Problem between Cisco PIX 520 6.3(3) and FreeSwan 2.0.6

rene.schmid
Level 1

Hi,

I have trouble with a LAN-to-LAN VPN connection between my Cisco PIX 520 and a Linux FreeS/WAN 2.0.6 firewall, kernel version 2.6.8.

Phase I is OK; I get the message QM_Idle.

But phase II is not finished correctly.

On both sides we have no SPI connection.

We want to encrypt the traffic between 2 private networks. On the Linux box I get the message:

ag-weid-fw:/etc# ipsec auto --up sitexs
104 "sitexs" #1: STATE_MAIN_I1: initiate
106 "sitexs" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "sitexs" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sitexs" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
218 "sitexs" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
003 "sitexs" #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
010 "sitexs" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "sitexs" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "sitexs" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Any ideas?

Please help.

rene
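The decisive line in the log above is the Phase 1 ID payload check. As an added example (not code from this thread or from FreeS/WAN), the following decodes an ISAKMP Identification payload (RFC 2407 section 4.6.2 layout) and applies the same acceptance rule the pluto message quotes, so an operator can reproduce the INVALID_ID_INFORMATION diagnostic from a captured payload; the payload bytes and the 192.0.2.1 address are constructed samples.

```python
import struct

# RFC 2407 4.6.2 Identification payload, fields in order:
#   Next Payload (1) | RESERVED (1) | Payload Length (2) |
#   ID Type (1) | Protocol ID (1) | Port (2) | Identification Data (n)
ID_HDR = "!BBHBBH"          # 8 bytes of header before the identification data
ID_IPV4_ADDR = 1            # ID type for a single IPv4 address
PROTO_UDP = 17

def parse_id_payload(data: bytes) -> dict:
    """Decode one Identification payload; raise ValueError on a malformed one."""
    if len(data) < struct.calcsize(ID_HDR):
        raise ValueError("ID payload shorter than its 8-byte header")
    next_payload, _reserved, length, id_type, proto, port = struct.unpack(ID_HDR, data[:8])
    if length != len(data):
        raise ValueError(f"declared length {length} does not match {len(data)} bytes")
    return {"next_payload": next_payload, "id_type": id_type,
            "protocol": proto, "port": port, "data": data[8:]}

def phase1_id_problem(proto: int, port: int):
    """Return None when the protocol/port pair is acceptable for a Phase 1 ID,
    otherwise the diagnostic text pluto prints (rule quoted from the log)."""
    if (proto, port) in ((0, 0), (PROTO_UDP, 500)):
        return None
    return f"protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are {proto}/{port}"

def build_id_payload(id_type: int, proto: int, port: int, ident: bytes) -> bytes:
    """Construct a sample payload (next payload 0 = none) for testing."""
    return struct.pack(ID_HDR, 0, 0, 8 + len(ident), id_type, proto, port) + ident

def check(payload: bytes):
    """Parse a payload and return the diagnostic, or None if it would be accepted."""
    p = parse_id_payload(payload)
    return phase1_id_problem(p["protocol"], p["port"])

# Constructed samples: the 17/0 combination reported in the log, and a 17/500 one.
PEER_ADDR = bytes([192, 0, 2, 1])
ID_UDP_PORT0 = build_id_payload(ID_IPV4_ADDR, PROTO_UDP, 0, PEER_ADDR)
ID_UDP_PORT500 = build_id_payload(ID_IPV4_ADDR, PROTO_UDP, 500, PEER_ADDR)

if __name__ == "__main__":
    for name, pl in (("17/0", ID_UDP_PORT0), ("17/500", ID_UDP_PORT500)):
        print(name, "->", check(pl) or "accepted")
```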

2 Replies

Patrick Iseli
Level 7

1.) Could be PFS:

Unselect "PFS" in the /etc/ipsec.secrets file on the FreeS/WAN. Also disable PFS in /etc/ipsec.conf:

conn %default
        type=tunnel
        pfs=no

If PFS is on, then you also have to set DH Group 5 on the FreeS/WAN.

2.) Verify that the access-lists for the interesting traffic (the encryption domains) are identical!

on pix:

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto map REMOTE 10 match address VPN

check also

PIX(config)# nat (inside) 0 access-list NONAT

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet ESubnet

Check the debug output on the PIX and compare it with this document:

IP Security Troubleshooting - Understanding and Using debug Commands:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

Sincerely,

Patrick

Hi Patrick,

Thanks for the reply. The access-lists on the systems are correct, and PFS is not enabled.

rene