02-09-2007 01:02 PM - edited 03-11-2019 02:31 AM
The PIX 515 has the following ISAKMP policies.
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
Outside IPsec VPN peers will not connect if the ISAKMP policy is set to 3DES-SHA. D-Link, Linksys, SonicWall, WatchGuard, etc. must have Phase 1 set to 3DES-MD5, which is my highest-priority policy shown above.
Any clue why negotiation isn't happening?
02-09-2007 01:30 PM
hello,
You can turn on debugging and check what's happening.
debug crypto ipsec
debug crypto isakmp
HTH, PRI
02-09-2007 01:53 PM
Here's a cut of the error messages.
Feb 07 11:22:31 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:35 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:41 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:51 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x29f80b0, mess id 0xc0abab34)!
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-715065: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, IKE QM Initiator FSM error history (struct &0x29f80b0)
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-713906: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, sending delete/delete with reason message
Feb 07 11:22:52 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:53 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:59 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:04 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:11 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:12 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:23 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x31eb6a8, mess id 0xca21d6f7)!
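The two message IDs in the excerpt above tell the story by themselves: %PIX-5-713904 is an ESP packet arriving for which the PIX holds no IPsec SA, and %PIX-3-713902 is a Quick Mode (IKEv1 Phase 2) state-machine failure, which can only occur once the ISAKMP (Phase 1) SA already exists. The following script is an added example, not part of the thread or any Cisco tool; it parses syslog lines of the shape posted above and reports, per peer, whether the failure is in Phase 2 or simply a missing IPsec SA. The relay and peer addresses in SAMPLE_LOG are constructed (RFC 5737 test ranges), not the poster's masked ones.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Syslog shape seen in the post, as relayed by a syslog server:
#   <Mon DD HH:MM:SS> <relay-ip> <facility.severity> %PIX-<sev>-<msgid>: <body>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<relay>\S+) (?P<fac>\S+) "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# The peer's address is the "IP = a.b.c.d" field inside the message body.
PEER_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample, patterned after the posted excerpt (addresses are test-net values).
SAMPLE_LOG = """\
Feb 07 11:22:31 172.16.0.1 local4.notice %PIX-5-713904: IP = 192.0.2.10, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:35 172.16.0.1 local4.notice %PIX-5-713904: IP = 192.0.2.10, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:51 172.16.0.1 local4.err %PIX-3-713902: Group = 192.0.2.10, IP = 192.0.2.10, QM FSM error (P2 struct &0x29f80b0, mess id 0xc0abab34)!
Feb 07 11:22:51 172.16.0.1 local4.debug %PIX-7-713906: Group = 192.0.2.10, IP = 192.0.2.10, sending delete/delete with reason message
Feb 07 11:23:00 172.16.0.1 local4.notice %PIX-5-713904: IP = 192.0.2.20, Received encrypted packet with no matching SA, dropping
"""


@dataclass
class Event:
    ts: str
    severity: int
    msgid: str
    peer: str
    body: str


def parse_line(line):
    """Return an Event for a PIX syslog line, or None if the line has another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = PEER_RE.search(m["body"])
    return Event(m["ts"], int(m["sev"]), m["msgid"], p["ip"] if p else "?", m["body"])


def parse_lines(lines):
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def summarize(events):
    """Per peer: count of no-matching-SA drops, count of Quick Mode failures, and a verdict.

    713902 (QM FSM error) means Phase 1 completed and Phase 2 did not, which
    points at Phase 2 parameters: transform set, proxy identities/ACL, PFS.
    713904 alone means the peer is sending ESP for an SA this side does not hold
    (stale SA on the peer, or the tunnel never came up on this side).
    """
    per_peer = defaultdict(Counter)
    for e in events:
        per_peer[e.peer][e.msgid] += 1
    findings = {}
    for peer, counts in per_peer.items():
        no_sa, qm_fail = counts["713904"], counts["713902"]
        if qm_fail:
            verdict = "phase2-failure"
        elif no_sa:
            verdict = "no-ipsec-sa"
        else:
            verdict = "ok"
        findings[peer] = {"no_matching_sa": no_sa, "qm_fsm_errors": qm_fail, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for peer, f in summarize(parse_lines(SAMPLE_LOG.splitlines())).items():
        print(peer, f)
```

Run it against a real syslog file by replacing SAMPLE_LOG with the file contents; a peer that shows 713902 needs its Phase 2 settings compared, while a peer that shows only 713904 drops usually just needs its stale SAs cleared or its Phase 1 settings checked.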
02-10-2007 02:53 AM
hello,
Have you got pfs = yes in your config?
Anyway, this error you are getting could be due to one of the sides having configured IKEv2 instead of IKEv1.
HTH, PRI
02-10-2007 05:45 PM
Hi. This sort of error is generally related to mismatches between the peers. I suggest making sure that the Phase 1 and Phase 2 parameters are the same on the PIX and the other peer.
I hope it helps. Please rate it if it does!
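A concrete way to do the comparison the replies recommend, as an added example that is not from the thread or from Cisco: parse the ISAKMP policies exactly as posted, check which policy (if any) a peer's Phase 1 proposal would satisfy, and diff the Phase 2 parameters field by field. The peer proposals and the Phase 2 dictionaries below are constructed illustrations; the lifetime rule (peer's lifetime must be no longer than ours) models Cisco's documented IKEv1 matching, and should be checked against your platform's documentation.

```python
# The policies from the original post (a subset, verbatim in syntax).
PIX_ISAKMP_CONFIG = """\
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
"""

PHASE1_KEYS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(text):
    """Turn 'crypto isakmp policy N' blocks into dicts, ordered by priority (lowest number first)."""
    policies, cur = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            cur = {"priority": int(parts[3])}
            policies.append(cur)
        elif cur is not None and parts[0] in PHASE1_KEYS + ("lifetime",):
            cur[parts[0]] = parts[1]
    return sorted(policies, key=lambda p: p["priority"])


def phase1_match(policies, proposals):
    """Return the first local policy satisfied by any of the peer's proposals, else None.

    IKEv1 lets the initiator offer several proposals; the responder walks its
    own policies in priority order and takes the first one any proposal matches.
    Encryption, hash, DH group and auth must be identical; a shorter peer
    lifetime is accepted (assumption: modelled on Cisco's documented behaviour).
    """
    for pol in policies:
        for prop in proposals:
            same = all(pol[k] == prop[k] for k in PHASE1_KEYS)
            lifetime_ok = int(prop["lifetime"]) <= int(pol["lifetime"])
            if same and lifetime_ok:
                return pol
    return None


def phase2_mismatches(local, remote):
    """Return {field: (local, remote)} for every Phase 2 field that differs."""
    return {
        k: (local.get(k), remote.get(k))
        for k in sorted(set(local) | set(remote))
        if local.get(k) != remote.get(k)
    }


# Constructed peer settings for illustration (not from the thread).
PEER_PROPOSALS = [
    {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2", "lifetime": "28800"},
]
LOCAL_PHASE2 = {"transform": "esp-3des esp-md5-hmac", "pfs": "group2", "lifetime": "3600"}
REMOTE_PHASE2 = {"transform": "esp-3des esp-sha-hmac", "pfs": None, "lifetime": "3600"}

if __name__ == "__main__":
    pols = parse_isakmp_policies(PIX_ISAKMP_CONFIG)
    print("phase 1 match:", phase1_match(pols, PEER_PROPOSALS))
    print("phase 2 mismatches:", phase2_mismatches(LOCAL_PHASE2, REMOTE_PHASE2))
```

In the constructed case Phase 1 lands on policy 20 while Phase 2 differs on the transform set and on PFS, which is exactly the pattern that produces a QM FSM error after a successful Phase 1. When reviewing a real pair of configs, note that DES, MD5 and DH group 1 in the lower-priority policies are long deprecated; matching on them keeps a tunnel up but should be treated as a finding in its own right.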