
Nortel to IOS VPN

aacole
Level 5

I'm trying to set up an IOS router VPN to a Nortel Contivity box.

My crypto settings are:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address x.x.x.x
!
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TRANS
 match address CRYPTO-ACL

The Contivity is set for ESP 3DES with MD5 integrity, and the IKE settings are 3DES with group 2. I don't have Nortel experience or access.

The debugs indicate that MM exchange starts, the pre-shared key is found but then a message indicates 'Notify has no hash. Rejected'

I also see %CRYPTO-6-IKMP_MODE_FAILURE: pasting this into the error message decoder points me to a document that discusses X509 certificates, no use at all as far as I can see.

Is there anything else that needs setting up on the Nortel box?

3 Replies

spremkumar
Level 9

Hi

Under your IKE policy, can you configure hash md5 and check?

crypto isakmp policy 10
 hash md5

Regards

Thanks,

tried that, no difference. From the debug I see that the negotiation reaches QM_IDLE, then receives a P1 delete message from the remote end.

Can you try with Group 1 instead of Group 2? I remember having seen this error when there was a DH group mismatch. Another thing, can you change on the peer at the remote end? If not, you could force the peer at your end.

HTH
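
The replies above both come down to comparing IKE Phase 1 attributes on the two ends, including ones the posted policy never sets. The following is an added example, not code from any poster in this thread: it fills in the values IOS uses for attributes omitted from an ISAKMP policy and compares the result with what is known about the peer. The defaults table (classic IOS behaviour, to be confirmed with "show crypto isakmp policy"), the function names and the PEER dictionary are assumptions; PEER holds only the two values stated in the question.

```python
import re

# Assumed classic IOS defaults for attributes omitted from an ISAKMP policy.
IOS_DEFAULTS = {"encr": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1"}

def parse_isakmp_policies(config):
    """Return {priority: effective attributes}, with defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue  # separators carry no settings
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
            continue
        words = line.split()
        key = "encr" if words[0] == "encryption" else words[0]
        if current is not None and key in IOS_DEFAULTS and len(words) > 1:
            current[key] = " ".join(words[1:])
        else:
            current = None  # any other command leaves policy sub-mode
    return policies

def compare(policy, peer):
    """Classify each attribute as match, MISMATCH or unverified."""
    report = {}
    for attr, local in policy.items():
        remote = peer.get(attr)
        if remote is None:
            report[attr] = f"unverified (local {local}, peer value not known)"
        elif remote == local:
            report[attr] = "match"
        else:
            report[attr] = f"MISMATCH (local {local}, peer {remote})"
    return report

# The policy as posted in the question (peer address already masked there).
POSTED = """crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address x.x.x.x
"""
# Only what the question states about the Contivity's IKE settings.
PEER = {"encr": "3des", "group": "2"}

if __name__ == "__main__":
    for attr, verdict in compare(parse_isakmp_policies(POSTED)[10], PEER).items():
        print(f"{attr:15} {verdict}")
```

For the posted policy the effective hash is reported as sha because no hash line is present, and it stays "unverified" until the Contivity's IKE hash setting is confirmed by whoever administers that box.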