isakmp policy initiator does not negotiate PIX515e 7.2(1)

Unanswered Question
Feb 9th, 2007

PIX515 has the following isakmp policy.

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400

Outside IPsec VPN peers will not connect if the isakmp policy is set to 3DES-SHA. D-Link, Linksys, SonicWall, WatchGuard, etc. must have Phase 1 set to 3DES-MD5, which is my highest-priority policy shown above.

Any clue why negotiation isn't happening?

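To check the Phase 1 side of this independently of the device, here is an added example (not code from the thread or from Cisco) that parses the policy block above and applies the responder-side selection rule as Cisco documents it for IKEv1: the responder walks its own policies from the highest priority (lowest number) down and picks the first one whose authentication, encryption, hash and DH group are identical to one of the transforms the peer offered; lifetimes need not match, the shorter one is used. The transform sets offered by the peers are constructed inputs (`proposal(...)` is a helper defined here), and platform defaults for unset policy attributes are deliberately not modelled, so every attribute must appear explicitly as it does in the posted config.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the ISAKMP policy block posted in the question.
PIX_CONFIG = """\
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
"""

# Attributes that must be identical for a Phase 1 match; lifetime is negotiated separately.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
Policy = Dict[str, object]


def _finish(attrs: Dict[str, str]) -> Policy:
    missing = [k for k in MATCH_KEYS + ("lifetime",) if k not in attrs]
    if missing:  # device defaults are not modelled here, so an incomplete block is an error
        raise ValueError(f"policy {attrs['priority']} missing {missing}")
    policy: Policy = {"priority": int(attrs["priority"]), "lifetime": int(attrs["lifetime"])}
    policy.update({k: attrs[k] for k in MATCH_KEYS})
    return policy


def parse_isakmp_policies(config: str) -> List[Policy]:
    """Return the 'crypto isakmp policy N' blocks sorted by priority (lowest number first)."""
    policies: List[Policy] = []
    current: Optional[Dict[str, str]] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:  # a new policy block starts; close the previous one
            if current is not None:
                policies.append(_finish(current))
            current = {"priority": m.group(1)}
            continue
        if current is None or not line:  # global isakmp commands and blank lines
            continue
        parts = line.split()
        if parts[0] in MATCH_KEYS + ("lifetime",) and len(parts) == 2:
            current[parts[0]] = parts[1]
        else:  # any other top-level command ends the policy block
            policies.append(_finish(current))
            current = None
    if current is not None:
        policies.append(_finish(current))
    return sorted(policies, key=lambda p: p["priority"])


def proposal(authentication: str, encryption: str, hash_alg: str, group: str, lifetime: int) -> Policy:
    """One transform as the remote peer offers it in its SA payload (constructed input)."""
    return {"authentication": authentication, "encryption": encryption,
            "hash": hash_alg, "group": group, "lifetime": lifetime}


def select_policy(policies: List[Policy], offered: List[Policy]) -> Optional[Tuple[Policy, int]]:
    """Responder-side selection: our priority order decides, not the order the peer offered."""
    for pol in policies:
        for prop in offered:
            if all(pol[k] == prop[k] for k in MATCH_KEYS):
                return pol, min(int(pol["lifetime"]), int(prop["lifetime"]))
    return None


def explain_mismatch(policies: List[Policy], prop: Policy) -> Dict[int, List[str]]:
    """For a transform that matched nothing, list which attributes differ from each policy."""
    return {int(pol["priority"]): [k for k in MATCH_KEYS if pol[k] != prop[k]] for pol in policies}
```

Running `select_policy` over the posted policies with a 3DES-MD5, group 2, pre-shared-key transform returns policy 20, so a peer configured that way should clear Phase 1 against this config; if a peer still fails, `explain_mismatch` shows which attribute (often the DH group or the hash) it is actually offering differently, which is quicker than reading `debug crypto isakmp` output by hand.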
zulqurnain Fri, 02/09/2007 - 13:30

hello,

you can turn on debug and check what's happening.

debug crypto ipsec

debug crypto isakmp

HTH, PRI

flippedflop Fri, 02/09/2007 - 13:53

Here's a cut of the error messages.

Feb 07 11:22:31 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:35 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:41 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:51 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x29f80b0, mess id 0xc0abab34)!
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-715065: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, IKE QM Initiator FSM error history (struct &0x29f80b0) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-713906: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, sending delete/delete with reason message
Feb 07 11:22:52 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:53 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:59 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:04 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:11 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:12 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:23 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x31eb6a8, mess id 0xca21d6f7)!
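The messages above are worth reading as a sequence rather than one at a time: the 715065 history line shows the PIX acting as Quick Mode initiator, sending QM message 1, resending it, and timing out twice waiting for message 2 before the 713902 error and the 713906 delete, while the surrounding 713904 lines show the peer still sending ESP for which this PIX has no IPsec SA. That is a Phase 2 (IPsec SA) failure, not a Phase 1 one, so the isakmp policy is not the first thing to compare. The following added example (not code from the thread or from Cisco) parses syslog lines in the format posted, groups them per peer address, counts the QM timeouts from the history line and turns the result into the check to make next. The sample input is a constructed subset of the posted lines with the same masked addresses, and the message-ID descriptions are the general meaning of these PIX messages, not text from the post.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six of the syslog lines posted above (addresses masked as in the post).
SAMPLE_LOG = """\
Feb 07 11:22:31 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:35 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:51 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x29f80b0, mess id 0xc0abab34)!
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-715065: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, IKE QM Initiator FSM error history (struct &0x29f80b0) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-713906: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, sending delete/delete with reason message
Feb 07 11:22:52 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
"""

# Remote-syslog framing as shown in the post: timestamp, host, facility.severity, %PIX-sev-id: body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<facility>\S+) "
    r"%PIX-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Peer address as printed in these messages; 'x' is allowed because the post masks octets.
PEER_RE = re.compile(r"\bIP = (?P<ip>[0-9a-fx.:]+)")

# General meaning of the message IDs seen in the thread.
MSG_MEANING = {
    "713904": "ESP received from the peer but no IPsec SA exists for it here",
    "713902": "Quick Mode (Phase 2) state machine failed",
    "715065": "Quick Mode initiator FSM history",
    "713906": "ISAKMP delete sent to the peer",
}


@dataclass
class PixEvent:
    ts: str
    severity: int
    msgid: str
    peer: Optional[str]
    body: str


def parse_pix_syslog(text: str) -> List[PixEvent]:
    """Parse lines in the posted format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer = PEER_RE.search(m["body"])
        events.append(PixEvent(m["ts"], int(m["severity"]), m["msgid"],
                               peer["ip"] if peer else None, m["body"]))
    return events


def qm_timeouts(history_body: str) -> int:
    """Each EV_TIMEOUT in a 715065 history is one Quick Mode message the peer never answered."""
    return history_body.count("EV_TIMEOUT")


def finding(counts: Counter, timeouts: int) -> str:
    """Turn the per-peer counts into the check to make next."""
    if counts["713902"]:
        why = (f"PIX sent QM message 1 and timed out {timeouts} times waiting for message 2; "
               if timeouts else "")
        return ("Phase 2 failing: " + why +
                "compare IPsec transform set, PFS setting and proxy IDs on both peers")
    if counts["713904"]:
        return "peer sends ESP for an IPsec SA this PIX does not have; check for a stale SA on the peer"
    return "no IPsec failure signature in this window"


def triage_by_peer(events: List[PixEvent]) -> Dict[str, dict]:
    """Group events per peer IP with counts, time window, message meanings and a finding."""
    per_peer: Dict[str, dict] = defaultdict(
        lambda: {"counts": Counter(), "first": None, "last": None, "qm_timeouts": 0})
    for ev in events:
        if ev.peer is None:
            continue
        s = per_peer[ev.peer]
        s["counts"][ev.msgid] += 1
        s["first"] = s["first"] or ev.ts
        s["last"] = ev.ts
        if ev.msgid == "715065":
            s["qm_timeouts"] += qm_timeouts(ev.body)
    for s in per_peer.values():
        s["finding"] = finding(s["counts"], s["qm_timeouts"])
        s["meanings"] = {mid: MSG_MEANING.get(mid, "unlisted") for mid in s["counts"]}
    return dict(per_peer)
```

On the sample, `triage_by_peer(parse_pix_syslog(SAMPLE_LOG))` reports the single peer with three 713904 drops, one 713902 error, two Quick Mode timeouts and a "Phase 2 failing" finding; pointed at a real syslog file it separates peers that never finish Phase 2 (transform set, PFS or proxy-ID mismatch) from peers that merely keep sending ESP on an SA the PIX has already torn down.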

zulqurnain Sat, 02/10/2007 - 02:53

hello,

Have you got pfs = yes in your config?

Anyway, this error you are getting could be due to one of the sides having configured IKEv2 instead of IKEv1.

HTH, PRI

Fernando_Meza Sat, 02/10/2007 - 17:45

Hi .. this sort of error is generally related to mismatches between the peers .. I suggest making sure that the Phase 1 and Phase 2 parameters are the same on the PIX and the other peer.

I hope it helps .. please rate it if it does!!!
