isakmp policy initiator does not negotiate PIX515e 7.2(1)

flippedflop
Level 1

PIX515 has the following isakmp policy.

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400

Outside IPSec VPN peers will not connect if the isakmp policy is set to 3DES-SHA. D-LINK, Linksys, SonicWall, WatchGuard, etc. must have phase 1 set to 3DES-MD5, which is my highest priority shown above.

Any clue why negotiation isn't happening?

4 Replies

zulqurnain
Level 3

Hello,

You can turn on debug and check what's happening:

debug crypto ipsec
debug crypto isakmp

HTH, PRI

Here's a cut of the error messages.

Feb 07 11:22:31 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:35 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:41 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:51 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x29f80b0, mess id 0xc0abab34)!
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-715065: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, IKE QM Initiator FSM error history (struct &0x29f80b0) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-713906: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, sending delete/delete with reason message
Feb 07 11:22:52 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:53 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:59 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:04 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:11 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:12 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:23 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x31eb6a8, mess id 0xca21d6f7)!

Hello,

Have you got pfs = yes in your config?

Anyway, this error you are getting could be because one of the sides has configured IKEv2 instead of IKEv1.

HTH, PRI

Fernando_Meza
Level 7

Hi.. these sorts of errors are generally related to mismatches between the peers. I suggest making sure that the Phase 1 and Phase 2 parameters are the same on the PIX and on the other peer.

I hope it helps .. please rate it if it does!!!
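An added example, not from this thread or from Cisco: a small Python triage script over constructed PIX syslog lines in the same format as the ones posted above. It keys on the two message ids seen in the thread (713904 "no matching SA" and 713902 "QM FSM error") and encodes the reading that a QM (quick mode, i.e. IKE phase 2) FSM error means phase 1 already completed with that peer, so the IPsec transform set, PFS and crypto ACL / proxy IDs should be compared before the isakmp policies. The peer addresses are constructed documentation-range values.

```python
import re
from collections import defaultdict

# PIX syslog shape seen in the thread: "%PIX-<sev>-<msgid>: [Group = x, ]IP = <peer>, <text>"
LOG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): .*?IP = (?P<peer>[\d.x]+), (?P<text>.*)")

NO_SA = "713904"        # encrypted packet arrived but no SA matched it
QM_FSM_ERROR = "713902" # quick mode (phase 2) state machine failed -> phase 1 had succeeded

# Constructed sample log, not the poster's data; peers are documentation addresses.
SAMPLE_LOG = """\
Feb 07 11:22:31 10.0.0.1 local4.notice %PIX-5-713904: IP = 203.0.113.7, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:35 10.0.0.1 local4.notice %PIX-5-713904: IP = 203.0.113.7, Received encrypted packet with no matching SA, dropping
Feb 07 11:22:51 10.0.0.1 local4.err %PIX-3-713902: Group = 203.0.113.7, IP = 203.0.113.7, QM FSM error (P2 struct &0x0, mess id 0x1)!
Feb 07 11:22:51 10.0.0.1 local4.debug %PIX-7-713906: Group = 203.0.113.7, IP = 203.0.113.7, sending delete/delete with reason message
Feb 07 11:22:52 10.0.0.1 local4.notice %PIX-5-713904: IP = 203.0.113.7, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:02 10.0.0.1 local4.notice %PIX-5-713904: IP = 198.51.100.9, Received encrypted packet with no matching SA, dropping
Feb 07 11:23:05 10.0.0.1 local4.info some unrelated line without an IKE message id
"""

def parse_line(line):
    """Return the severity, message id, peer and text of one PIX syslog line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count the two IKE error ids per peer and attach a triage hint per peer."""
    stats = defaultdict(lambda: {"no_sa": 0, "qm_errors": 0, "diagnosis": ""})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] == NO_SA:
            stats[rec["peer"]]["no_sa"] += 1
        elif rec["msgid"] == QM_FSM_ERROR:
            stats[rec["peer"]]["qm_errors"] += 1
    for s in stats.values():
        if s["qm_errors"]:
            # Phase 1 completed; phase 2 proposal was rejected or timed out.
            s["diagnosis"] = "phase 2: compare transform set, PFS group, crypto ACL / proxy IDs"
        else:
            # Peer is sending ESP/IKE traffic for an SA this side no longer holds.
            s["diagnosis"] = "no SA: compare phase 1 policy and check for stale SA on the peer"
    return dict(stats)

if __name__ == "__main__":
    for peer, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: no_sa={s['no_sa']} qm_errors={s['qm_errors']} -> {s['diagnosis']}")
```

Feed it real syslog with `summarize(open(path).read().splitlines())`; peers whose only errors are 713904 are the ones where the phase 1 policy list above is actually worth revisiting.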
