PIX515 IPSEC VPN tunnel

Trying to build a VPN tunnel from an 827 DSL router to a PIX515. I have built over 80 of these to the same PIX and had no problems. Now every one I build is giving me the message below in my debugging of ipsec and isakmp. If anyone knows what this means and possibly a fix, please let me know. The problem seems to start at the line that says "01:44:00: ISAKMP (0:32): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3"

01:43:58: IPSEC(sa_request): ,

(key eng. msg.) src= 67.112.8.42, dest= 65.210.17.66,

src_proxy= 10.5.113.0/255.255.255.0/0/0 (type=4),

dest_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0x139AA2D9(328901337), conn_id= 0, keysize= 0, flags= 0x4004

01:43:58: ISAKMP: received ke message (1/1)

01:43:58: ISAKMP: local port 500, remote port 500

01:43:58: ISAKMP (0:32): beginning Main Mode exchange

01:43:58: ISAKMP (0:32): sending packet to 65.210.17.66 (I) MM_NO_STATE

01:43:58: ISAKMP (0:32): received packet from 65.210.17.66 (I) MM_NO_STATE

01:43:58: ISAKMP (0:32): processing SA payload. message ID = 0

01:43:58: ISAKMP (0:32): found peer pre-shared key matching 65.210.17.66

01:43:58: ISAKMP (0:32): Checking ISAKMP transform 1 against priority 10 policy

01:43:58: ISAKMP: encryption DES-CBC

01:43:58: ISAKMP: hash MD5

01:43:58: ISAKMP: default group 1

01:43:58: ISAKMP: auth pre-share

01:43:58: ISAKMP: life type in seconds

01:43:58: ISAKMP: life duration (basic) of 3600

01:43:58: ISAKMP (0:32): atts are acceptable. Next payload is 0

01:43:59: ISAKMP (0:32): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR13.1

01:43:59: ISAKMP (0:32): sending packet to 65.210.17.66 (I) MM_SA_SETUP

01:43:59: ISAKMP (0:32): received packet from 65.210.17.66 (I) MM_SA_SETUP

01:43:59: ISAKMP (0:32): processing KE payload. message ID = 0

01:43:59: ISAKMP (0:32): processing NONCE payload. message ID = 0

01:43:59: ISAKMP (0:32): found peer pre-shared key matching 65.210.17.66

01:43:59: ISAKMP (0:32): SKEYID state generated

01:43:59: ISAKMP (0:32): processing vendor id payload

01:43:59: ISAKMP (0:32): processing vendor id payload

01:43:59: ISAKMP (0:32): processing vendor id payload

01:43:59: ISAKMP (0:32): speaking to another IOS box!

01:43:59: ISAKMP (32): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

01:43:59: ISAKMP (32): Total payload length: 12

01:43:59: ISAKMP (0:32): sending packet to 65.210.17.66 (I) MM_KEY_EXCH

01:43:59: ISAKMP (0:32): received packet from 65.210.17.66 (I) MM_KEY_EXCH

01:43:59: ISAKMP (0:32): processing ID payload. message ID = 0

01:43:59: ISAKMP (0:32): processing HASH payload. message ID = 0

01:43:59: ISAKMP (0:32): SA has been authenticated with 65.210.17.66

01:43:59: ISAKMP (0:32): beginning Quick Mode exchange, M-ID of 1533428816

01:43:59: ISAKMP (0:32): sending packet to 65.210.17.66 (I) QM_IDLE

01:44:00: ISAKMP (0:32): received packet from 65.210.17.66 (I) QM_IDLE

01:44:00: ISAKMP (0:32): processing HASH payload. message ID = -1063731131

01:44:00: ISAKMP (0:32): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 328901337, message ID = -1063731131

01:44:00: ISAKMP (0:32): deleting spi 328901337 message ID = 1533428816

01:44:00: ISAKMP (0:32): deleting node 1533428816 error TRUE reason "delete_larval"

01:44:00: ISAKMP (0:32): deleting node -1063731131 error FALSE reason "informational (in) state 1"

1 REPLY
New Member

Re: PIX515 IPSEC VPN tunnel

What version of PIX code are you running? I would check that against the bug tracker to see if there are any known issues. Other than that, you’ll probably have to talk to TAC to see what’s going on.
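
Added example, not part of the original thread: a Python script that reads IOS `debug crypto isakmp` / `debug crypto ipsec` text like the output posted above and reports, per SA, whether Phase 1 authenticated, which notify arrived, and the Phase 2 proposal this end sent. The function name `triage` and the result keys are assumptions of this example; the protocol numbers are the IPsec DOI values from RFC 2407.

```python
import re

# IPsec DOI security protocol identifiers (RFC 2407, section 4.4.1)
PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP"}

ISAKMP_LINE = re.compile(r"^\d\d:\d\d:\d\d: ISAKMP \((?:\d+:)?(\d+)\): (.*)$")
NOTIFY = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
REQUEST_FIELD = re.compile(r"(src_proxy|dest_proxy|transform)= (.*?)\s*,")

# Excerpt of the debug output posted above, blank lines removed.
SAMPLE = """\
01:43:58: IPSEC(sa_request): ,
(key eng. msg.) src= 67.112.8.42, dest= 65.210.17.66,
src_proxy= 10.5.113.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
01:43:59: ISAKMP (0:32): SA has been authenticated with 65.210.17.66
01:43:59: ISAKMP (0:32): beginning Quick Mode exchange, M-ID of 1533428816
01:44:00: ISAKMP (0:32): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 328901337, message ID = -1063731131
"""

def triage(log):
    """Summarise where each ISAKMP SA in an IOS debug log stopped."""
    proposal, sas = {}, {}
    for line in (l.strip() for l in log.splitlines()):
        for key, value in REQUEST_FIELD.findall(line):
            proposal[key] = value  # what this end asked for in Phase 2
        m = ISAKMP_LINE.match(line)
        if not m:
            continue  # attribute dumps and continuation lines carry no SA id
        sa = sas.setdefault(m.group(1), {"phase1_ok": False, "failed_phase": None,
                                          "notify": None, "protocol": None})
        msg = m.group(2)
        if "SA has been authenticated" in msg:
            sa["phase1_ok"] = True
        n = NOTIFY.search(msg)
        if n and sa["failed_phase"] is None:
            # Heuristic: a notify seen after authentication belongs to
            # Quick Mode (Phase 2); one seen before it belongs to Phase 1.
            sa["failed_phase"] = 2 if sa["phase1_ok"] else 1
            sa["notify"] = n.group(1)
            sa["protocol"] = PROTOCOLS.get(int(n.group(2)), n.group(2))
    return {"proposal": proposal, "sas": sas}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the posted log this reports SA 32 with Phase 1 authenticated and a PROPOSAL_NOT_CHOSEN notify for ESP during Quick Mode, so the values to compare against the peer's configuration are the transform set and proxy networks returned under `proposal`.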
