Site to Site VPN with IOS to Checkpoint - I'm lost

Unanswered Question
Nov 14th, 2008
Hi all,

I need to set up a site-to-site IKE VPN tunnel. The configuration kinda speaks for itself, but in short the idea is to only use the secondary DSL interface for a dedicated IPSec tunnel to a remote location.

When the tunnel is being initiated, it fails on Phase1:

The awkward thing is:

ISAKMP: reserved not zero on ID payload!

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from failed its sanity check or is malformed

Would indicate a mismatch in the preshared key (or does it?!). I triple checked that....

Kinda lost now, any thinking along and/or help appreciated!

ajagadee (Cisco Employee) Fri, 11/14/2008 - 08:26


Yes, the debug message "ISAKMP: reserved not zero on ID payload!" means that the PSK does not match on both sides.

Also, can you add the "no-xauth" option to the PSK statement in the configuration?

crypto isakmp key cisco address no-xauth



*Pls rate if it helps*
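
Why a key mismatch surfaces as this particular debug line, shown as an added example that is not part of the thread or of any poster's code: in IKEv1 main mode with a PSK, the ID payload arrives encrypted under keys derived from the PSK, so a mismatched key decrypts it to effectively random bytes and the RESERVED byte of the payload header is almost never zero. The field layout follows RFC 2408 and RFC 2407; the function names, the sample buffers and the use of SHA-256 output as a stand-in for mis-decrypted ciphertext are assumptions made for the illustration.

```python
import hashlib
import struct

def check_id_payload(buf):
    """Sanity-check a decrypted IKEv1 ID payload (RFC 2408 generic header +
    RFC 2407 ID fields). Returns a list of problems; empty means it looks sane."""
    if len(buf) < 8:
        return ["truncated ID payload"]
    # next payload, RESERVED, payload length, ID type, protocol ID, port
    _next, reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    problems = []
    if reserved != 0:
        problems.append("reserved not zero on ID payload")
    if not 8 <= length <= len(buf):
        problems.append("bad payload length %d" % length)
    if not 1 <= id_type <= 11:          # ID types defined by the IPsec DOI
        problems.append("unknown ID type %d" % id_type)
    if (proto, port) not in ((0, 0), (17, 500)):  # phase 1: 0/0 or UDP/500 only
        problems.append("unexpected protocol/port %d/%d" % (proto, port))
    return problems

def wrong_key_rejection_rate(samples=2000):
    """Fraction of pseudo-random buffers that trip the RESERVED check alone.
    SHA-256 output stands in for ciphertext decrypted with the wrong key."""
    hits = 0
    for i in range(samples):
        garbage = hashlib.sha256(b"constructed-%d" % i).digest()[:12]
        if "reserved not zero on ID payload" in check_id_payload(garbage):
            hits += 1
    return hits / samples

# Constructed sample: ID_IPV4_ADDR 192.0.2.1, UDP/500, next payload 8 (HASH).
GOOD = struct.pack("!BBHBBH4s", 8, 0, 12, 1, 17, 500, bytes([192, 0, 2, 1]))
# Constructed sample of garbage bytes, as a mismatched key would produce.
GARBAGE = bytes.fromhex("a35c91f07be2440d19c6aa58")

if __name__ == "__main__":
    print("good payload:   ", check_id_payload(GOOD))
    print("garbage payload:", check_id_payload(GARBAGE))
    print("share of wrong-key buffers failing RESERVED:", wrong_key_rejection_rate())
```

The RESERVED test fails for roughly 255 of every 256 mis-decrypted payloads, which is why this message is a common symptom of a key mismatch even though it never mentions the key.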

keesvanbeekict Wed, 11/19/2008 - 01:29

It probably won't be earlier than this Friday that I can give it a try, but I will and report/rate back ;-)

I'm not sure why using the no-xauth would make a difference though...


"(Optional) Use this keyword if router-to-router IPSec is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password)."

Worth a shot :-)

