Pix 6.3(3)

grahame-holmes
Level 1

I have an issue trying to set up a VPN between a Vigor 2600 Annex A router with firmware v2.3.6_UK and a Cisco PIX running 6.3(3).

The encryption on the Vigor is set to

IPSEC dial-out only with preshared keys and 3DES with authentication

The PIX transform set is set up to match the Vigor config.

When I try to connect from the Vigor to the PIX the key exchange appears to be successful as the PIX reports a “QM_IDLE” state.

However data will not pass over the link.

In PDM under the Monitor -> VPN Statistics -> IPSec VPNs, the Error Pkts count increases and the reported error is that “Packets are arriving without an SA”

A debug of the PIX when a data transfer attempt occurs is shown below (IP addresses have been changed) :-

ISADB: reaper checking SA 0x120172c, conn_id = 0
crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 40 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 0
    length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Peer ip:vigor_2600_public_ip/500 Ref cnt incremented to:2 Total VPN Peers:1
crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload

I have checked on the Cisco website for an explanation of the “ISAKMP: reserved not zero on payload 5!” error message and it says that the ISAKMP keys need to be re-keyed or reset. I have since set both ends to “abcd” and the same error still occurs.

After extensive testing with other Vigor 2600 routers, I have now downgraded the PIX to 6.2(3) and the VPN has come up straight away.

So it would seem that there is an interoperability issue between the Vigor 2600 router and PIX 6.3(3) software.
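As an added example (not from the post, the Vigor or Cisco), here is a small Python parser for the "debug crypto isakmp" lines quoted above. It records each proposal the PIX checked against each of its policies and which one was finally accepted, so it shows at a glance that phase 1 in the capture above completed on the priority 40 DES-CBC/MD5/group 1 policy rather than the 3DES proposals, and it counts the "malformed payload" lines that follow. SAMPLE_DEBUG is a constructed excerpt in the same format.

```python
import re

# Constructed excerpt in the shape of the PIX "debug crypto isakmp" output the
# post quotes (lifetime lines omitted; the real capture is longer).
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 0 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 40 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|auth|default group) (.+)$")
RESULT_RE = re.compile(r"atts are (not )?acceptable")

def parse_isakmp_debug(text):
    """Return (transforms, malformed_count): one dict per proposal/policy check."""
    transforms, current, malformed = [], None, 0
    for line in text.splitlines():
        if m := CHECK_RE.search(line):          # start of one proposal check
            current = {"transform": int(m[1]), "policy": int(m[2])}
        elif (m := ATTR_RE.match(line)) and current is not None:
            current[m[1]] = m[2]                 # attribute the peer proposed
        elif (m := RESULT_RE.search(line)) and current is not None:
            current["accepted"] = m[1] is None   # "atts are acceptable" -> True
            transforms.append(current)
            current = None
        elif "malformed payload" in line:        # the error seen after phase 1
            malformed += 1
    return transforms, malformed

def accepted_phase1(transforms):
    return next((t for t in transforms if t["accepted"]), None)
```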


nikhil_m
Level 1

But did you try rekeying? I mean, just remove the key, add some other key and try.
