
IPSEC VPN : malformed payload

oguarisco
Level 3

Hi,

Unfortunately I had to configure a site-to-site VPN with the following characteristics:

- Encryption 3DES

- Hashing MD5

- Authentication Pre-Shared

- DH group 2

- Lifetime 7200

between a PIX515E (6.3(3)) and...a 3com Security Gateway...no way to pass IKE Phase I...the two peers are seeing each other and start to negotiate IKE. With PIX debugging I've seen the following error messages on PIX:

- ISAKMP: reserved not zero on payload 5!

- ISAKMP: malformed payload

on 3com it logs Router-ID failure...

Is it maybe a software bug?

On the PIX I've also disabled the NAT-T feature!

Are these two devices interoperable?

Right now on the PIX I've set up the isakmp identity as ADDRESS; should I use hostname or key-id?

Thanks a lot

Omar

3 Replies

benhur.p
Level 1

In the first place, I don't think they are interoperable.

Regards,

Jon Marshall
Hall of Fame

Could do with more of the Phase 1 debugging. I would suggest double-checking the pre-shared key, as I have seen this message quite a few times when the key is not matching.

Alternatively post the full ISAKMP debug.
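
An added example, not part of the thread or any poster's code, showing what "reserved not zero on payload 5" checks: every ISAKMP payload starts with a generic header (next payload, reserved, length), and payload type 5 is the Identification payload. In IKEv1 main mode with pre-shared keys that payload arrives encrypted under keys derived from the pre-shared key, so a mismatch leaves the receiver parsing garbage. The function name and both sample bodies are constructed for illustration.

```python
import struct

# IKEv1 payload type numbers (RFC 2408); 5 is the Identification payload.
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}

def check_payload_chain(body: bytes, first_payload: int):
    """Walk the generic payload headers (next payload, reserved, length).

    Returns a list of (payload_type, problem); an empty list means the chain parsed.
    """
    problems = []
    offset, ptype = 0, first_payload
    while ptype != 0:  # next payload 0 marks the end of the chain
        if offset + 4 > len(body):
            problems.append((ptype, "truncated header"))
            break
        next_payload, reserved, length = struct.unpack_from("!BBH", body, offset)
        if reserved != 0:
            problems.append((ptype, "reserved not zero"))
            break
        if length < 4 or offset + length > len(body):
            problems.append((ptype, "bad length"))
            break
        offset += length
        ptype = next_payload
    return problems

# Constructed sample: ID payload (ID_IPV4_ADDR, 192.0.2.1) followed by a HASH
# payload carrying a 16-byte, MD5-sized placeholder digest.
ID_PAYLOAD = struct.pack("!BBHBBH4s", 8, 0, 12, 1, 0, 0, bytes([192, 0, 2, 1]))
HASH_PAYLOAD = struct.pack("!BBH16s", 0, 0, 20, bytes(16))
GOOD_BODY = ID_PAYLOAD + HASH_PAYLOAD

# Constructed stand-in for the same message decrypted with the wrong key:
# arbitrary bytes, not real 3DES output.
GARBLED_BODY = bytes.fromhex("3fa9c15e07d2b48811f06a9c2de4735b" * 2)

if __name__ == "__main__":
    for label, body in (("matching key", GOOD_BODY), ("mismatched key", GARBLED_BODY)):
        for ptype, problem in check_payload_chain(body, first_payload=5) or [(5, "ok")]:
            print(f"{label}: payload {ptype} ({PAYLOAD_NAMES.get(ptype, '?')}): {problem}")
```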

Hi,

Thanks for the reply...I've tried to use isakmp identity as hostname and key-id...but no way, things get worse...seeing that with these two my PIX doesn't state Malformed payload

We've checked the pre-shared key several times...and also changed it to abcd, but no way!

My thought is to not use IKE...and define the pre-shared key manually...