For the past couple of weeks, our IPsec tunnel has dropped intermittently with the debug results below. The IPsec tunnel terminates with a WatchGuard Firebox II.
Am I interpreting this correctly? It appears that the WatchGuard is trying to negotiate an SA using DES, SHA, and a pre-shared key, but eventually times out. The actual policy is for 3DES, MD5, and a pre-shared key. However, when we reboot the PIX, the two devices connect. Is this a bug in the PIX OS?

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
ISAKMP (0): deleting SA: src 206.142.126.125, dst 67.39.58.130
ISADB: reaper checking SA 0x80d0cfb8, conn_id = 0 DELETE IT!
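
An added example, not part of the original post: a small Python parser for the debug output above that collects each offered transform, decodes the VPI lifetime bytes into seconds, and lists the attributes that differ from the 3DES/MD5/pre-share policy the post states. The function names and the `STATED_POLICY` dictionary are assumptions made for illustration.

```python
import re

# Sample input: debug lines copied from the post. All names here are illustrative.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 0
"""

# Policy as the post states it; the post gives no DH group or lifetime.
STATED_POLICY = {"encryption": "3DES", "hash": "MD5", "auth": "pre-share"}

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP: (encryption|hash|auth|default group) (\S+)")
LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")

def parse_offers(text):
    """Return one dict per 'Checking ISAKMP transform' block."""
    offers = []
    for line in text.splitlines():
        line = line.strip()
        if m := CHECK.search(line):
            offers.append({"transform": int(m[1]), "priority": int(m[2])})
        elif not offers:
            continue  # ignore anything before the first transform check
        elif m := ATTR.match(line):
            offers[-1][m[1]] = m[2].removesuffix("-CBC")
        elif m := LIFE.search(line):
            # VPI bytes are big-endian: 0x0 0x1 0x51 0x80 -> 0x00015180
            raw = bytes(int(b, 16) for b in m[1].split())
            offers[-1]["lifetime_s"] = int.from_bytes(raw, "big")
        elif "atts are not acceptable" in line:
            offers[-1]["accepted"] = False
        elif "atts are acceptable" in line:
            offers[-1]["accepted"] = True
    return offers

def mismatches(offer, policy=STATED_POLICY):
    """Attributes where the peer's offer differs from the stated policy."""
    return {k: (offer.get(k), v) for k, v in policy.items() if offer.get(k) != v}

if __name__ == "__main__":
    for o in parse_offers(SAMPLE):
        print(o, mismatches(o))
```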