
Site to Site VPN with IOS to Checkpoint - I'm lost

keesvanbeekict
Level 1

Hi all,

I need to set up a site 2 site IKE VPN-tunnel, the configuration kinda speaks for itself, but in short the idea is to only use the secondary DSL interface for a dedicated IPSec tunnel to a remote location.

When the tunnel is being initiated, it fails on Phase1:

The awkward thing is:

ISAKMP: reserved not zero on ID payload!

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 111.111.111.111 failed its sanity check or is malformed

Would indicate a mismatch in the preshared key (or does it?!). I triple checked that....

Kinda lost now, any thinking along and/or help appreciated!

2 Replies

ajagadee
Cisco Employee

Hi,

Yes, the debug message "ISAKMP: reserved not zero on ID payload!" means that the PSK does not match on both sides.

Also, can you add the "no-xauth" option to the PSK statement in the configuration?

crypto isakmp key cisco address 1.1.1.1 no-xauth

Regards

Arul

*Pls rate if it helps*

It probably won't be earlier than this Friday that I can give it a try, but I will and report/rate back ;-)

I'm not sure why using the no-xauth would make a difference though...

"no-xauth:

(Optional) Use this keyword if router-to-router IPSec is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password). "

Worth a shot :-)
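Added example, not written by anyone in this thread: a sketch of why a pre-shared key mismatch shows up as "reserved not zero on ID payload". In IKEv1 main mode the ID payload is encrypted with a key derived from the PSK (RFC 2409, section 5), so a receiver holding a different PSK decrypts it to garbage and the header sanity check fails. Assumptions: the nonces, DH secret, cookies and peer address are constructed values, and an HMAC-SHA1 keystream stands in for the negotiated CBC cipher.

```python
import hashlib
import hmac
import struct

# Constructed sample exchange values (not from the thread): nonces, DH secret, cookies.
NI, NR = b"\x11" * 16, b"\x22" * 16
GXY, CKY_I, CKY_R = b"\x33" * 128, b"\x44" * 8, b"\x55" * 8

def prf(key, data):
    """IKEv1 prf when SHA-1 is the negotiated hash: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e(psk):
    """RFC 2409 key derivation for pre-shared-key authentication."""
    skeyid = prf(psk, NI + NR)                 # SKEYID = prf(psk, Ni_b | Nr_b)
    tail = GXY + CKY_I + CKY_R
    d = prf(skeyid, tail + b"\x00")            # SKEYID_d
    a = prf(skeyid, d + tail + b"\x01")        # SKEYID_a
    return prf(skeyid, a + tail + b"\x02")     # SKEYID_e (encryption key material)

def stand_in_cipher(key, data):
    """Assumption: XOR with an HMAC counter keystream instead of DES/3DES/AES-CBC."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += prf(key, struct.pack(">I", counter))
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))

def build_id_payload(ipv4):
    """ID payload: generic header (next=HASH, reserved=0, length) + ID_IPV4_ADDR body."""
    body = bytes([1, 17]) + struct.pack(">H", 500) + ipv4
    return bytes([8, 0]) + struct.pack(">H", 4 + len(body)) + body

def id_payload_sane(payload):
    """Receiver-side check: reserved byte is zero and the length field is consistent."""
    _next, reserved, length = struct.unpack(">BBH", payload[:4])
    return reserved == 0 and length == len(payload)

def receive(sender_psk, receiver_psk):
    """True if the receiver can parse the ID payload the sender encrypted."""
    wire = stand_in_cipher(skeyid_e(sender_psk), build_id_payload(bytes([192, 0, 2, 1])))
    return id_payload_sane(stand_in_cipher(skeyid_e(receiver_psk), wire))

if __name__ == "__main__":
    print("matching PSK parses:  ", receive(b"cisco", b"cisco"))
    print("mismatched PSK parses:", receive(b"cisco", b"Cisco"))
```

Because the key depends on every byte of the PSK, differences in case, trailing whitespace or encoding between the two gateways are enough to produce this failure.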
