PIX to Nortel VPN tunnel

Hi,

Has anyone tried to build a VPN tunnel between a PIX and a Nortel? One of my branch offices needs to build a VPN tunnel with a Nortel box. I set the following profile:

isakmp - 3DES/SHA/DH G2/Pre-share key/lifetime 86400
ipsec - 3DES/SHA/PFS G2/lifetime 3600

When I type 'sh cry isa sa' on the PIX, I could see the ISAKMP SA established but was getting the messages below; it looks like the profile does not match the Nortel box. Can anyone tell me how to configure the tunnel with the Nortel box? In the output, x.x.x.x is the peer gateway IP and y.y.y.y is the branch office address:

ISADB: reaper checking SA 0x12f645c, conn_id = 0
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x
ISAKMP (0): deleting SA: src x.x.x.x, dst y.y.y.y
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 500
    length : 26
ISAKMP (0): Total payload length: 30
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt incremented to:2 Total VPN Peers:4
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISADB: reaper checking SA 0x13a811c, conn_id = 0
ISADB: reaper checking SA 0x13a9804, conn_id = 0
ISADB: reaper checking SA 0x13b0af4, conn_id = 0
ISADB: reaper checking SA 0x12f645c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt decremented to:1 Total VPN Peers:4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x
ISADB: reaper checking SA 0x13a811c, conn_id = 0
ISADB: reaper checking SA 0x13a9804, conn_id = 0
ISADB: reaper checking SA 0x13b0af4, conn_id = 0
ISADB: reaper checking SA 0x13c1a54, conn_id = 0
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500

Any thoughts ?

yellow

"ISAKMP: error, msg not encrypted"

indicates that both sides cannot exchange the pre-shared key

indicates that the PIX is sending its identity using a hostname. Identity authentication must be the same on both sides, and I think the default on the Contivity is by IP address.

I would try to add the following command on the PIX:

isakmp identity address

mcaissie
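As an added illustration that is not part of the thread, the following Python reads PIX 'debug crypto isakmp' output like the capture above and reports the points mcaissie's reply turns on: which phase 1 transforms the PIX rejected and with what attributes, which identity type the PIX used, and whether a RESPONDER_LIFETIME notify and the "msg not encrypted" error appeared. The sample log is constructed from the thread's lines, one event per line, and is not the original capture.

```python
import re
# Constructed sample of PIX "debug crypto isakmp" output (one event per line), not the thread's original log.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP: error, msg not encrypted
"""

def parse_phase1(text):
    # "Checking ISAKMP transform N" opens a proposal; the "ISAKMP: <attr>" lines that follow belong to it until the verdict.
    res = {"transforms": [], "id_type": None, "flags": set()}
    cur = None
    for line in text.splitlines():
        if m := re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line):
            cur = {"n": int(m.group(1)), "attrs": {}, "accepted": None}
            res["transforms"].append(cur)
        elif cur and (m := re.match(r"ISAKMP: (encryption|hash|auth|default group) (\S+)", line)):
            cur["attrs"][m.group(1)] = m.group(2)
        elif cur and "atts are" in line:
            cur["accepted"] = "not acceptable" not in line
        elif m := re.search(r"using id type (\S+)", line):
            res["id_type"] = m.group(1)          # ID_FQDN here: PIX identifies by hostname
        elif "RESPONDER_LIFETIME" in line:
            res["flags"].add("responder_lifetime")
        elif "msg not encrypted" in line:
            res["flags"].add("msg_not_encrypted")
    return res

def diagnose(p):
    # Turn the parsed negotiation into the checks this thread raises.
    hints = [f"transform {t['n']} rejected: {t['attrs']}"
             for t in p["transforms"] if t["accepted"] is False]
    if p["id_type"] not in (None, "ID_IPV4_ADDR"):
        hints.append(f"PIX sends identity as {p['id_type']}; peer may expect an address (isakmp identity address)")
    if "responder_lifetime" in p["flags"]:
        hints.append("lifetimes differ; responder announced its own lifetime, the shorter value is used, no exact match needed")
    if "msg_not_encrypted" in p["flags"]:
        hints.append("peer sent a cleartext message after phase 1 authentication; verify identity type and pre-shared key on both ends")
    return hints
```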

Thanks for your comment.

Should the 'lifetime' parameter match exactly on both the PIX and the Nortel box? I assume the two firewalls will negotiate and pick the lowest lifetime.

mcaissie wrote:

yellow
