08-29-2003 02:30 PM - edited 03-10-2019 01:27 PM
Hi!
I've got an implementation with a Cisco 1721 and a Contivity. We are trying to establish the VPN but there are some error messages. The parameters on both sides are defined exactly the same way. The error messages are the following:
*Mar 1 00:28:47.215: ISAKMP (0:28): found peer pre-shared key matching 200
VPN_ACH#.32.81.125
*Mar 1 00:28:47.219: ISAKMP (0:28): constructed NAT-T vendor-03 ID
*Mar 1 00:28:47.219: ISAKMP (0:28): constructed NAT-T vendor-02 ID
*Mar 1 00:28:47.219: ISAKMP (0:28): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:28:47.219: ISAKMP (0:28): Old State = IKE_READY New State = IKE_I_MM
1
*Mar 1 00:28:47.219: ISAKMP (0:28): beginning Main Mode exchange
*Mar 1 00:28:47.219: ISAKMP (0:28): sending packet to 200.32.81.125 my_port 500
peer_port 500 (I) MM_NO_STATE
*Mar 1 00:28:47.255: ISAKMP (0:28): received packet from 200.32.81.125 dport 50
0 sport 500 Global (I) MM_NO_STATE
*Mar 1 00:28:47.255: ISAKMP (0:28): Notify has no hash. Rejected.
*Mar 1 00:28:47.259: ISAKMP (0:28): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 00:28:47.259: ISAKMP (0:28): Old State = IKE_I_MM1 New State = IKE_I_MM
1
VPN_ACH#
*Mar 1 00:29:00.119: ISAKMP (0:26): received packet from 200.32.81.125 dport 50
0 sport 500 Global (R) MM_NO_STATE
VPN_ACH#
*Mar 1 00:29:07.075: ISAKMP (0:25): purging node 1859208889
*Mar 1 00:29:07.075: ISAKMP (0:25): purging node 580752626
VPN_ACH#
*Mar 1 00:29:17.075: ISAKMP (0:25): purging SA., sa=81D473A0, delme=81D473A0
*Mar 1 00:29:17.079: ISAKMP (0:26): purging SA., sa=81273EB4, delme=81273EB4
*Mar 1 00:29:17.211: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 200.74.133.147, remote= 200.32.81.125,
local_proxy= 172.16.1.0/255.255.255.0/1/0 (type=4),
remote_proxy= 172.16.20.0/255.255.255.0/1/0 (type=4)
*Mar 1 00:29:17.211: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 200.74.133.147, remote= 200.32.81.125,
local_proxy= 172.16.1.0/255.255.255.0/1/0 (type=4),
remote_proxy= 172.16.20.0/255.255.255.0/1/0 (type=4)
VPN_ACH#,
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x4228E38(69373496), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:29:17.211: ISAKMP: received ke message (1/1)
*Mar 1 00:29:17.215: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:29:17.215: ISAKMP (0:28): SA is still budding. Attached new ipsec req
uest to it. (local 200.74.133.147, remote 200.32.81.125)
VPN_ACH#
*Mar 1 00:29:31.327: ISAKMP (0:27): purging node -244189571
*Mar 1 00:29:31.327: ISAKMP (0:27): purging node -1924907150
VPN_ACH#sjpow
*Mar 1 00:29:34.947: ISAKMP (0:0): received packet from 200.32.81.125 dport 500
sport 500 Global (N) NEW SA
*Mar 1 00:29:34.947: ISAKMP: local port 500, remote port 500
*Mar 1 00:29:34.947: ISAKMP: insert sa successfully sa = 81D473A0
*Mar 1 00:29:34.951: ISAKMP (0:29): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 00:29:34.951: ISAKMP (0:29): Old State = IKE_READY New State = IKE_R_MM
1
The configuration on the 1721 is the following:
crypto isakmp policy 110
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxx
crypto isakmp keepalive 90 10
!
!
crypto ipsec transform-set mine esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 200.32.81.125
set transform-set mine
match address 102
!
interface Ethernet0
ip address x.x.x.147 255.255.255.248
half-duplex
crypto map mymap
!
access-list 102 permit icmp 172.16.1.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 102 permit tcp 172.16.1.0 0.0.0.255 172.16.20.0 0.0.0.255
What suggestions do you have? What can I check on the Contivity side?
Thanks,
Mario
09-01-2003 12:49 AM
Hello.
According to your debugs, the peer with IP 200.32.71.125 did not encapsulate a proper hash field into the second packet of the IKE Main Mode exchange. So the 1721 simply discards that packet, as it can't authenticate the preshared key of the peer.
Check the preshared key settings on the other peer.
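A small parser for debug output like the one posted in this thread, added here as an example and not part of any participant's post: it rejoins the terminal's 80-column line wraps, skips echoed prompt lines, and reports per SA the Main Mode state transitions and any rejected notifies. The function names are assumptions of this example, and the embedded sample is an excerpt constructed from the debug above.

```python
import re

# Constructed sample: an excerpt shaped like the debug in this thread,
# including the 80-column terminal wrap and an echoed router prompt.
SAMPLE = """\
*Mar 1 00:28:47.219: ISAKMP (0:28): Old State = IKE_READY New State = IKE_I_MM
1
*Mar 1 00:28:47.219: ISAKMP (0:28): beginning Main Mode exchange
*Mar 1 00:28:47.255: ISAKMP (0:28): received packet from 200.32.81.125 dport 50
0 sport 500 Global (I) MM_NO_STATE
*Mar 1 00:28:47.255: ISAKMP (0:28): Notify has no hash. Rejected.
*Mar 1 00:28:47.259: ISAKMP (0:28): Old State = IKE_I_MM1 New State = IKE_I_MM
1
VPN_ACH#
*Mar 1 00:29:34.951: ISAKMP (0:29): Old State = IKE_READY New State = IKE_R_MM
1
"""

REC = re.compile(r"ISAKMP \(0:(\d+)\): (.*)")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PROMPT = re.compile(r"^[\w-]+#")

def unwrap(text):
    """Rejoin wrapped lines: a record starts with '*', the rest continues it."""
    records = []
    for line in text.splitlines():
        if line.startswith("*"):
            records.append(line)
        elif PROMPT.match(line) or not records:
            continue  # router prompt echoed into the capture
        else:
            records[-1] += line  # the wrap cut mid-token, so join with no space
    return records

def summarize(text):
    """Map SA id -> state history and count of notifies rejected for no hash."""
    sas = {}
    for rec in unwrap(text):
        m = REC.search(rec)
        if not m:
            continue
        sa = sas.setdefault(int(m.group(1)), {"states": [], "rejected_notifies": 0})
        s = STATE.search(m.group(2))
        if s:
            sa["states"] += [s.group(2)] if sa["states"] else [s.group(1), s.group(2)]
        elif "Notify has no hash" in m.group(2):
            sa["rejected_notifies"] += 1
    return sas

def stalled(sas):
    """SA ids that rejected a notify and whose last state is still MM1."""
    return sorted(i for i, sa in sas.items()
                  if sa["rejected_notifies"] and sa["states"][-1:] and sa["states"][-1].endswith("MM1"))
```
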
09-01-2003 06:55 AM
Hi Adriy!
At the beginning of the debugs there is a message that says that pre-share key matches. Does that mean that they authenticate?
You can see that line at the beginning of the debugs.
Thanks,
Mario
10-23-2003 01:57 PM
Did you find a solution to this problem? I am currently running a Cisco 1710 and trying to set up a VPN with a Nortel Contivity as well and seeing similar issues. Any help would be great!