VPN between Cisco 3620 and Linksys RV042

maciej.lisinski
Level 1

I have a problem. I am trying to connect a Cisco 3620 and a Linksys RV042 by site-to-site VPN and I can't establish phase 1 of ISAKMP. From "show log" I get the error: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 83.17.159.254 failed its sanity check or is malformed. From "debug crypto isakmp error" I get the output:

4d07h: ISAKMP (0:0): received packet from 83.17.159.254 dport 500 sport 500 Global (N) NEW SA

4d07h: ISAKMP: Created a peer struct for 83.17.159.254, peer port 500

4d07h: ISAKMP: Locking peer struct 0x630776D4, IKE refcount 1 for crypto_ikmp_config_initialize_sa

4d07h: ISAKMP (0:0): Setting client config settings 62C50FF0

4d07h: ISAKMP: local port 500, remote port 500

4d07h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 62A55DF0

4d07h: ISAKMP (0:4): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

4d07h: ISAKMP (0:4): Old State = IKE_READY New State = IKE_R_MM1

4d07h: ISAKMP (0:4): processing SA payload. message ID = 0

4d07h: ISAKMP (0:4): processing vendor id payload

4d07h: ISAKMP (0:4): vendor ID is DPD

4d07h: ISAKMP: Looking for a matching key for 83.17.159.254 in default : success

4d07h: ISAKMP (0:4): found peer pre-shared key matching 83.17.159.254

4d07h: ISAKMP (0:4) local preshared key found

4d07h: ISAKMP : Scanning profiles for xauth ...

4d07h: ISAKMP (0:4): Checking ISAKMP transform 0 against priority 3 policy

4d07h: ISAKMP: life type in seconds

4d07h: ISAKMP: life duration (basic) of 28800

4d07h: ISAKMP: encryption DES-CBC

4d07h: ISAKMP: hash SHA

4d07h: ISAKMP: auth pre-share

4d07h: ISAKMP: default group 2

4d07h: ISAKMP (0:4): atts are acceptable. Next payload is 0

4d07h: ISAKMP (0:4): processing vendor id payload

4d07h: ISAKMP (0:4): vendor ID is DPD

4d07h: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

4d07h: ISAKMP (0:4): Old State = IKE_R_MM1 New State = IKE_R_MM1

4d07h: ISAKMP: Error: payload length of VENDOR 0 < 4

4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP

4d07h: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

4d07h: ISAKMP (0:4): Old State = IKE_R_MM1 New State = IKE_R_MM2

4d07h: ISAKMP (0:4): received packet from 83.17.159.254 dport 500 sport 500 Global (R) MM_SA_SETUP

4d07h: ISAKMP (0:4): phase 1 packet is a duplicate of a previous packet.

4d07h: ISAKMP (0:4): retransmitting due to retransmit phase 1

4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...

4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...

4d07h: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1

4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP

4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP

4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...

4d07h: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1

4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP

4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP

4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...

4d07h: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1

4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP

4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP

4d07h: ISAKMP (0:4): received packet from 83.17.159.254 dport 500 sport 500 Glob

I checked my pre-shared key several times and they are similar on both routers. I can't find any information about what's wrong.

Thanks for any help

Regards

Mac Foxx

3 Replies

spremkumar
Level 9

Hi,

Please find the possible reason for the log message.

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from [IP_address] failed its sanity check or is malformed

A quick verification check is done on all received ISAKMP messages to ensure that all component payload types are valid and that the sum of their individual lengths equals the total length of the received message. This message indicates a failed verification check. Persistently bad messages could mean a denial-of-service attack or bad decryption.

Can you revert whether the ISAKMP configurations are the same on both the boxes?

Can you check up the same on both the Cisco box related to hash, encryption and group if you have set under ISAKMP config with the config set in the Linksys box?

regds
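The sanity check described in the reply above (valid payload types, and payload lengths that add up to the message length), sketched as an added example that is not part of the original thread and is not Cisco's code. It walks the payload chain of an unencrypted ISAKMP message using the RFC 2408 header layout; the function names and the sample messages are constructed for illustration, and the wording of the short-payload error is modelled on the debug line in the original post.

```python
import struct

# Payload type numbers from RFC 2408, section 3.1
PAYLOAD_NAMES = {1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "NOTIFY", 12: "DELETE", 13: "VENDOR"}
HDR_LEN = 28     # fixed ISAKMP header: cookies(16), next, version, exchange, flags, msg id, length
GENERIC_LEN = 4  # generic payload header: next payload, reserved, payload length (2 bytes)

def sanity_check(msg: bytes) -> list[str]:
    """Return the problems found; an empty list means the message passes."""
    if len(msg) < HDR_LEN:
        return ["message shorter than ISAKMP header"]
    next_payload, = struct.unpack_from("!B", msg, 16)
    total_len, = struct.unpack_from("!I", msg, 24)
    problems = []
    if total_len != len(msg):
        problems.append(f"header length {total_len} != received {len(msg)}")
    offset = HDR_LEN
    while next_payload != 0:
        name = PAYLOAD_NAMES.get(next_payload)
        if name is None:
            problems.append(f"invalid payload type {next_payload}")
            break
        if offset + GENERIC_LEN > len(msg):
            problems.append(f"{name} header runs past end of message")
            break
        nxt, _reserved, plen = struct.unpack_from("!BBH", msg, offset)
        if plen < GENERIC_LEN:  # length field must cover its own 4-byte header
            problems.append(f"payload length of {name} {plen} < {GENERIC_LEN}")
            break
        offset, next_payload = offset + plen, nxt
    else:  # chain ended normally: the lengths must sum to the message size
        if offset != len(msg):
            problems.append(f"payloads end at {offset}, message is {len(msg)} bytes")
    return problems

def build(payloads):
    """Constructed sample builder: payloads is [(type, body, declared_len or None)]."""
    body = b""
    for i, (ptype, data, declared) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        plen = GENERIC_LEN + len(data) if declared is None else declared
        body += struct.pack("!BBH", nxt, 0, plen) + data
    first = payloads[0][0] if payloads else 0
    # zero cookies, version 1.0, exchange type 2 (Identity Protection / Main Mode)
    return bytes(16) + struct.pack("!BBBBII", first, 0x10, 2, 0, 0, HDR_LEN + len(body)) + body

GOOD = build([(1, bytes(48), None), (13, bytes(16), None)])   # SA + vendor ID
BAD_VENDOR = build([(1, bytes(48), None), (13, b"", 0)])      # vendor ID declaring length 0
print(sanity_check(GOOD), sanity_check(BAD_VENDOR), sanity_check(GOOD[:-3]))
```

Once the ISAKMP encryption flag is set, the bytes after the header are ciphertext, so the same walk only makes sense after decryption; a wrong key at that point produces garbage lengths, which is the "bad decryption" case the message text mentions.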

samuelhk1
Level 1

Hi,

If you have configured it successfully, can you send me the config on the Cisco router and Linksys router? Many thanks.

Sam.

It doesn't work, but if you want some configuration, look here: http://www.tek-tips.com/viewthread.cfm?qid=1196669

It may be useful for you.

Mac
