12-23-2005 02:46 AM - edited 02-21-2020 02:10 PM
I'm trying to set up an IOS router VPN to a Nortel Contivity box.
My crypto settings are:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address x.x.x.x
!
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TRANS
 match address CRYPTO-ACL
The Contivity is set for ESP 3DES with MD5 integrity, and the IKE settings are 3des with group 2. I don't have Nortel experience or access.
The debugs indicate that MM exchange starts, the pre-shared key is found but then a message indicates `Notify has no hash. Rejected'.
I also see %CRYPTO-6-IKMP_MODE_FAILURE: pasting this into the error message decoder points me to a document that discusses X509 certificates, no use at all as far as I can see.
Is there anything else that needs setting up on the Nortel box?
12-23-2005 03:11 AM
Hi
Under your IKE policy, can you configure hash md5 and check?
crypto isakmp policy 10
 hash md5
regds
12-23-2005 04:28 AM
Thanks,
tried that, no difference. From the debug I see that the negotiation reaches QM_IDLE, then receives a P1 delete message from the remote end.
12-23-2005 06:05 AM
Can you try with Group 1 instead of Group 2? I remember having seen this error when there was a DH group mismatch. Another thing: can you change anything on the peer at the remote end? If not, you could force the peer at your end.
HTH
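
An added example (not part of any post in this thread, and not Cisco's code): a small Python check that fills in the values IOS applies when an ISAKMP policy line is omitted and compares the result with what is known of the peer's IKE proposal. The defaults table assumes classic IOS 12.x behaviour, and the peer hash value md5 is an assumption taken from the first reply; the thread never confirms it.

```python
import re

# Values IOS applies when a policy line is omitted (assumption: classic
# 12.x-era defaults, matching the date of this thread).
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
ALIASES = {"encryption": "encr"}  # long form of the same keyword

def effective_policies(config):
    """Return {priority: settings} with omitted lines filled from defaults."""
    policies, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        m = re.fullmatch(r"crypto isakmp policy (\d+)", " ".join(words))
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
            continue
        key = ALIASES.get(words[0], words[0])
        if current is not None and key in IOS_DEFAULTS and len(words) > 1:
            current[key] = " ".join(words[1:])
        else:
            current = None  # any other command leaves the policy sub-mode
    return policies

def mismatches(policy, peer):
    """Compare only the attributes for which the peer's value is known."""
    return {k: (policy[k], v) for k, v in peer.items() if policy[k] != v}

# Constructed sample: the ISAKMP part of the configuration posted above.
THREAD_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address x.x.x.x
"""
# 3des and group 2 are the peer settings stated in the thread; md5 is an
# assumption taken from the first reply and is not confirmed anywhere.
PEER = {"encr": "3des", "hash": "md5", "group": "2"}

if __name__ == "__main__":
    for prio, pol in effective_policies(THREAD_CONFIG).items():
        print(prio, pol, "mismatch:", mismatches(pol, PEER))
```

On the router itself, `show crypto isakmp policy` lists the same effective values, including the ones the running configuration does not display.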