08-16-2004 07:40 AM - edited 02-21-2020 01:18 PM
When trying to establish a VPN connection from a VPN box to my firewall PIX 515E, I get the following in the debugs. Any ideas?
crypto_isakmp_process_block:src:Y.Y.Y.Y, dest:X.X.X.X spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Y.Y.Y.Y, dest:X.X.X.X spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:Y.Y.Y.Y, dest:X.X.X.X spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for Y.Y.Y.Y, peer port 62465
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:Y.Y.Y.Y/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:Y.Y.Y.Y/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:Y.Y.Y.Y, dest:X.X.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3265318006
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,
dest_proxy= 192.168.147.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.13.65.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): peer address Y.Y.Y.Y not found
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,
dest_proxy= 10.13.65.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.147.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): peer address X.X.X.X not found
Thanks.
08-16-2004 07:42 PM
Hi,
Before establishing the IPsec connectivity, do you have connectivity with the remote peer address that you've mentioned?
Are you able to ping and reach the remote peer?
Regards
08-17-2004 04:42 AM
Yes, there is connectivity between the peers, but any computer on the other network can ping my network.
Actually, I had another VPN connection to my network working fine, but when trying to add this new VPN connection (with another client) I get those logs.
Correct me if I am wrong, but I just add the network of the new client to the old access list and create the crypto map for the new client peer.
Regards,
08-17-2004 05:25 AM
Have you got the ISAKMP key parameter configured for the new peer, i.e.
isakmp key
Also, a look at your config might help too (remember to take out any sensitive info)
Jay
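
The debug output in the first post shows "SA has been authenticated" for the Main Mode exchange, followed by a Quick Mode proposal and the message "peer address ... not found". As an added example (not part of the thread and not a Cisco tool), this Python helper reports how far the negotiation got and which proxy networks the peer proposed, so they can be compared with the crypto map and access list on the firewall; the function name `triage` and the abridged sample lines are constructed here.

```python
import re

# Constructed sample: lines abridged from the debug output in the first post.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= X.X.X.X, src= Y.Y.Y.Y,
dest_proxy= 192.168.147.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.13.65.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
IPSEC(validate_transform_proposal): peer address Y.Y.Y.Y not found
"""

PROXY = re.compile(r"(dest|src)_proxy=\s*([\d.]+)/([\d.]+)/")
REJECT = re.compile(r"IPSEC\(validate_transform_proposal\): peer address (\S+) not found")

def triage(debug_text):
    """Summarize how far an ISAKMP/IPsec negotiation got in the debug text."""
    r = {"phase1_authenticated": False, "quick_mode_started": False,
         "proposals": [], "peers_not_found": []}
    current = None  # proposal block currently being read
    for line in debug_text.splitlines():
        if "SA has been authenticated" in line:
            r["phase1_authenticated"] = True
        elif "OAK_QM exchange" in line:
            r["quick_mode_started"] = True
        if "validate_proposal_request" in line:
            current = {}
            r["proposals"].append(current)
        m = PROXY.search(line)
        if m and current is not None:
            current[m.group(1) + "_proxy"] = m.group(2) + "/" + m.group(3)
        m = REJECT.search(line)
        if m:
            r["peers_not_found"].append(m.group(1))
    if not r["phase1_authenticated"]:
        r["stage"] = "phase1"
    elif r["peers_not_found"]:
        r["stage"] = "phase2_peer_not_found"
    else:
        r["stage"] = "phase2_pending_or_ok"
    return r
```
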