PIX to Router IPSEC VPN - ISAKMP fail?

phoffswell
Level 1

Hi -

Consider the following error from a isakmp debug on the PIX:

ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 21 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): Unable to generate DH phase I values!
return status is IKMP_ERR_RETRANS

key exchange never makes it out of MM_NO_STATE

As you can see, my isakmp attributes are good, but all of a sudden I get that last error message about phase I.

Never heard of this before. Any ideas?

Cisco PIX Firewall Version 6.1(1)

C2600 Software (C2600-IK8S-M), Version 12.2(8)T

Standard config as per http://www.cisco.com/warp/customer/110/39.html

I've verified that I am running a transform set of esp-des only. I'm not making it to IPsec, so I don't think that's my problem.

Thanks!
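A small triage helper for the `debug crypto isakmp` output quoted above, added here as an example and not part of the original post or of any Cisco tool. It parses the proposal attributes, decodes the VPI lifetime bytes (four big-endian bytes, an assumption that yields 86400 seconds, the usual default IKE lifetime), and separates "proposal rejected" from "proposal accepted but local DH generation failed", which is the distinction the thread turns on. The sample text is the log from the post, embedded as a constructed string; `Phase1Triage`, `triage` and `decode_vpi` are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: the debug lines quoted in the post above, not a live capture.
SAMPLE_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 21 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): Unable to generate DH phase I values!
return status is IKMP_ERR_RETRANS
"""

POLICY_RE = re.compile(r"against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth|life type)\s+(.+)$")
LIFE_RE = re.compile(r"^ISAKMP:\s+life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)$")


@dataclass
class Phase1Triage:
    """What the SA-payload section of an ISAKMP debug tells us about phase 1."""
    policy_priority: Optional[int] = None
    attributes: Dict[str, str] = field(default_factory=dict)
    lifetime_seconds: Optional[int] = None
    attributes_accepted: bool = False
    dh_failed: bool = False
    return_status: Optional[str] = None

    def verdict(self) -> str:
        # Proposal matched a local policy, yet the peer could not build its own
        # Diffie-Hellman key pair: a local crypto/state problem, not a policy mismatch.
        if self.attributes_accepted and self.dh_failed:
            return "phase1-dh-failure"
        if not self.attributes_accepted:
            return "phase1-policy-mismatch"
        return "phase1-proposal-accepted"


def decode_vpi(hex_tokens: str) -> int:
    """Read the space-separated hex bytes of a VPI lifetime as one big-endian integer
    (assumption about the encoding; 0x0 0x1 0x51 0x80 -> 86400)."""
    value = 0
    for tok in hex_tokens.split():
        value = (value << 8) | int(tok, 16)
    return value


def triage(debug_text: str) -> Phase1Triage:
    """Walk the debug lines once and fill in a Phase1Triage record."""
    t = Phase1Triage()
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.search(line)
        if m:
            t.policy_priority = int(m.group(1))
            continue
        m = LIFE_RE.match(line)
        if m:
            t.lifetime_seconds = decode_vpi(m.group(1))
            continue
        m = ATTR_RE.match(line)
        if m:
            t.attributes[m.group(1)] = m.group(2).strip()
            continue
        if "atts are acceptable" in line:
            t.attributes_accepted = True
        elif "Unable to generate DH phase I values" in line:
            t.dh_failed = True
        elif line.startswith("return status is"):
            t.return_status = line.split()[-1]
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    print(result.attributes, result.lifetime_seconds, result.verdict())
```

Run on the quoted log this reports the proposal (DES-CBC, SHA, group 1, pre-shared key, 86400 s) as accepted against policy 21 and classifies the session as a phase 1 DH failure, which matches the thread's conclusion that the transform sets (phase 2) were never the issue.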

4 Replies

yawnb
Level 1

It looks like it may be having a problem calculating the Diffie-Hellman values? Maybe you should try making the transform set esp-des esp-md5-hmac like in the doc. If that still does not work it could be a bug. Try a different version of code on your 2600. Good luck.

Ok. That's what I thought. Diffie-Hellman values not working. On the PIX side.

Changed my isakmp policy to use md5 hash, but get same error. Router has other tunnels to other routers, that cannot be changed, so my configuration is not exactly as the configuration guide.

My router is Version 12.2(8)T. Just upgraded.

Any other ideas?

ROBERT WATSON
Level 1

Don't bother modifying your transform sets; they are only for negotiating the phase 2 tunnel establishments. If your problem lies in phase one group issues, you may wanna use DH group 2.

this is a 1024-bit group identifier

link to config on pix is

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/ipsec.htm#xtocid1580135

and on the router

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfike.htm#22086

IKE is what you should be troubleshooting, not transform sets.

Since you have other tunnels, create a brand new ISA policy for the problem tunnel and troubleshoot with the test policy.

Thanks for the comments. I, too, thought that the adjustments to my policies would not make a difference. It didn't.

But I did fix it!

Rebooted the PIX. Everything came up fine.

I expect that my CAs were bad? I don't know that I ever ran any clear crypto type commands.

Thanks again! Problems solved with reboot!