Cisco Support Community

New Member

Site to Site VPN with IOS to Checkpoint - I'm lost

Hi all,

I need to set up a site 2 site IKE VPN-tunnel, the configuration kinda speaks for itself, but in short the idea is to only use the secondary DSL interface for a dedicated IPSec tunnel to a remote location.

When the tunnel is being initiated, it fails on Phase1:

The awkward thing is:

ISAKMP: reserved not zero on ID payload!

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from failed its sanity check or is malformed

Would indicate a mismatch in the preshared key (or does it?!). I triple checked that....

Kinda lost now, any thinking along and/or help appreciated!

Cisco Employee

Re: Site to Site VPN with IOS to Checkpoint - I'm lost


Yes, the debug message "ISAKMP: reserved not zero on ID payload!" means that the PSK does not match on both sides.

Also, can you add the "no-xauth" option to the PSK statement in the configuration?

crypto isakmp key cisco address no-xauth



*Pls rate if it helps*
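Added example (not part of the original thread, and not Cisco's code): in IKEv1 main mode with pre-shared keys, the ID payload arrives encrypted under a key derived from the PSK, so a mismatched key decrypts it to noise and fixed-field checks such as the reserved byte fail. The sketch applies the RFC 2408 generic-header and RFC 2407 ID-payload checks to two constructed byte strings; the function name and sample bytes are assumptions.

```python
import struct

# Allowed (protocol, port) pairs for a Phase 1 ID payload per RFC 2407:
# both zero, or UDP (17) with port 500.
PHASE1_PROTO_PORT = ((0, 0), (17, 500))

def check_id_payload(buf: bytes) -> list:
    """Sanity-check a decrypted IKEv1 ID payload; return a list of problems."""
    if len(buf) < 8:
        return ["too short for generic header plus ID header"]
    # RFC 2408 generic payload header: next payload, RESERVED, payload length
    next_payload, reserved, length = struct.unpack("!BBH", buf[:4])
    # RFC 2407 ID payload: ID type, protocol ID, port, then identification data
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    problems = []
    if reserved != 0:
        problems.append("reserved not zero on ID payload")
    if length < 8 or length > len(buf):
        problems.append("payload length %d does not fit buffer of %d" % (length, len(buf)))
    if (proto, port) not in PHASE1_PROTO_PORT:
        problems.append("protocol/port %d/%d not valid in Phase 1" % (proto, port))
    return problems

# Constructed sample: a well-formed ID payload (ID_IPV4_ADDR = 1, address
# 192.0.2.1, next payload 8 = HASH) followed by a 20-byte HASH payload,
# as it would look after decryption with the correct key.
GOOD = (struct.pack("!BBHBBH", 8, 0, 12, 1, 17, 500) + bytes([192, 0, 2, 1])
        + struct.pack("!BBH", 0, 0, 24) + bytes(20))

# Constructed sample: arbitrary bytes standing in for what decryption with
# a key derived from the wrong PSK produces.
GARBLED = bytes.fromhex("3fa7c219e05b8d446612f0ab9d3e7715")

if __name__ == "__main__":
    for name, blob in (("correct key", GOOD), ("wrong key", GARBLED)):
        print(name, "->", check_id_payload(blob) or "passes sanity checks")
```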

New Member

Re: Site to Site VPN with IOS to Checkpoint - I'm lost

It probably won't be earlier than this Friday that I can give it a try, but I will and report/rate back ;-)

I'm not sure why using the no-xauth would make a difference though...


"(Optional) Use this keyword if router-to-router IPSec is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password)."

Worth a shot :-)