Hi,
Has anyone tried to build a VPN tunnel between PIX & Nortel? One of my branch offices needs to build a VPN tunnel with a Nortel box. I set the following profile:
isakmp - 3DES/SHA/DH G2/Pre-share key/lifetime 86400
ipsec - 3DES/SHA/PFS G2/lifetime 3600
When I type 'sh cry isa sa' in the PIX, I can see the ISAKMP SA established, but I am getting the messages below; it looks like the profile does not match the Nortel box. Can anyone tell me how to configure the tunnel with the Nortel box, where x.x.x.x is the peer gateway IP and y.y.y.y is the branch office address:
ISADB: reaper checking SA 0x12f645c, conn_id = 0
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x
ISAKMP (0): deleting SA: src x.x.x.x, dst y.y.y.y
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 26
ISAKMP (0): Total payload length: 30
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt incremented to:2 Total VPN Peers:4
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISADB: reaper checking SA 0x13a811c, conn_id = 0
ISADB: reaper checking SA 0x13a9804, conn_id = 0
ISADB: reaper checking SA 0x13b0af4, conn_id = 0
ISADB: reaper checking SA 0x12f645c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt decremented to:1 Total VPN Peers:4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x
ISADB: reaper checking SA 0x13a811c, conn_id = 0
ISADB: reaper checking SA 0x13a9804, conn_id = 0
ISADB: reaper checking SA 0x13b0af4, conn_id = 0
ISADB: reaper checking SA 0x13c1a54, conn_id = 0
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
Any thoughts?
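As an added example that is not part of the original post and not a Cisco or Nortel tool, here is a small Python script that reads PIX 'debug crypto isakmp' output of the kind quoted above (the run-together form copied from a terminal works just as well as one message per line) and reports which Phase 1 transform the PIX accepted, which ones it rejected and with what attributes, and which later markers appeared: DPD support, the INITIAL_CONTACT notify that deletes existing SAs, the "SA has been authenticated" line, the "msg not encrypted" error, and whether a quick-mode (OAK_QM) exchange was ever seen. The sample text embedded in the script is constructed from the lines in the post, with the poster's x.x.x.x / y.y.y.y placeholders kept; the marker strings are the literal messages that appear in the post, and the helper names are my own.

```python
"""Summarise PIX 'debug crypto isakmp' output: Phase 1 transform matching
and the notable events that followed. Example code, not a vendor tool."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample shaped like the debug output quoted in the post above.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x
ISAKMP (0): SA has been authenticated
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP: error, msg not encrypted
"""


@dataclass
class TransformCheck:
    """One peer-proposed Phase 1 transform checked against a local policy."""
    transform: int
    priority: int
    attrs: Dict[str, str] = field(default_factory=dict)
    accepted: Optional[bool] = None


# One alternation so the parser works on run-together text as well as on lines.
EVENT_RE = re.compile(
    r"Checking ISAKMP transform (?P<tnum>\d+) against priority (?P<prio>\d+) policy"
    r"|ISAKMP: (?P<akey>encryption|hash|auth|default group) (?P<aval>\S+)"
    r"|atts are (?P<verdict>(?:not )?acceptable)"
)

# Literal messages from the debug output, mapped to report flags.
MARKERS = {
    "dpd_supported": "remote peer supports dead peer detection",
    "initial_contact": "processing notify INITIAL_CONTACT",
    "sas_deleted": "delete all SAs shared with",
    "phase1_authenticated": "SA has been authenticated",
    "unencrypted_message": "error, msg not encrypted",
    "quick_mode_seen": "OAK_QM exchange",
}


def parse_transform_checks(text: str) -> List[TransformCheck]:
    """Group each 'Checking ISAKMP transform' with its attributes and verdict."""
    checks: List[TransformCheck] = []
    current: Optional[TransformCheck] = None
    for m in EVENT_RE.finditer(text):
        if m.group("tnum"):
            current = TransformCheck(int(m.group("tnum")), int(m.group("prio")))
            checks.append(current)
        elif m.group("akey") and current is not None:
            current.attrs[m.group("akey")] = m.group("aval")
        elif m.group("verdict") and current is not None:
            current.accepted = m.group("verdict") == "acceptable"
            current = None
    return checks


def diagnose(text: str) -> dict:
    """Return the matched transform, rejected transforms and event flags."""
    checks = parse_transform_checks(text)
    accepted = [c for c in checks if c.accepted]
    report = {name: (needle in text) for name, needle in MARKERS.items()}
    report["accepted_transform"] = accepted[0].transform if accepted else None
    report["phase1_policy"] = dict(accepted[0].attrs) if accepted else None
    report["rejected_transforms"] = [c.transform for c in checks if c.accepted is False]
    return report


def summarize(report: dict) -> List[str]:
    """Turn the report into short findings a reader can act on."""
    out = []
    if report["accepted_transform"] is not None:
        out.append(f"Phase 1 matched peer transform {report['accepted_transform']}: "
                   f"{report['phase1_policy']}")
    else:
        out.append("No Phase 1 transform matched: compare the peer's proposals "
                   "with the local isakmp policy")
    if report["rejected_transforms"]:
        out.append(f"Rejected peer transforms: {report['rejected_transforms']}")
    if report["initial_contact"] and report["sas_deleted"]:
        out.append("Peer sent INITIAL_CONTACT; existing SAs with that peer were deleted")
    if report["phase1_authenticated"]:
        out.append("Phase 1 SA authenticated with the pre-shared key")
    if report["unencrypted_message"]:
        out.append("An ISAKMP message arrived unencrypted after Phase 1 ('msg not encrypted')")
    if not report["quick_mode_seen"]:
        out.append("No quick-mode (OAK_QM) exchange seen: Phase 2 never started")
    return out


if __name__ == "__main__":
    for line in summarize(diagnose(SAMPLE_DEBUG)):
        print("-", line)
```

Pointing the script at a saved debug capture instead of SAMPLE_DEBUG gives the same summary for a real negotiation; on the post's output it reports transform 2 (3DES/SHA/pre-share/group 2) as the one that matched, transform 1 (MD5) as rejected, Phase 1 authenticated, the unencrypted message, and no Phase 2 exchange.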