04-03-2003 05:12 PM - edited 02-21-2020 12:27 PM
While establishing a VPN tunnel between a SonicWALL firewall and a PIX firewall, I get the following messages on the PIX when running the debug option:
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src remote peer (SonicWALL), dest local peer (PIX Firewall)
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 830869750
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src remote peer (SonicWALL), dest local peer (PIX Firewall)
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src remote peer (SonicWALL), dest local peer (PIX Firewall)
I am using IP NAT on both sides of the connection, but the VPN is not established.
I am grateful for any help you can give me on this matter.
Thanks in advance,
R.a.M.
04-03-2003 08:53 PM
Hi,
Your IPsec phase II is failing. Make sure that you don't have PFS turned on on the SonicWall side, or any other IKE phase II parameter mismatching.
Thx
Afaq
04-03-2003 09:45 PM
This (ISAKMP: IPSec policy invalidated proposal) generally means your crypto access-lists aren't the exact opposite of each other. The SonicWALL is trying to bring up a tunnel for a specific traffic pattern, which doesn't match what the PIX is configured for. Make sure the crypto traffic is the exact opposite of each other on either end.
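As an added illustration of this answer (not code from the thread, Cisco or SonicWALL), the Python below classifies a constructed sample of the PIX debug output quoted in the question and checks whether two peers' traffic selectors are mirror images. The sample addresses are placeholders, not the poster's real networks.

```python
import ipaddress

# Constructed sample modelled on the thread's "debug crypto isakmp" output:
# the transform is accepted, then the proxy identities (crypto ACL) are rejected.
PIX_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 830869750
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
"""


def classify_phase2_failure(debug_text):
    """Return a short diagnosis of where IKE phase 2 (quick mode) failed.

    "atts are acceptable" followed by "IPSec policy invalidated proposal" means
    the transform matched but the traffic selectors did not.  NOTIFY 14 is
    NO-PROPOSAL-CHOSEN, protocol 3 is ESP (RFC 2408 values).
    """
    lines = debug_text.splitlines()
    atts_ok = any("atts are acceptable" in ln for ln in lines)
    invalidated = any("IPSec policy invalidated proposal" in ln for ln in lines)
    not_acceptable = any("SA not acceptable" in ln for ln in lines)
    if atts_ok and invalidated:
        return "proxy-id-mismatch"   # crypto ACL / destination networks differ
    if not_acceptable and not atts_ok:
        return "transform-mismatch"  # no proposal matched the transform-set
    return "unknown"


def selectors_are_mirrored(local_src, local_dst, remote_src, remote_dst):
    """True when the remote peer's (src, dst) is exactly the reverse of ours.

    Each argument is a CIDR string such as "10.0.0.5/32" (placeholders).
    """
    l_src = ipaddress.ip_network(local_src, strict=False)
    l_dst = ipaddress.ip_network(local_dst, strict=False)
    r_src = ipaddress.ip_network(remote_src, strict=False)
    r_dst = ipaddress.ip_network(remote_dst, strict=False)
    return l_src == r_dst and l_dst == r_src


if __name__ == "__main__":
    print(classify_phase2_failure(PIX_DEBUG))
    # A /32 host on one side against a /24 subnet on the other is the classic mismatch.
    print(selectors_are_mirrored("10.0.0.5/32", "192.168.1.0/24",
                                 "192.168.1.0/24", "10.0.0.0/24"))
```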
04-04-2003 04:35 AM
OK, here is the configuration on both sides of the VPN:
PIX Firewall
access-list 20 permit tcp host
access-list vpn-name permit ip host
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map NAME 3 ipsec-isakmp
crypto map NAME 3 match address vpn-name
crypto map NAME 3 set peer
crypto map NAME 3 set transform-set strong
crypto map NAME 3 set security-association lifetime seconds 86400
crypto map NAME interface outside
isakmp enable outside
isakmp key ######## address
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
SonicWALL
Security Association: NAME
IPSec Keying Mode: IKE using Preshared Secret
Name: NAME
IPSec Gateway Address:
Phase 1 DH Group: Group 1
SA Life time (secs): 86000
Phase 1 Encryp/Auth.: DES & MD5
Phase 2 Encryp/Auth.: Encrypt for CheckPoint (ESP DES HMAC MD5)
Shared Secret: ###########
Specify destination networks below
Network: Subnet Mask:
x.x.x.x 255.255.255.0
Thanks again!
R.a.M.
04-14-2003 11:40 AM
We were trying to connect a SonicWall to a Cisco VPN3000 concentrator with similar problems. Upgrading to Sonicwall firmware 6.4.0.1 did the trick.
04-21-2003 07:07 AM
After upgrading the SonicWall firmware, did the encryption work as well? What version did the SonicWall appliance have before updating it?
Thanks again,
R.a.M.
04-30-2003 12:47 PM
Previous version was 6.3.1.4. Upgraded to 6.40.01. The Sonicwall is at a different company than mine, so that's all I can tell you.
04-30-2003 01:17 PM
OK, thanks for your help!
R.a.M.