Site to Site VPN with IOS to Checkpoint - I'm lost

Unanswered Question
Nov 14th, 2008

Hi all,

I need to set up a site-to-site IKE VPN tunnel. The configuration kinda speaks for itself, but in short the idea is to only use the secondary DSL interface for a dedicated IPSec tunnel to a remote location.

When the tunnel is being initiated, it fails on Phase 1:

The awkward thing is:

ISAKMP: reserved not zero on ID payload!

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 111.111.111.111 failed its sanity check or is malformed

That would indicate a mismatch in the preshared key (or does it?!). I triple checked that...

Kinda lost now, any thinking along and/or help appreciated!

ajagadee Fri, 11/14/2008 - 08:26

Hi,

Yes, the debug message "ISAKMP: reserved not zero on ID payload!" means that the PSK does not match on both the sides.

Also, can you add the "no-xauth" option to the PSK statement in the configuration?

crypto isakmp key cisco address 1.1.1.1 no-xauth

Regards

Arul

*Pls rate if it helps*
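
The two messages quoted in the question can be triaged automatically. The script below is an added example (not from the original post or from Cisco): it scans constructed IOS ISAKMP debug/syslog lines for the "reserved not zero on ID payload!" and %CRYPTO-4-IKMP_BAD_MESSAGE signatures and reports, per peer, whether the failure looks like the PSK mismatch described in this answer. The sample log and the peer addresses in it are constructed.

```python
import re

# Constructed sample of IOS ISAKMP debug / syslog output (not from the original post),
# showing the two lines the thread discusses plus unrelated noise.
SAMPLE_LOG = """\
Nov 14 10:02:11.120: ISAKMP:(0):Old State = IKE_R_MM4  New State = IKE_R_MM5
Nov 14 10:02:11.124: ISAKMP: reserved not zero on ID payload!
Nov 14 10:02:11.124: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 111.111.111.111 failed its sanity check or is malformed
Nov 14 10:02:15.300: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Nov 14 10:02:20.001: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.0.2.7 failed its sanity check or is malformed
"""

# Signatures taken from the messages quoted in the thread.
BAD_MESSAGE_RE = re.compile(
    r"%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) "
    r"failed its sanity check or is malformed")
RESERVED_NOT_ZERO = "ISAKMP: reserved not zero on ID payload!"


def triage_ike_phase1(log_text):
    """Return a dict peer -> verdict for each peer whose IKE message failed the sanity check.

    In IKEv1 main mode the ID payload arrives in the first message encrypted with keys
    derived from the pre-shared key, so a wrong PSK decrypts to garbage and the reserved
    field of the ID payload is no longer zero. A sanity-check failure immediately preceded
    by that message is therefore flagged as a probable PSK mismatch (a triage hint, not proof).
    """
    findings = {}
    saw_reserved = False
    for line in log_text.splitlines():
        if RESERVED_NOT_ZERO in line:
            saw_reserved = True
            continue
        m = BAD_MESSAGE_RE.search(line)
        if m:
            peer = m.group("peer")
            if saw_reserved:
                findings[peer] = "probable PSK mismatch (compare 'crypto isakmp key' on both peers)"
            else:
                findings[peer] = "malformed IKE message; cause not determined from this log"
        saw_reserved = False  # the hint only applies to the very next line
    return findings


if __name__ == "__main__":
    for peer, verdict in triage_ike_phase1(SAMPLE_LOG).items():
        print(f"{peer}: {verdict}")
```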

keesvanbeekict Wed, 11/19/2008 - 01:29

It probably won't be earlier than this Friday that I can give it a try, but I will and report/rate back ;-)

I'm not sure why using the no-xauth would make a difference though...

"no-xauth:

(Optional) Use this keyword if router-to-router IPSec is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password)."

Worth a shot :-)
