Connectivity problems between Cisco 1721 and Nortel Contivity

msocarras
Level 1

Hi!

I've got an implementation with a Cisco 1721 and a Contivity. We are trying to establish the VPN but there are some error messages. The parameters on both sides are defined exactly the same way. The error messages are the following:

*Mar 1 00:28:47.215: ISAKMP (0:28): found peer pre-shared key matching 200.32.81.125

VPN_ACH#

*Mar 1 00:28:47.219: ISAKMP (0:28): constructed NAT-T vendor-03 ID

*Mar 1 00:28:47.219: ISAKMP (0:28): constructed NAT-T vendor-02 ID

*Mar 1 00:28:47.219: ISAKMP (0:28): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar 1 00:28:47.219: ISAKMP (0:28): Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 00:28:47.219: ISAKMP (0:28): beginning Main Mode exchange

*Mar 1 00:28:47.219: ISAKMP (0:28): sending packet to 200.32.81.125 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 1 00:28:47.255: ISAKMP (0:28): received packet from 200.32.81.125 dport 500 sport 500 Global (I) MM_NO_STATE

*Mar 1 00:28:47.255: ISAKMP (0:28): Notify has no hash. Rejected.

*Mar 1 00:28:47.259: ISAKMP (0:28): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Mar 1 00:28:47.259: ISAKMP (0:28): Old State = IKE_I_MM1 New State = IKE_I_MM1

VPN_ACH#

*Mar 1 00:29:00.119: ISAKMP (0:26): received packet from 200.32.81.125 dport 500 sport 500 Global (R) MM_NO_STATE

VPN_ACH#

*Mar 1 00:29:07.075: ISAKMP (0:25): purging node 1859208889

*Mar 1 00:29:07.075: ISAKMP (0:25): purging node 580752626

VPN_ACH#

*Mar 1 00:29:17.075: ISAKMP (0:25): purging SA., sa=81D473A0, delme=81D473A0

*Mar 1 00:29:17.079: ISAKMP (0:26): purging SA., sa=81273EB4, delme=81273EB4

*Mar 1 00:29:17.211: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 200.74.133.147, remote= 200.32.81.125,

local_proxy= 172.16.1.0/255.255.255.0/1/0 (type=4),

remote_proxy= 172.16.20.0/255.255.255.0/1/0 (type=4)

*Mar 1 00:29:17.211: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 200.74.133.147, remote= 200.32.81.125,

local_proxy= 172.16.1.0/255.255.255.0/1/0 (type=4),

remote_proxy= 172.16.20.0/255.255.255.0/1/0 (type=4),

VPN_ACH#

protocol= ESP, transform= esp-des ,

lifedur= 3600s and 4608000kb,

spi= 0x4228E38(69373496), conn_id= 0, keysize= 0, flags= 0x400A

*Mar 1 00:29:17.211: ISAKMP: received ke message (1/1)

*Mar 1 00:29:17.215: ISAKMP: set new node 0 to QM_IDLE

*Mar 1 00:29:17.215: ISAKMP (0:28): SA is still budding. Attached new ipsec request to it. (local 200.74.133.147, remote 200.32.81.125)

VPN_ACH#

*Mar 1 00:29:31.327: ISAKMP (0:27): purging node -244189571

*Mar 1 00:29:31.327: ISAKMP (0:27): purging node -1924907150

VPN_ACH#sjpow

*Mar 1 00:29:34.947: ISAKMP (0:0): received packet from 200.32.81.125 dport 500 sport 500 Global (N) NEW SA

*Mar 1 00:29:34.947: ISAKMP: local port 500, remote port 500

*Mar 1 00:29:34.947: ISAKMP: insert sa successfully sa = 81D473A0

*Mar 1 00:29:34.951: ISAKMP (0:29): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:29:34.951: ISAKMP (0:29): Old State = IKE_READY New State = IKE_R_MM1

The configuration on the 1721 is the following:

crypto isakmp policy 110

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key xxxx

crypto isakmp keepalive 90 10

!

!

crypto ipsec transform-set mine esp-des esp-md5-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 200.32.81.125

set transform-set mine

match address 102

!

interface Ethernet0

ip address x.x.x.147 255.255.255.248

half-duplex

crypto map mymap

!

access-list 102 permit icmp 172.16.1.0 0.0.0.255 172.16.20.0 0.0.0.255

access-list 102 permit tcp 172.16.1.0 0.0.0.255 172.16.20.0 0.0.0.255

What suggestions do you have? What can I check on the Contivity side?

Thanks,

Mario

3 Replies

a.lysyuk
Level 1

Hello.

According to your debugs, the peer with IP 200.32.71.125 did not encapsulate a proper hash field into the second packet of the IKE Main Mode exchange. So the 1721 simply discards that packet, as it can't authenticate the preshared key of the peer.

Check preshared key settings on another peer.
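A triage script for ISAKMP debug output like the one posted above, added here as an illustration and not written by anyone in this thread: it groups lines by SA id, records the state path of each SA, and flags SAs where a message was rejected and a state transition left the SA in the same state. The function names are hypothetical, and the sample lines are copied from the debug above with the terminal line wraps joined.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the posted debug, terminal wraps joined.
SAMPLE = """\
*Mar 1 00:28:47.219: ISAKMP (0:28): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:28:47.219: ISAKMP (0:28): beginning Main Mode exchange
*Mar 1 00:28:47.255: ISAKMP (0:28): received packet from 200.32.81.125 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 00:28:47.255: ISAKMP (0:28): Notify has no hash. Rejected.
*Mar 1 00:28:47.259: ISAKMP (0:28): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 00:28:47.259: ISAKMP (0:28): Old State = IKE_I_MM1 New State = IKE_I_MM1
*Mar 1 00:29:34.951: ISAKMP (0:29): Old State = IKE_READY New State = IKE_R_MM1
"""

LINE = re.compile(r"ISAKMP \((\d+:\d+)\): (.*)$")            # SA id, message
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")  # transition


def triage(text):
    """Return {sa_id: {"states": [...], "rejected": int, "stalled": bool}}."""
    sas = defaultdict(lambda: {"states": [], "rejected": 0, "stalled": False})
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # prompt echoes, IPSEC(...) lines, continuation lines
        sa, msg = m.groups()
        entry = sas[sa]
        st = STATE.search(msg)
        if st:
            old, new = st.groups()
            if not entry["states"]:
                entry["states"].append(old)
            if new == old:
                entry["stalled"] = True   # event handled, exchange not advanced
            else:
                entry["states"].append(new)
        elif "Rejected" in msg:
            entry["rejected"] += 1
    return dict(sas)


def suspects(text):
    """SA ids that rejected a message and then stayed in the same state."""
    return sorted(sa for sa, e in triage(text).items()
                  if e["rejected"] and e["stalled"])


if __name__ == "__main__":
    for sa, e in triage(SAMPLE).items():
        print(sa, " -> ".join(e["states"]), "rejected:", e["rejected"], "stalled:", e["stalled"])
    print("check first:", suspects(SAMPLE))
```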

Hi Adriy!

At the beginning of the debugs there is a message that says that pre-share key matches. Does that mean that they authenticate?

You can see that line at the beginning of the debugs.

Thanks,

Mario

Did you find a solution to this problem? I am currently running a Cisco 1710 and trying to set up a VPN with a Nortel Contivity as well and seeing similar issues. Any help would be great!