Bluefire VPN Client to PIX

siiiilky
Level 1

We have a few PDAs on trial and I am trying the Bluefire VPN client. This did work for a while but now it won't connect.

The only thing I can see in an isakmp debug is the following:

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

ISAKMP (0:0): constructed HIS NAT-D

ISAKMP (0:0): constructed MINE NAT-D

ISAKMP (0:0): Detected port floating

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:*.*.*.*, dest:FIREWALL spt:10587 dpt:4500

OAK_AG exchange

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACT

ISADB: reaper checking SA 0x3d1fcf4, conn_id = 0

ISADB: reaper checking SA 0x3d5ec4c, conn_id = 0

ISADB: reaper checking SA 0x3d30744, conn_id = 0

ISADB: reaper checking SA 0x3d2734c, conn_id = 0

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc my hash for NAT-D

ISAKMP (0:0): NAT match MINE hash

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc his hash for NAT-D

ISAKMP (0:0): NAT does not match HIS hash

What does 'NAT does not match HIS hash' mean?

2 Replies

ggilbert
Cisco Employee

The hashing value that was calculated between the devices did not match after the NAT-D detection was done.

Is the client connecting from behind a firewall or a NAT device?

If so, do you have NAT-T enabled on the VPN headend device?

Thanks

Gilbert

Strange, just re-installed the software on the handheld and it is working fine now!
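
An added example, not part of the original thread and not Cisco or Bluefire code: the NAT-D comparison behind the `NAT match MINE hash` / `NAT does not match HIS hash` debug lines, written to the NAT-D definition in RFC 3947 (HASH over both cookies, IP and port). Assumptions: SHA-1 as the negotiated hash, the helper names, and the cookies, addresses and ports, which are all constructed; reading "MINE" as the firewall's own address and "HIS" as the peer's is also an interpretation of the log wording.

```python
import hashlib
import socket
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """NAT-D payload body per RFC 3947 s3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def sender_nat_d(cky_i, cky_r, local, remote):
    """What the client sends: first NAT-D covers the remote end, second its own."""
    return nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)

def receiver_check(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Recompute both hashes from the addresses on the packet as it arrived."""
    for_me, for_him = payloads
    mine = nat_d_hash(cky_i, cky_r, *seen_dst) == for_me
    his = nat_d_hash(cky_i, cky_r, *seen_src) == for_him
    # Any mismatch means an address or port was rewritten in transit.
    return {"mine_match": mine, "his_match": his,
            "float_to_udp_4500": not (mine and his)}

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
PDA_LOCAL = ("10.0.0.5", 500)           # address the handheld believes it has
PDA_AS_SEEN = ("198.51.100.7", 10587)   # after a NAT device rewrote it
FIREWALL = ("192.0.2.10", 500)

def behind_nat():
    sent = sender_nat_d(CKY_I, CKY_R, PDA_LOCAL, FIREWALL)
    return receiver_check(CKY_I, CKY_R, sent, PDA_AS_SEEN, FIREWALL)

def direct():
    sent = sender_nat_d(CKY_I, CKY_R, PDA_LOCAL, FIREWALL)
    return receiver_check(CKY_I, CKY_R, sent, PDA_LOCAL, FIREWALL)

if __name__ == "__main__":
    print("behind NAT:", behind_nat())
    print("direct:    ", direct())
```

In the constructed NAT case only the peer-side hash differs, the same pattern as the debug output above, where the exchange then continues on destination port 4500.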