I have been trying to establish an IPSec tunnel between a Cisco 3030 VPN concentrator and a Cisco 2611XM router.
The problem I am facing is that I am able to establish the tunnel in one direction only, i.e. from router to concentrator. If I initiate traffic in the other direction first, then this also is not happening.
I am attaching the error messages I am getting on both the devices.
*Mar 1 02:31:43.322: ISAKMP: Error: payload length of VENDOR 0 < 4
*Mar 1 02:31:43.322: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 126.96.36.199 failed its sanity check or is malformed
62134 10/14/2004 13:44:57.070 SEV=8 IKEDBG/0 RPT=29427 188.8.131.52
RECEIVED Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13) + UNKNOWN (89), *** ERROR ***
total length : 84
62136 10/14/2004 13:44:57.070 SEV=6 IKE/0 RPT=64955 184.108.40.206
Invalid packet detected!
Thanks in advance for your help.
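The router log in the post above rejects a VENDOR payload whose length field is 0. In RFC 2408 every payload starts with a 4-byte generic header that its own length field counts, so a value below 4 can never be valid. The following is an added example, not part of the thread and not Cisco's code: a Python walk of an ISAKMP payload chain that applies that check. The helper names and both sample messages are constructed for illustration.

```python
import struct

ISAKMP_HDR_LEN = 28    # cookies (8+8), next payload, version, exchange, flags, msg id, length
GENERIC_HDR_LEN = 4    # next payload, reserved, 2-byte payload length
PAYLOAD_NAMES = {1: "SA", 13: "VENDOR"}   # subset of the RFC 2408 payload types

def walk_payloads(packet: bytes):
    """Return (payload names accepted so far, error string or None)."""
    if len(packet) < ISAKMP_HDR_LEN:
        return [], "truncated ISAKMP header"
    next_type = packet[16]                       # first payload type
    (total_len,) = struct.unpack_from("!I", packet, 24)
    if total_len != len(packet):
        return [], f"header length {total_len} != datagram length {len(packet)}"
    seen, offset = [], ISAKMP_HDR_LEN
    while next_type != 0:                        # 0 means no further payload
        name = PAYLOAD_NAMES.get(next_type, f"UNKNOWN ({next_type})")
        if offset + GENERIC_HDR_LEN > total_len:
            return seen, f"{name} header runs past end of message"
        following, _reserved, plen = struct.unpack_from("!BBH", packet, offset)
        if plen < GENERIC_HDR_LEN:               # the check the router log reports
            return seen, f"payload length of {name} {plen} < {GENERIC_HDR_LEN}"
        if offset + plen > total_len:
            return seen, f"{name} length {plen} runs past end of message"
        seen.append(name)
        next_type, offset = following, offset + plen
    return seen, None

def build_message(payloads):
    """Constructed test input: list of (type, body, length_override or None)."""
    body = b""
    for i, (_ptype, data, override) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        plen = GENERIC_HDR_LEN + len(data) if override is None else override
        body += struct.pack("!BBH", nxt, 0, plen) + data
    # version 1.0, exchange type 2 (Identity Protection), flags 0, message id 0
    header = b"\x11" * 8 + b"\x00" * 8 + struct.pack(
        "!BBBBII", payloads[0][0], 0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))
    return header + body

# Constructed samples: a well-formed SA + VENDOR chain, and the same chain
# with the VENDOR length field forced to 0.
GOOD = build_message([(1, b"\x00" * 8, None), (13, b"\xaa" * 16, None)])
BAD = build_message([(1, b"\x00" * 8, None), (13, b"\xaa" * 16, 0)])

if __name__ == "__main__":
    print(walk_payloads(GOOD))
    print(walk_payloads(BAD))
```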
The first item to check is to ensure that you have a matching isakmp policy on both peers that is an exact match for all values, even the lifetime ones. That is, if one peer can negotiate 3des encryption with an md5 hash, pre-share key, no pfs, DH Group 2 and a lifetime in sec. of 28800, then the other peer has an exact match in one of its policies.
The next item to do is to run a debug crypto isakmp command on the 2611XM. Then while debug is running, initiate an IPSec conn from conc-to-2611, then clear the SAs (clear cry isa sa, and clear cry sa - run them both to clear phase 1 and 2), and then initiate a connection from 2611-to-conc. Post the logs here if you are still having a problem after you have validated the isakmp policies.
Please post the level of code you are running on the vpn concentrator and 2611XM devices too.
I have cross-checked the isakmp policy on both peers. They are matching, in fact. I have attached the logs from the 2611.
One more thing I noticed is that even though the tunnel is getting established from 2611 to Conc, it is getting automatically disconnected at an interval of about 1 to 2 minutes. I have attached the logs at the time of disconnection too.
The code I am running is
2611-->12.3(9) Advanced Enterprise
Are there any firewalls between the 2611 and the vpn concentrator?
Can you post the relevant parts of the configs of the 2611 and the concentrator that pertain to the VPN connections?