PIX515 IPSEC VPN tunnel

kerrow
Level 1

I am trying to build a VPN tunnel from an 827 DSL router to a PIX515. I have built over 80 of these to the same PIX and had no problems. Now every one I build is giving me the message below in my debugging of IPsec and ISAKMP. If anyone knows what this means and possibly a fix, please let me know. The problem seems to start at the line that says "01:44:00: ISAKMP (0:32): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3"

01:43:58: IPSEC(sa_request): ,

(key eng. msg.) src= 67.112.8.42, dest= 65.210.17.66,

src_proxy= 10.5.113.0/255.255.255.0/0/0 (type=4),

dest_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0x139AA2D9(328901337), conn_id= 0, keysize= 0, flags= 0x4004

01:43:58: ISAKMP: received ke message (1/1)

01:43:58: ISAKMP: local port 500, remote port 500

01:43:58: ISAKMP (0:32): beginning Main Mode exchange

01:43:58: ISAKMP (0:32): sending packet to 65.210.17.66 (I) MM_NO_STATE

01:43:58: ISAKMP (0:32): received packet from 65.210.17.66 (I) MM_NO_STATE

01:43:58: ISAKMP (0:32): processing SA payload. message ID = 0

01:43:58: ISAKMP (0:32): found peer pre-shared key matching 65.210.17.66

01:43:58: ISAKMP (0:32): Checking ISAKMP transform 1 against priority 10 policy

01:43:58: ISAKMP: encryption DES-CBC

01:43:58: ISAKMP: hash MD5

01:43:58: ISAKMP: default group 1

01:43:58: ISAKMP: auth pre-share

01:43:58: ISAKMP: life type in seconds

01:43:58: ISAKMP: life duration (basic) of 3600

01:43:58: ISAKMP (0:32): atts are acceptable. Next payload is 0

01:43:59: ISAKMP (0:32): SA is doing pre-shared key authentication using id type

ID_IPV4_ADDR13.1

01:43:59: ISAKMP (0:32): sending packet to 65.210.17.66 (I) MM_SA_SETUP

01:43:59: ISAKMP (0:32): received packet from 65.210.17.66 (I) MM_SA_SETUP

01:43:59: ISAKMP (0:32): processing KE payload. message ID = 0

01:43:59: ISAKMP (0:32): processing NONCE payload. message ID = 0

01:43:59: ISAKMP (0:32): found peer pre-shared key matching 65.210.17.66

01:43:59: ISAKMP (0:32): SKEYID state generated

01:43:59: ISAKMP (0:32): processing vendor id payload

01:43:59: ISAKMP (0:32): processing vendor id payload

01:43:59: ISAKMP (0:32): processing vendor id payload

01:43:59: ISAKMP (0:32): speaking to another IOS box!

01:43:59: ISAKMP (32): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

01:43:59: ISAKMP (32): Total payload length: 12

01:43:59: ISAKMP (0:32): sending packet to 65.210.17.66 (I) MM_KEY_EXCH

01:43:59: ISAKMP (0:32): received packet from 65.210.17.66 (I) MM_KEY_EXCH

01:43:59: ISAKMP (0:32): processing ID payload. message ID = 0

01:43:59: ISAKMP (0:32): processing HASH payload. message ID = 0

01:43:59: ISAKMP (0:32): SA has been authenticated with 65.210.17.66

01:43:59: ISAKMP (0:32): beginning Quick Mode exchange, M-ID of 1533428816

01:43:59: ISAKMP (0:32): sending packet to 65.210.17.66 (I) QM_IDLE

01:44:00: ISAKMP (0:32): received packet from 65.210.17.66 (I) QM_IDLE

01:44:00: ISAKMP (0:32): processing HASH payload. message ID = -1063731131

01:44:00: ISAKMP (0:32): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 328901337, message ID = -1063731131

01:44:00: ISAKMP (0:32): deleting spi 328901337 message ID = 1533428816

01:44:00: ISAKMP (0:32): deleting node 1533428816 error TRUE reason "delete_larval"

01:44:00: ISAKMP (0:32): deleting node -1063731131 error FALSE reason "informational (in) state 1"

1 Reply

s-doyle
Level 3

What version of PIX code are you running? I would check that against the bug tracker to see if there are any known issues. Other than that, you’ll probably have to talk to TAC to see what’s going on.
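
A triage sketch for debug output like the one in the question, added here as an example and not part of either post: it reports which IKE phase the peer's error NOTIFY belongs to and what was offered in the IPsec SA request. The protocol numbers are the IPsec DOI identifiers from RFC 2407; the sample log is constructed with made-up addresses, and `triage`, `_find` and the spelling of the status-notify names are assumptions of this example.

```python
import re

# IPsec DOI protocol identifiers (RFC 2407, section 4.4.1).
DOI_PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
# Status (non-error) notifies, spelled as assumed for the debug output.
STATUS_NOTIFIES = {"RESPONDER_LIFETIME", "REPLAY_STATUS", "INITIAL_CONTACT"}

# Constructed sample in the format of the posted debug (addresses are made up).
SAMPLE = """\
01:43:58: IPSEC(sa_request): ,
(key eng. msg.) src= 192.0.2.10, dest= 198.51.100.20,
src_proxy= 10.5.113.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
01:43:59: ISAKMP (0:32): SA has been authenticated with 198.51.100.20
01:43:59: ISAKMP (0:32): beginning Quick Mode exchange, M-ID of 1533428816
01:44:00: ISAKMP (0:32): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""


def _find(pattern, log):
    m = re.search(pattern, log)
    return m.group(1).strip() if m else None


def triage(log):
    """Report which IKE phase an error NOTIFY belongs to and what was offered."""
    result = {
        "phase1_ok": "SA has been authenticated" in log,
        "offer": {
            "transform": _find(r"transform=\s*([^,\n]+?)\s*,", log),
            "src_proxy": _find(r"src_proxy=\s*(\S+)", log),
            "dest_proxy": _find(r"dest_proxy=\s*(\S+)", log),
        },
        "failed_phase": None, "notify": None, "protocol": None,
    }
    qm_start = log.find("beginning Quick Mode exchange")
    for m in re.finditer(r"processing NOTIFY (\w+) protocol (\d+)", log):
        if m.group(1) in STATUS_NOTIFIES:
            continue  # informational, not a rejection
        result["notify"] = m.group(1)
        result["protocol"] = DOI_PROTOCOLS.get(int(m.group(2)), "unknown")
        # An error NOTIFY after Quick Mode starts concerns the IPsec SA
        # (phase 2); before that it concerns the ISAKMP SA (phase 1).
        in_qm = result["phase1_ok"] and 0 <= qm_start < m.start()
        result["failed_phase"] = 2 if in_qm else 1
        break
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```

When `failed_phase` is 2, the fields in `offer` are the ones to compare against the peer's phase 2 configuration.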