IPSec problem between IOS switch and Nortel Alteon firewall

simon.allen · ‎03-31-2006

Hi,

I'm trying to bring up an IPSec tunnel between a Cisco IOS 6500 switch and a third party Nortel Alteon firewall.

Stage 1 is failing but the policy configuration looks the same at each end.

Debug output:

*Mar 31 15:33:39.836: ISAKMP:(0:5:HW:2): beginning Main Mode exchange

*Mar 31 15:33:39.836: ISAKMP:(0:5:HW:2): sending packet to 10.129.224.158 my_por

t 500 peer_port 500 (I) MM_NO_STATE

*Mar 31 15:33:39.848: ISAKMP (0:268435461): received packet from 10.129.224.158

dport 500 sport 500 Global (I) MM_NO_STATE

*Mar 31 15:33:39.848: ISAKMP:(0:5:HW:2):Couldn't find node: message_id 124167445

2

*Mar 31 15:33:39.848: ISAKMP:(0:5:HW:2):Unknown Input: state = IKE_I_MM1, major,

minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Mar 31 15:33:39.848: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational m

ode failed with peer at 10.129.224.158

I can't find any explanation of the "couldn't find node" error anywhere on CCO. The debug reports a response from the peer on protocol 500 so it looks like the two peers can see each other.

Anyone got any ideas?

spremkumar · ‎04-04-2006

Hi

you need to verify the following parameters on both the sides to overcome this error message...

Encryption DES or 3DES

Hash MD5 or SHA

Diffie-Hellman Group 1 or 2

Authentication {rsa-sig | rsa-encr | pre-share

for more info do refer this link..

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#processing_main

regds

simon.allen · ‎04-04-2006

Thanks for the response.

From what the engineer working on the Nortel told me the parameters matched ours so there was no obvious reason why the tunnel didn't come up.

Having changed their end from pre-share to rsa and then back again the tunnel came up!

Strange.