11-14-2008 04:59 AM - edited 02-21-2020 03:06 AM
Hi all,
I need to set up a site 2 site IKE VPN tunnel. The configuration kinda speaks for itself, but in short the idea is to only use the secondary DSL interface for a dedicated IPSec tunnel to a remote location.
When the tunnel is being initiated, it fails on Phase1:
The awkward thing is:
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 111.111.111.111 failed its sanity check or is malformed
Would indicate a mismatch in the preshared key (or does it?!). I triple checked that....
Kinda lost now, any thinking along and/or help appreciated!
11-14-2008 08:26 AM
Hi,
Yes, the debug message "ISAKMP: reserved not zero on ID payload!" means that the PSK does not match on both sides.
Also, can you add the "no-xauth" option to the PSK statement in the configuration?
crypto isakmp key cisco address 1.1.1.1 no-xauth
Regards
Arul
*Pls rate if it helps*
11-19-2008 01:29 AM
It probably won't be earlier than this Friday that I can give it a try, but I will and report/rate back ;-)
I'm not sure why using the no-xauth would make a difference though...
"no-xauth:
(Optional) Use this keyword if router-to-router IPSec is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password). "
Worth a shot :-)