Hi Everyone, I have a lab with (3) 2500 series routers on IOS 12.2. I have set up an IPsec VPN between the far-side routers, but the IPsec SA is not establishing. After debugging ISAKMP to see if they establish phase 1, I get the following error:
03:52:45: ISAKMP: reserved not zero on ID payload!
03:52:45: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.0.100 failed its sanity check or is malformed
Here is the complete debug:
Boston#debug crypto isakmp
03:52:34: ISAKMP (0:0): received packet from 172.16.0.100 (N) NEW SA
03:52:34: ISAKMP: local port 500, remote port 500
03:52:34: ISAKMP (0:2): processing SA payload. message ID = 0
03:52:34: ISAKMP (0:2): found peer pre-shared key matching 172.16.0.100
The second one means that an ISAKMP message failed its length verification. The following is from Cisco's error decoder:
1. %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from [IP_address] failed its sanity check or is malformed
A quick verification check is done on all received ISAKMP messages to ensure that all component payload types are valid and that the sum of their individual lengths equals the total length of the received message. This message indicates a failed verification check. Persistently bad messages could mean a denial-of-service attack or bad decryption.
Recommended Action: Contact the administrator of the remote peer.
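The check the decoder text describes can be reproduced outside the router. The following is an added example, not Cisco's code and not from this thread: it parses the fixed 28-byte ISAKMP header and walks the generic payload headers (RFC 2408), flagging an unknown payload type, a non-zero reserved byte (the first line of the original debug) and a payload-length sum that disagrees with the header length (the second). The sample message is constructed aggressive-mode data with placeholder cookies, key-exchange and nonce bytes, not captured traffic; the tampered copies show what each failure looks like.

```python
"""Sanity-check an ISAKMP (IKEv1) message the way the Cisco decoder text describes:
walk the payload chain, verify every payload type is known, every generic header's
reserved byte is zero, and the payload lengths add up to the length in the ISAKMP
header (RFC 2408 section 3).  Added example, not Cisco's implementation."""
import struct

ISAKMP_HDR_LEN = 28      # cookies(16) + next payload(1) version(1) exchange(1) flags(1) msgid(4) length(4)
GENERIC_HDR_LEN = 4      # next payload(1) reserved(1) payload length(2)
FLAG_ENCRYPTION = 0x01

# Payload types from RFC 2408 / RFC 2409, plus NAT-D / NAT-OA from RFC 3947.
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
    20: "NAT-D", 21: "NAT-OA",
}


def check_isakmp_message(msg: bytes) -> list[str]:
    """Return a list of findings; an empty list means the message passed."""
    findings = []
    if len(msg) < ISAKMP_HDR_LEN:
        return [f"message too short for ISAKMP header ({len(msg)} bytes)"]
    (_icookie, _rcookie, next_payload, version, _exchange, flags,
     _message_id, total_len) = struct.unpack("!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if version >> 4 != 1:
        findings.append(f"unexpected ISAKMP major version {version >> 4}")
    if total_len != len(msg):
        findings.append(f"header length {total_len} != received length {len(msg)}")
    if flags & FLAG_ENCRYPTION:
        # Payload headers sit inside the ciphertext.  Without the session key nothing
        # more can be checked; on a router a wrong key shows up as garbage payloads
        # after decryption, hence "bad decryption" in the decoder text.
        findings.append("encrypted message: payload chain not checked")
        return findings

    offset = ISAKMP_HDR_LEN
    while next_payload != 0:
        if offset + GENERIC_HDR_LEN > len(msg):
            findings.append(f"payload chain runs past end of message at offset {offset}")
            return findings
        np_next, reserved, plen = struct.unpack("!BBH", msg[offset:offset + GENERIC_HDR_LEN])
        name = PAYLOAD_NAMES.get(next_payload)
        if name is None:
            findings.append(f"unknown payload type {next_payload} at offset {offset}")
            return findings
        if reserved != 0:
            findings.append(f"reserved not zero on {name} payload")
        if plen < GENERIC_HDR_LEN or offset + plen > len(msg):
            findings.append(f"bad length {plen} on {name} payload at offset {offset}")
            return findings
        offset += plen
        next_payload = np_next
    if offset != total_len:
        findings.append(f"payload lengths sum to {offset}, header says {total_len}")
    return findings


def build_message(payloads, exchange=2, flags=0, message_id=0) -> bytes:
    """Assemble an ISAKMP message from (type, body) pairs with correct chaining.
    Constructed test data only: fixed placeholder cookies, no real IKE traffic."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, GENERIC_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                      exchange, flags, message_id, ISAKMP_HDR_LEN + len(body))
    return hdr + body


def tamper(msg: bytes, offset: int, value: int) -> bytes:
    """Overwrite one byte, simulating corruption on the wire."""
    return msg[:offset] + bytes([value]) + msg[offset + 1:]


# Constructed aggressive-mode first message (exchange type 4) carrying SA, KE,
# NONCE and ID in the clear; the KE and NONCE contents are filler bytes.
ID_BODY = struct.pack("!BBH", 1, 17, 500) + bytes([172, 16, 0, 100])  # ID_IPV4_ADDR, UDP/500
AM1 = [
    (1, b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01"),  # SA: DOI=IPsec, SIT_IDENTITY_ONLY (proposal omitted)
    (4, b"\x5a" * 96),                               # KE: placeholder DH public value
    (10, b"\xa5" * 16),                              # NONCE: placeholder
    (5, ID_BODY),                                    # ID
]
GOOD = build_message(AM1, exchange=4)
ID_OFFSET = ISAKMP_HDR_LEN + sum(GENERIC_HDR_LEN + len(b) for _, b in AM1[:3])  # generic header of the ID payload


def demo() -> dict[str, list[str]]:
    """Run the check on the clean message and three corrupted copies."""
    return {
        "good": check_isakmp_message(GOOD),
        "reserved": check_isakmp_message(tamper(GOOD, ID_OFFSET + 1, 0x80)),  # reserved byte of ID payload
        "short": check_isakmp_message(GOOD[:-2]),                             # last two bytes lost
        "length": check_isakmp_message(tamper(GOOD, ID_OFFSET + 3, 10)),     # ID payload length 12 -> 10
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case:9s} {findings or ['ok']}")
```

The "reserved" case reproduces the first debug line exactly; the "length" case is the sum-of-lengths check behind %CRYPTO-4-IKMP_BAD_MESSAGE. Because main-mode messages 5 and 6 are encrypted, a wrong pre-shared key on either side produces the same symptom as on-the-wire corruption, which is why the decoder lists "bad decryption" beside denial of service.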
Verify that your crypto settings on both devices match, all the way down to the SA lifetimes. Run a 'sh run' on both devices and check your crypto statements line by line. If they match and are all correct, remove all the lines, clear your SAs, and apply the lines once again. This way you know you started with a clean slate.
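One way to do the line-by-line comparison the reply suggests for the phase 1 policies, as an added example that is not from this thread or from Cisco: parse the crypto isakmp policy blocks out of two 'sh run' captures, fill in the IOS defaults that 'sh run' omits (DES, SHA, rsa-sig, group 1, 86400 s lifetime), and report every policy on one router that no policy on the other matches attribute for attribute. Lifetime is treated like any other attribute, following the advice above. The two configs are constructed samples; transform sets and crypto maps would be compared the same way but are not covered here.

```python
"""Compare the 'crypto isakmp policy' blocks of two 'show run' captures and report
policies on each side that no policy on the other side matches.  Added example,
not a Cisco tool; the two configs below are constructed samples."""
import re

# IOS defaults for attributes a policy leaves unset ('show run' does not print them).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
ATTRS = tuple(DEFAULTS)

HUB_CONFIG = """\
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 authentication pre-share
crypto isakmp key lab-psk address 0.0.0.0 0.0.0.0
!
"""

SPOKE_CONFIG = """\
!
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key lab-psk address 172.16.0.1
!
"""


def parse_isakmp_policies(config: str) -> dict[int, dict[str, str]]:
    """Return {policy number: {attribute: value}} with defaults filled in."""
    policies: dict[int, dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            if not parts:
                continue
            # Older IOS prints 'encryption', newer prints 'encr'; treat them alike.
            key = "encr" if parts[0] in ("encr", "encryption") else parts[0]
            if key in ATTRS:
                policies[current][key] = " ".join(parts[1:])
        else:
            current = None          # any non-indented line ends the policy block
    return policies


def unmatched_policies(side_a: dict, side_b: dict) -> dict[int, dict[str, str]]:
    """Policies in side_a for which no policy in side_b agrees on every attribute."""
    return {num: pol for num, pol in side_a.items()
            if not any(all(pol[k] == other[k] for k in ATTRS) for other in side_b.values())}


def compare(config_a: str, config_b: str):
    """Return (policies on A without a match on B, policies on B without a match on A)."""
    pa, pb = parse_isakmp_policies(config_a), parse_isakmp_policies(config_b)
    return unmatched_policies(pa, pb), unmatched_policies(pb, pa)


def demo():
    return compare(HUB_CONFIG, SPOKE_CONFIG)


if __name__ == "__main__":
    hub_only, spoke_only = demo()
    for label, unmatched in (("hub", hub_only), ("spoke", spoke_only)):
        for num, pol in unmatched.items():
            print(f"{label} policy {num} has no counterpart: {pol}")
```

In the sample the two routers agree on policy 10, so phase 1 would negotiate; policy 20 differs on each side (the hub's is all defaults, the spoke's uses 3DES, group 2 and a 3600 s lifetime) and is reported from both directions. Run it against real captures by replacing the two constructed strings with the output of 'sh run' from each router.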
I am having the exact same problem. This is part of a hub-and-spoke VPN network (the hub runs a dynamic crypto map). The IOS version on the remote is 12.3(7)T2, while the hub runs 12.2(13)T3. I have tried all the suggestions above, but to no avail. Please see a sample of my debugs below.
*Mar 10 02:25:10: ISAKMP: received ke message (1/1)
*Mar 10 02:25:10: ISAKMP: set new node 0 to QM_IDLE
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. ([local address], [remote address])
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Mar 10 02:25:58: ISAKMP: received ke message (3/1)
*Mar 10 02:25:58: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
Admittedly, I am at my wits' end with this one. The worst thing is that it has worked in the lab before. The only difference between the lab and the field is the internet connection (ADSL PPPoE vs. cable).