05-20-2004 05:13 AM - edited 02-20-2020 11:24 PM
I have verified my keys are correct... I think the DSL provider on one of my PIXes is blocking port 500. Any help or ideas would be greatly appreciated... I copied a debug crypto isa 2 log... I'm at a standstill...
Total : 1
Embryonic : 1
dst              src              state          pending  created
204.238.xx.xx    68.xx.xx.xx      MM_KEY_EXCH    0        0
VPN Peer:ISAKMP: Peer Info for 204.238.xx.xx/500 not found - peers:0
crypto_isakmp_init_phase1_fields: initiator
construct_header: message_id 0x0
construct_isakmp_sa: auth 1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:204.238.xx.xx, dest:68.xx.xx.xx spt:500 dpt:500
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_parameters: dhset 0xeab84c, phase 0
DH_ALG_PHASE1
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_ke:
need_cert_from_peer:
construct_nonce:
construct_xauthv6_vendor_id:
construct_dpd_vendor_id:
construct_unity_vendor_id:
construct_vendor_id:
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:204.238.xx.xx, dest:68.xx.xx.xx spt:500 dpt:500
OAK_MM exchange
oakley_process_mm:
OAK_MM_SA_SETUP
process_isakmp_packet:
process_ke:
ISAKMP (0): processing KE payload. message ID = 0
crypto_generate_DH_parameters: dhset 0xeab84c, phase 1
DH_ALG_PHASE2
process_isakmp_packet: OAK_MM
process_nonce:
ISAKMP (0): processing NONCE payload. message ID = 0
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
process_isakmp_packet: OAK_MM
construct_header: message_id 0x0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
construct_hash:
compute_hash:
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 68.xx.xx.xx, dst 204.238.xx.xx
ISADB: reaper checking SA 0xeab594, conn_id = 0 DELETE IT!
05-20-2004 05:45 AM
We can see that the two devices successfully negotiated ISAKMP parameters. Therefore, I would assume that UDP/500 is not blocked.
Do the firewalls connect to each other via NAT? If so, I would try enabling NAT-T on your firewall.
[isakmp nat-traversal]
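As an added illustration of the diagnosis in this reply (this is not code from the thread or from Cisco): a small Python classifier that walks a debug crypto isakmp trace, works out the last IKEv1 Main Mode message that was actually exchanged, and reports what stalling at that point implies. The marker strings for MM1-MM5 are taken from the debug posted above; the MM6 markers and the two embedded sample traces are constructed assumptions, not output captured from a real PIX.

```python
import re

# Constructed excerpt modelled on the "debug crypto isakmp" output in the post
# above (wording follows the post; addresses replaced with RFC 5737 ranges).
SAMPLE_DEBUG_STALLED_AT_MM5 = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_ke:
construct_nonce:
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): ID payload
construct_hash:
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.0.2.10, dst 198.51.100.20
"""

# Constructed contrast case: the very first packet is never answered.
SAMPLE_DEBUG_NO_REPLY = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 192.0.2.10, dst 198.51.100.20
"""

# IKEv1 Main Mode messages in order, each with the debug strings that show it
# happened on the initiator. MM1-MM5 strings come from the post; the MM6 strings
# are an assumption based on typical PIX/IOS wording.
MM_STAGES = [
    ("MM1 sent: SA proposal",           ("beginning Main Mode exchange",)),
    ("MM2 received: SA reply",          ("processing SA payload",)),
    ("MM3 sent: KE + nonce",            ("construct_nonce:",)),
    ("MM4 received: KE + nonce",        ("processing NONCE payload",)),
    ("MM5 sent: ID + hash (encrypted)", ("construct_hash:",)),
    ("MM6 received: ID + hash",         ("processing ID payload", "SA has been authenticated")),
]

RETRANSMIT_RE = re.compile(r"retransmitting phase 1 \(\d+\)")


def furthest_stage(lines):
    """1-based index of the last Main Mode message seen, stopping at the first gap."""
    reached = 0
    for _label, markers in MM_STAGES:
        if any(m in ln for ln in lines for m in markers):
            reached += 1
        else:
            break
    return reached


def classify_main_mode(debug_text):
    """Return where Phase 1 stalled and the usual cause for stalling at that point."""
    lines = debug_text.splitlines()
    reached = furthest_stage(lines)
    retransmits = sum(1 for ln in lines if RETRANSMIT_RE.search(ln))
    sa_deleted = any("deleting SA" in ln for ln in lines)

    if reached == 0:
        verdict, why = "no_exchange", "No Main Mode exchange was started; the tunnel was never triggered."
    elif reached >= len(MM_STAGES):
        verdict, why = "phase1_complete", "Main Mode finished; look at Phase 2 (quick mode) for the failure."
    elif reached < 2:
        verdict, why = "no_reply_to_mm1", ("MM1 was never answered: UDP/500 blocked in either direction, "
                                           "peer unreachable, or ISAKMP not enabled on the peer's interface.")
    elif reached < 5:
        verdict, why = "stalled_in_dh", ("Peer answered MM1, so UDP/500 is open; it stopped replying during "
                                         "the DH/nonce exchange (MM3/MM4).")
    else:
        verdict, why = "auth_rejected_silently", (
            "MM1-MM4 completed, so UDP/500 is open; the peer dropped the encrypted MM5 without a reply. "
            "Usual causes: pre-shared key mismatch, ISAKMP identity mismatch, or NAT between the peers "
            "(the PSK is looked up by source address, but ID_IPV4_ADDR carries the pre-NAT address); "
            "verify the key on both sides and enable NAT traversal.")

    return {
        "stage": MM_STAGES[reached - 1][0] if reached else None,
        "retransmits": retransmits,
        "sa_deleted": sa_deleted,
        "verdict": verdict,
        "explanation": why,
    }


if __name__ == "__main__":
    for name, text in (("stalled at MM5", SAMPLE_DEBUG_STALLED_AT_MM5),
                       ("no reply", SAMPLE_DEBUG_NO_REPLY)):
        r = classify_main_mode(text)
        print(f"{name}: stage={r['stage']!r} retransmits={r['retransmits']} verdict={r['verdict']}")
        print("  " + r["explanation"])
```

Run against a trace shaped like the one posted above, the classifier reaches the same conclusion as the reply: MM2 and MM4 were received, so UDP/500 is open in both directions, and the failure is the encrypted MM5 that is retransmitted twice and never answered, which points at the pre-shared key, the ISAKMP identity, or NAT in the path (hence the isakmp nat-traversal suggestion) rather than at the DSL provider filtering port 500.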
05-25-2004 12:47 PM
I'm having the exact same issue. I'm using IOS ver 6.2(1).
Does anyone have any ideas?