02-09-2007 01:02 PM - edited 03-11-2019 02:31 AM
PIX515 has the following isakmp policy.
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
Outside IPSec VPN peers will not connect if the isakmp policy is set to 3DES-SHA. D-LINK, Linksys, SonicWall, WatchGuard, etc. must have phase 1 set to 3DES-MD5, which is my highest priority shown above.
Any clue why negotiation isn't happening?
02-09-2007 01:30 PM
Hello,
You can turn on debug and check what's happening.
debug crypto ipsec
debug crypto isakmp
HTH, PRI
02-09-2007 01:53 PM
Here's a cut of the error messages.
Feb 07 11:22:31 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:35 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:41 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:51 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x29f80b0, mess id 0xc0abab34)!
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-715065: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, IKE QM Initiator FSM error history (struct &0x29f80b0)
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-713906: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, sending delete/delete with reason message
Feb 07 11:22:52 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:53 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:59 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:04 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:11 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:12 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:23 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x31eb6a8, mess id 0xca21d6f7)!
02-10-2007 02:53 AM
Hello,
Have you got pfs = yes in your config?
Anyway, the error you are getting could occur if one of the sides has configured IKEv2 instead of IKEv1.
HTH, PRI
02-10-2007 05:45 PM
Hi, this sort of error is generally related to mismatches between the peers. I suggest making sure that Phase 1 and 2 parameters are the same on the PIX and the other peer.
I hope it helps .. please rate it if it does!!!
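Added example, not part of the thread and not Cisco code: a small Python check for the Phase 1 comparison suggested above. It parses `crypto isakmp policy` blocks and reports which policy a peer's proposal matches, or which attributes differ in the closest one. The function names are hypothetical, and the model is simplified: one proposal per peer, lifetime not compared, PIX default values not filled in.

```python
# Constructed input: policies 20, 30 and 60 from the config posted in the
# thread, with the lifetime lines left out.
PIX_CONFIG = """\
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
crypto isakmp policy 60
authentication pre-share
encryption des
hash sha
group 1
"""

ATTRS = ("authentication", "encryption", "hash", "group")

def parse_policies(text):
    """Return {priority: {attr: value}} from 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), {})
        elif current is not None and len(words) == 2 and words[0] in ATTRS:
            current[words[0]] = words[1]
    return policies

def match_proposal(policies, proposal):
    """Return (priority, []) for the first policy, in priority order, equal to
    the proposal; otherwise (closest priority, [attributes that differ])."""
    best = None
    for prio in sorted(policies):  # lowest number = highest priority
        diff = [a for a in ATTRS if policies[prio].get(a) != proposal.get(a)]
        if not diff:
            return prio, []
        if best is None or len(diff) < len(best[1]):
            best = (prio, diff)
    return best

if __name__ == "__main__":
    base = {"authentication": "pre-share", "encryption": "3des", "hash": "sha"}
    for group in ("2", "5"):  # constructed peer proposals
        print(group, match_proposal(parse_policies(PIX_CONFIG), {**base, "group": group}))
```

A result with a non-empty attribute list names the Phase 1 settings to compare on the remote peer; it says nothing about Phase 2 (transform set, PFS), which has to be checked separately.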