ISAKMP: reserved not zero on payload 5!

markfen · ‎04-14-2003

I'm trying to establish a VPN with a PIX 515E using a Solaris 9

client.

The Solaris client is the initiator, The phase 1 IKE

exchange fails , the PIX does not like something

in the 5th packet in main mode. I got this from

the PIX debug log:

ISAKMP: reserved not zero on payload 5!

What does this mean ?

This is using native Solaris IPsec, preshared keys.

Cisco software version 6.1

afakhan · ‎04-14-2003

Hi,

It means you need to re-enter preshared keys on the two sides.

Thx

Afaq

markfen · ‎04-15-2003

Hello Afaq,

This helped - actually the problem was Solaris uses preshared

keys in hex, Cisco uses ASCII :-)

I still get this message, but the negotiation gets further this time

despite the above error. The failure point is now in phase 2:

IPSEC(validate_transform_proposal): invalid local address x.x.x.x

Where x.x.x.x is the IP address of the PIX

I saw an article on your website which mentioned this - I need

to use:

crypto map map-name local-address interface-id

The documentation does not cover this command ( unless

I overlooked it )

Thanks again.

gfullage · ‎04-16-2003

This is usually a fairly generic error when it comes to the PIX. The "local-address" command you're referring to is an IOS router command, not a PIX command, so that's why you're not seeing it.

Check your transforms, ACL's, etc on both sides, make sure they match properly.