Problems S2SVPN Cisco Watchguard after upgrade IOS

Grr,

I've upgraded my VPN router from 12.2.23 to 12.3.14T. Now the tunnel to a Watchguard WFS 7.0 isn't working anymore. "debug crypto isakmp" gives the following. Downgrading is no issue, because we need some new functionalities in the new IOS.

Any solution?

Dec 1 11:39:05: ISAKMP (0:0): received packet from 10.20.30.40 dport 500 sport 500 Global (N) NEW SA

Dec 1 11:39:05: ISAKMP: Created a peer struct for 10.20.30.40, peer port 500

Dec 1 11:39:05: ISAKMP: New peer created peer = 0x6560EE98 peer_handle = 0x8000011C

Dec 1 11:39:05: ISAKMP: Locking peer struct 0x6560EE98, IKE refcount 1 for crypto_isakmp_process_block

Dec 1 11:39:05: ISAKMP: local port 500, remote port 500

Dec 1 11:39:05: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 656157AC

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing vendor id payload

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing vendor id payload

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 221 mismatch

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing vendor id payload

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing vendor id payload

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 0 mismatch

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.20.30.40 in default

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): : success

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.20.30.40

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): local preshared key found

Dec 1 11:39:05: ISAKMP : Scanning profiles for xauth ...

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 4 policy

Dec 1 11:39:05: ISAKMP: encryption 3DES-CBC

Dec 1 11:39:05: ISAKMP: hash MD5

Dec 1 11:39:05: ISAKMP: auth pre-share

Dec 1 11:39:05: ISAKMP: life type in seconds

Dec 1 11:39:05: ISAKMP: life duration (basic) of 28800

Dec 1 11:39:05: ISAKMP: life type in kilobytes

Dec 1 11:39:05: ISAKMP: life duration (basic) of 32000

Dec 1 11:39:05: ISAKMP: default group 2

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy

Dec 1 11:39:05: ISAKMP: encryption 3DES-CBC

Dec 1 11:39:05: ISAKMP: hash MD5

Dec 1 11:39:05: ISAKMP: auth pre-share

Dec 1 11:39:05: ISAKMP: life type in seconds

Dec 1 11:39:05: ISAKMP: life duration (basic) of 28800

Dec 1 11:39:05: ISAKMP: life type in kilobytes

Dec 1 11:39:05: ISAKMP: life duration (basic) of 32000

Dec 1 11:39:05: ISAKMP: default group 2

Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): processing vendor id payload

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID is NAT-T v3

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): processing vendor id payload

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID seems Unity/DPD but major 221 mismatch

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): processing vendor id payload

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID is NAT-T v2

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): processing vendor id payload

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID seems Unity/DPD but major 0 mismatch

Dec 1 11:39:05: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Dec 1 11:39:05: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): constructed NAT-T vendor-03 ID

Dec 1 11:39:05: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port 500 peer_port 500 (R) MM_SA_SETUP

Dec 1 11:39:05: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Dec 1 11:39:05: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

Dec 1 11:39:06: ISAKMP (0:134217798): received packet from 10.20.30.40 dport 500 sport 500 Global (R) MM_SA_SETUP

Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3

Dec 1 11:39:06: ISAKMP:(0:70:SW:1): processing KE payload. message ID = 0

Dec 1 11:39:06: ISAKMP:(0:70:SW:1): processing NONCE payload. message ID = 0

Dec 1 11:39:06: ISAKMP:(0:0:N/A:0):Looking for a matching key for 10.20.30.40 in default

Dec 1 11:39:06: ISAKMP:(0:0:N/A:0): : success

Dec 1 11:39:06: ISAKMP:(0:70:SW:1):found peer pre-shared key matching 10.20.30.40

Dec 1 11:39:06: ISAKMP:(0:70:SW:1):SKEYID state generated

Dec 1 11:39:06: ISAKMP:received payload type 20

Dec 1 11:39:06: ISAKMP (0:134217798): NAT found, the node inside NAT

Dec 1 11:39:06: ISAKMP:received payload type 20

Dec 1 11:39:06: ISAKMP (0:134217798): NAT found, both nodes are all located inside NAT

Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3

Dec 1 11:39:06: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4

Dec 1 11:39:16: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Dec 1 11:39:16: ISAKMP:(0:70:SW:1):incrementing error counter on sa: retransmit phase 1

Dec 1 11:39:16: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

Dec 1 11:39:16: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Dec 1 11:39:26: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Dec 1 11:39:26: ISAKMP:(0:70:SW:1):incrementing error counter on sa: retransmit phase 1

Dec 1 11:39:26: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

Dec 1 11:39:26: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Dec 1 11:39:36: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Dec 1 11:39:36: ISAKMP:(0:70:SW:1):incrementing error counter on sa: retransmit phase 1

Dec 1 11:39:36: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

Dec 1 11:39:36: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Dec 1 11:39:36: ISAKMP:(0:69:SW:1):purging SA., sa=656150C0, delme=656150C0

Dec 1 11:39:46: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Dec 1 11:39:46: ISAKMP:(0:70:SW:1):incrementing error counter on sa: retransmit phase 1

Dec 1 11:39:46: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

Dec 1 11:39:46: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Dec 1 11:39:56: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Dec 1 11:39:56: ISAKMP:(0:70:SW:1):incrementing error counter on sa: retransmit phase 1

Dec 1 11:39:56: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

Dec 1 11:39:56: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port 500 peer_port 500 (R) MM_KEY_EXCH

Dec 1 11:40:06: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Dec 1 11:40:06: ISAKMP:(0:70:SW:1):peer does not do paranoid keepalives.

Dec 1 11:40:06: ISAKMP:(0:70:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 10.20.30.40)

Dec 1 11:40:06: ISAKMP:(0:70:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 10.20.30.40)

Dec 1 11:40:06: ISAKMP: Unlocking IKE struct 0x6560EE98 for isadb_mark_sa_deleted(), count 0

Dec 1 11:40:06: ISAKMP: Deleting peer node by peer_reap for 10.20.30.40: 6560EE98

Dec 1 11:40:06: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Dec 1 11:40:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA

Tom Pouce
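
An added triage example, not part of the original post: a small Python summarizer for `debug crypto isakmp` output, run over lines excerpted from the log above. The names `summarize` and `WAITING` are illustrative; the state meanings follow IKEv1 main mode on the responder side.

```python
import re

# Excerpt of the debug output posted above (wrapped lines rejoined).
SAMPLE = """\
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 4 policy
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Dec 1 11:39:06: ISAKMP (0:134217798): NAT found, both nodes are all located inside NAT
Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
Dec 1 11:39:16: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Dec 1 11:39:26: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Dec 1 11:40:06: ISAKMP:(0:70:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 10.20.30.40)
"""

# Responder states in which the next packet has to come from the peer.
WAITING = {
    "IKE_R_MM2": "main-mode message 3 (KE + nonce)",
    "IKE_R_MM4": "main-mode message 5 (ID + hash, first encrypted packet)",
}

def summarize(debug_text):
    """Condense an ISAKMP debug into the facts needed to see where phase 1 stalls."""
    s = {"rejected": {}, "accepted": None, "nat": False, "state": None,
         "retransmits": 0, "delete_reason": None}
    prio = None  # priority of the local policy currently being compared
    for line in map(str.rstrip, debug_text.splitlines()):
        if m := re.search(r"against priority (\d+) policy", line):
            prio = int(m.group(1))
        elif "does not match policy" in line and prio is not None:
            s["rejected"][prio] = line.rsplit(":", 1)[-1].strip()
        elif "atts are acceptable" in line:
            s["accepted"] = prio
        elif "NAT found" in line:
            s["nat"] = True
        elif m := re.search(r"New State = (\S+)", line):
            if m.group(1) != "IKE_DEST_SA":   # keep the last live state
                s["state"] = m.group(1)
        elif re.search(r"retransmitting phase 1 \S+\.\.\.$", line):
            s["retransmits"] += 1
        elif m := re.search(r'deleting SA reason "([^"]+)"', line):
            s["delete_reason"] = m.group(1)
    s["waiting_for"] = WAITING.get(s["state"])
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On this log it reports NAT detected and the SA expiring in IKE_R_MM4, meaning the router never received the peer's message 5. Under RFC 3947 an initiator that detects NAT sends that message on UDP 4500, so that path between the two devices is worth checking.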