New Member

LAN-to-LAN Dynamic VPN between PIX515E and BeWAN 6004

I'm trying to establish a VPN tunnel in dynamic mode between a PIX515E rel 6.3(1) and a BeWAN 6004. I need dynamic mode because the BeWAN is connected to a provider that assigns its IP address when it comes online via the ADSL line.

The ISAKMP negotiation gets stuck in this state: MM_KEY_EXCH

I've seen the message: ISAKMP: reserved not zero on payload 5!

This usually indicates a problem with the key, but I've re-created a new key on both sides and rebooted the boxes.

I have tried a static configuration by looking up the IP address assigned to the BeWAN, and in this case it works!

Here is a sample debug output taken from the PIX in dynamic mode:

crypto_isakmp_process_block:src:62.62.228.16, dest:195.146.210.26 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:62.62.228.16, dest:195.146.210.26 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:62.62.228.16, dest:195.146.210.26 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block:src:62.62.228.16, dest:195.146.210.26 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!

PIX-CHWIS(config)# sh crypto isa sa
Total : 1
Embryonic : 1
dst              src              state        pending  created
195.146.210.26   62.62.228.16     MM_KEY_EXCH  0        0

Does anybody have an idea? Will it work in dynamic mode?
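The sequence in the debug above (SA accepted, KE and NONCE processed, then "reserved not zero on payload 5" and a state stuck in MM_KEY_EXCH) follows directly from how IKEv1 main mode derives its keys from the pre-shared key. The simulation below is an added illustration for this thread, not code from the poster, from Cisco or from BeWAN. It implements the RFC 2409 section 5.4 key derivation and the first encrypted message (MM5, carrying the Identification payload, ISAKMP payload type 5) for two peers, once with equal PSKs and once with different ones. Assumptions: HMAC-MD5 as the prf (matching `isakmp policy 20 hash md5`), Oakley group 2, a constructed SA payload stand-in, a hypothetical peer FQDN `bewan.example.net`, and an HMAC-based keystream in place of 3DES-CBC because the Python standard library has no 3DES.

```python
"""IKEv1 main mode with pre-shared-key authentication (RFC 2409 section 5.4),
simulated end to end. Added illustration for this thread; not code from the
poster, from Cisco or from BeWAN. It shows why a PSK that differs on the two
sides is first noticed when the responder decrypts MM5 (the ID payload,
ISAKMP payload type 5) with a SKEYID_e that does not match the initiator's."""
import hashlib
import hmac
import secrets
import struct

# Oakley group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
ID_FQDN = 2          # RFC 2407 section 4.6.2.1
PAYLOAD_ID = 5       # RFC 2408 section 3.1: Identification payload
PAYLOAD_HASH = 8


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5, matching 'isakmp policy 20 hash md5' in the posted config."""
    return hmac.new(key, data, hashlib.md5).digest()


def xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for ISAKMP 3DES-CBC (assumption: the stdlib has no 3DES).
    A keystream is derived from key and IV with the prf in counter mode;
    as with 3DES-CBC, decrypting under the wrong key yields random-looking bytes."""
    stream = b"".join(prf(key, iv + struct.pack(">I", n))
                      for n in range(len(data) // 16 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def id_payload(fqdn: bytes) -> bytes:
    """Generic payload header (next payload, RESERVED=0, length) + ID body."""
    body = struct.pack(">BBH", ID_FQDN, 0, 0) + fqdn   # id type, protocol, port, data
    return struct.pack(">BBH", PAYLOAD_HASH, 0, 4 + len(body)) + body


class Peer:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 2            # private DH exponent
        self.cookie = secrets.token_bytes(8)              # ISAKMP cookie
        self.nonce = secrets.token_bytes(16)

    def pub(self) -> bytes:
        return pow(G, self.x, P).to_bytes(128, "big")

    def keys(self, peer_pub: bytes, cky_i, cky_r, ni, nr):
        """SKEYID and SKEYID_e as in RFC 2409 section 5: the PSK enters only
        through SKEYID, so a wrong PSK silently changes every derived key."""
        gxy = pow(int.from_bytes(peer_pub, "big"), self.x, P).to_bytes(128, "big")
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return skeyid, skeyid_e


def main_mode(psk_initiator: bytes, psk_responder: bytes,
              fqdn: bytes = b"bewan.example.net"):
    """Run MM1-MM5 and return (responder state, diagnostic)."""
    i, r = Peer(psk_initiator), Peer(psk_responder)
    sa_i = b"\x03\x00\x00\x24" + b"3DES-MD5-PSK-G2"     # constructed SAi_b stand-in
    # MM1-MM4: SA, KE and NONCE travel in the clear. Nothing here depends on the
    # PSK, which is why the PIX logs 'atts are acceptable' and processes the KE
    # and NONCE payloads without error even when the keys differ.
    gxi, gxr = i.pub(), r.pub()
    # MM5: the initiator encrypts ID_I and HASH_I under its own SKEYID_e.
    skeyid_i, ske_i = i.keys(gxr, i.cookie, r.cookie, i.nonce, r.nonce)
    idi = id_payload(fqdn)
    hash_i = prf(skeyid_i, gxi + gxr + i.cookie + r.cookie + sa_i + idi[4:])
    iv = hashlib.md5(gxi + gxr).digest()                 # RFC 2409 appendix B
    mm5 = (PAYLOAD_ID, xor_stream(ske_i, iv, idi + hash_i))  # (header next payload, ciphertext)
    # Responder: derive its own keys, decrypt, and sanity-check the first payload.
    skeyid_r, ske_r = r.keys(gxi, i.cookie, r.cookie, i.nonce, r.nonce)
    first_payload, plain = mm5[0], xor_stream(ske_r, iv, mm5[1])
    _next, reserved, length = struct.unpack(">BBH", plain[:4])
    if reserved != 0:
        # RFC 2408 3.2: RESERVED must be zero. Garbage here is the earliest visible
        # symptom of a key mismatch; the PIX prints this and stays in MM_KEY_EXCH.
        return "MM_KEY_EXCH", f"ISAKMP: reserved not zero on payload {first_payload}!"
    idi_b, hash_rcvd = plain[4:length], plain[length:length + 16]
    expected = prf(skeyid_r, gxi + gxr + i.cookie + r.cookie + sa_i + idi_b)
    if not hmac.compare_digest(expected, hash_rcvd):
        # Reached only in the ~1/256 of mismatches where the reserved byte is 0 by chance.
        return "MM_KEY_EXCH", "ISAKMP: HASH_I verification failed (PSK mismatch)"
    return "QM_IDLE", f"phase 1 complete, peer ID_FQDN={idi_b[4:].decode()}"


if __name__ == "__main__":
    print(main_mode(b"sharedsecret", b"sharedsecret"))
    print(main_mode(b"sharedsecret", b"typo-secret"))
```

Two points worth noting from the run: the responder cannot tell a wrong key from a corrupted packet at this stage, because the PSK is never sent and only shows up as a wrong SKEYID_e; and because the key is selected before the peer's identity is decrypted, a dynamic-address peer in main mode can only be matched by the wildcard address key, which is why the reply below points at the `0.0.0.0` entry.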

2 REPLIES
Cisco Employee

Re: LAN-to-LAN Dynamic VPN between PIX515E and BeWAN 6004

Should work in dynamic mode. You're correct in stating that the "reserved not zero on payload" usually means the ISAKMP key is wrong, or at least they differ on both sides. For dynamic mode you'll have a line in your config something like:

> isakmp key address 0.0.0.0

so make sure this is the key that you're changing. Other than that, can you post the config (xxxx out your passwords and IP addresses), maybe there's something in there. Can you get any debugs from the other side?

New Member

Re: LAN-to-LAN Dynamic VPN between PIX515E and BeWAN 6004

I've changed the right key.

I don't have debugs from the other side, but here's the config:

PIX-CHWIS# sh run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxxxxxx encrypted
passwd xxxxxxx encrypted
hostname PIX-CHWIS
domain-name chwis.ch
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list compiled
access-list inside_access_in permit tcp host 192.42.172.117 host 195.146.194.238 eq smtp
access-list inside_access_in permit tcp host 192.42.172.118 host 195.146.194.238 eq smtp
access-list inside_access_in permit tcp host 192.42.172.117 host 195.146.194.38 eq pop3
access-list inside_access_in permit tcp host 192.42.172.118 host 195.146.194.38 eq pop3
access-list inside_access_in deny udp any any eq 7070
access-list inside_access_in deny tcp any any eq 554
access-list inside_access_in deny tcp any any eq 1755
access-list inside_access_in deny udp any any eq 1755
access-list inside_access_in permit ip host 192.42.172.20 10.25.0.0 255.255.0.0
access-list inside_access_in deny ip host 192.42.172.20 any
access-list inside_access_in deny ip host 192.42.172.51 any
access-list inside_access_in permit ip host 192.42.172.60 10.25.0.0 255.255.0.0
access-list inside_access_in deny ip host 192.42.172.60 any
access-list inside_access_in deny ip host 192.42.172.70 any
access-list inside_access_in permit ip host 192.42.172.90 10.25.0.0 255.255.0.0
access-list inside_access_in deny ip host 192.42.172.90 any
access-list inside_access_in deny ip host 192.42.172.100 any
access-list inside_access_in deny ip host 192.42.172.117 any
access-list inside_access_in deny ip host 192.42.172.118 any
access-list inside_access_in permit ip host 192.42.172.120 10.25.0.0 255.255.0.0
access-list inside_access_in deny ip host 192.42.172.120 any
access-list inside_access_in permit ip 192.42.172.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.42.172.0 255.255.255.0 10.25.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.42.172.0 255.255.255.0 10.25.0.0 255.255.0.0
access-list outside_access_in deny ip any any
pager lines 24
logging on
logging console warnings
logging buffered warnings
logging trap notifications
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside w.x.y.z 255.255.255.252
ip address inside 192.42.172.245 255.255.255.0
no ip address intf2
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.42.172.127 255.255.255.255 inside
pdm location 192.42.172.240 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.42.172.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.z.w.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
ntp server 134.214.100.6 source outside
http server enable
http 192.42.172.240 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community chwis
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map RETRAITE 1 set transform-set ESP-3DES-MD5
crypto map dynmap 20 ipsec-isakmp dynamic RETRAITE
crypto map dynmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet 192.42.172.240 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 30
username yyyyyyyyyy password xxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:220a5e4e8ca2dde6ce83062a0b0cfc25
: end
PIX-CHWIS#
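With the config posted, the debug from the first post can be checked mechanically: the `isakmp policy 20` lines say what the PIX will accept, the `Checking ISAKMP transform N` blocks say what the BeWAN proposed, and the last message says where the exchange stopped. The script below is an added example for this thread, not Cisco tooling; it embeds a subset of the debug and config lines shown above so that it runs offline, parses both, reports which proposed transforms match the policy and why the others were rejected, and maps the "reserved not zero on payload" line to the key entry that applies to a dynamic-address peer. It compares authentication, encryption, hash and group only; the lifetime is left out because IKEv1 peers may negotiate differing lifetimes and the debug prints it only for information.

```python
"""Cross-check PIX 6.x 'debug crypto isakmp' output against the 'isakmp policy'
lines of the running config: which proposed phase-1 transforms match, and where
the exchange stopped. Added example for this thread, not Cisco tooling. The
sample lines below are a subset of the debug and config posted in the thread."""
import re

DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 0 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP: reserved not zero on payload 5!
"""

CONFIG = """\
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
"""

# Attributes compared when matching a transform to a policy (lifetime excluded:
# it is negotiated rather than required to be equal).
COMPARED = ("authentication", "encryption", "hash", "group")

# debug attribute name -> (config keyword, normaliser to the config's spelling)
ATTR = {
    "encryption": ("encryption", lambda v: v.replace("-CBC", "").lower()),
    "hash": ("hash", str.lower),
    "auth": ("authentication", str.lower),
    "default group": ("group", str),
}


def parse_policies(config: str) -> dict:
    """{priority: {keyword: value}} from 'isakmp policy <n> <keyword> <value>'."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\w+) (\S+)", config, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies


def parse_transforms(debug: str) -> list:
    """One dict per 'Checking ISAKMP transform' block, with normalised attributes."""
    transforms, cur = [], None
    for line in debug.splitlines():
        m = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            cur = {"id": int(m.group(1)), "policy": int(m.group(2)), "attrs": {}}
            transforms.append(cur)
            continue
        m = re.match(r"ISAKMP: (encryption|hash|auth|default group) (\S+)", line)
        if m and cur is not None:
            key, norm = ATTR[m.group(1)]
            cur["attrs"][key] = norm(m.group(2))
    return transforms


def mismatches(transform: dict, policy: dict) -> dict:
    """Attributes where the proposal differs from the configured policy."""
    return {k: (transform["attrs"].get(k), policy.get(k))
            for k in COMPARED if transform["attrs"].get(k) != policy.get(k)}


def diagnose(debug: str = DEBUG, config: str = CONFIG) -> dict:
    policies = parse_policies(config)
    report = {"accepted": [], "rejected": {}, "peer_id_type": None, "stall": None}
    for t in parse_transforms(debug):
        diff = mismatches(t, policies.get(t["policy"], {}))
        if diff:
            report["rejected"][t["id"]] = diff
        else:
            report["accepted"].append(t["id"])
    m = re.search(r"using id type (\w+)", debug)
    if m:
        report["peer_id_type"] = m.group(1)
    if "reserved not zero on payload" in debug:
        # The first encrypted main-mode message did not decrypt to a well-formed
        # payload. With pre-shared keys that almost always means the keys differ;
        # for a peer with a dynamic address the key consulted is the wildcard entry.
        wildcard = re.search(r"^isakmp key \S+ address 0\.0\.0\.0", config, re.M) is not None
        report["stall"] = ("MM_KEY_EXCH: pre-shared keys most likely differ; "
                           + ("check the wildcard 0.0.0.0 key entry" if wildcard
                              else "no wildcard key entry found for a dynamic peer"))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(), indent=2))
```

On the sample, transform 0 is rejected for encryption (`des` vs `3des`) and group (`1` vs `2`), transform 3 is accepted, the peer identifies itself as ID_FQDN, and the stall is attributed to the key behind the `address 0.0.0.0` entry, which is the same conclusion the reply above reaches by hand.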
