Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

871 to Bordermanager site to site VPN

I am trying to configure a site to site VPN from an 871 with IOS 12.4(6)T and SDM 2.3 to a Novell Bordermanager 3.8.4 firewall.

I can't get past the initial IKE-SA handshake when the Bordermanager server's IKE logging screen shows the following information:

Final IKE (phase 1) SA lifetime is 3600 secs

4-19-2006 6:33:24 pm IKE-SA is created. rekey time = 2700 encr=5,hash=1,auth=1,lifesec=3600

4-19-2006 6:33:24 pm dst=,time=3819809

4-19-2006 6:33:29 pm Invalid payload length - ID-PAYLOAD payload

4-19-2006 6:33:29 pm Processed ID-PAYLOAD unsuccessful - Received the message in the wrong state. Lost our reply, dst=

4-19-2006 6:33:29 pm Failed to create IKE-SA - Received the message in the wrong state. Lost our reply , dst =

Has anyone had success in connecting any Cisco VPN appliance to a Bordermanager firewall? I think that it has much to do with Cisco's vs. Novell's way of doing things.


Re: 871 to Bordermanager site to site VPN

As long as both the sides support the standards, things must work out fine. Check your IKE policies on both the sides to exact match for at least one policy on both sides. If there are not matching policies on both sides, IKE SAs will not be established. Also check the IPSEC parameters such as transform-sets, crypto-maps, interesting traffic, PFS settings etc. to match on both ends. Also check if the UDP/500 (for IKE) and IP/50(for ESP) or IP/51(for AH) traffic can pass freely between the two peers. Most of the time these are the issues that prevent the tunnel to come up.