Cisco Support Community

New Member

Failed IPSEC L2L Tunnel between CVPN3000 and Zyxell Router

Hi

We have a CVPN3015 and we have tried to connect it to a Zyxell Prestige 652 router with an IPSec LAN to LAN Tunnel.

The connection data are:

IPSEC Key mode: IKE
IPSEC Protocol: ESP
Encapsulation: Tunnel
Encryption Algorithm: DES
Authentication Algorithm: MD5
SA Life Time: 28800
Key Group: DH1
Negotiation Mode: Main
Perfect Forward Secrecy: Disabled

And the Pre Shared Key is the same.

The IKE Phase I is correct (the message is):

2477 01/09/2004 12:21:20.790 SEV=4 IKE/119 RPT=180 x.x.x.x
Group [L2L: name]
PHASE 1 COMPLETED

But in IKE Phase II, it is disconnected with this error message:

2477 01/09/2004 12:21:20.790 SEV=4 IKE/119 RPT=180 x.x.x.x
Group [L2L: name]
PHASE 1 COMPLETED

2478 01/09/2004 12:21:20.790 SEV=4 AUTH/22 RPT=180
User [L2L: name] Group [L2L: name] connected, Session Type: IPSec/LAN-to-LAN

2480 01/09/2004 12:21:20.790 SEV=4 AUTH/84 RPT=180
LAN-to-LAN tunnel to headend device x.x.x.x connected

2481 01/09/2004 12:21:20.940 SEV=5 IKE/68 RPT=180 x.x.x.x
Group [L2L: name]
Received non-routine Notify message: Invalid ID info (18)

2483 01/09/2004 12:21:20.960 SEV=5 IKE/50 RPT=181 x.x.x.x
Group [L2L: name]
Connection terminated for peer L2L: name.
Reason: Peer Terminate
Remote Proxy N/A, Local Proxy N/A

2486 01/09/2004 12:21:20.960 SEV=4 AUTH/23 RPT=180 x.x.x.x
User [L2L: name] Group [L2L: name] disconnected: duration: 0:00:00

What does the error message "Received non-routine Notify message: Invalid ID info (18)" mean?

What is the problem?

Thanks in advance

Angel Luis Gonzalez

Amena

3 REPLIES
Cisco Employee

Re: Failed IPSEC L2L Tunnel between CVPN3000 and Zyxell Router

The specific details about this log message are (soon to be available on www.cisco.com):

Explanation:

Notify messages that cause this event are not explicitly handled in the notify processing code.

Recommended Action:

Examine the specific reason information to determine the action to take. Many notifies indicate a configuration setting that the peer does not like.

So, what does "Invalid ID info (18)" mean? It means that the Zyxell router included a value in one of its ISAKMP packets (probably the ID Payload) that the VPN3000 didn't like, probably because it's non-standard.

Can you check with the Zyxell people and see if they say that it's possible to build a tunnel between these devices? There may be some specific configuration of the device that you need to do.

New Member

Re: Failed IPSEC L2L Tunnel between CVPN3000 and Zyxell Router

This generally means your network lists do not match exactly. Make sure the networks in your local and remote network lists match what the Zyxell is using (of course in the opposite order).

HTH,

Mike

New Member

Re: Failed IPSEC L2L Tunnel between CVPN3000 and Zyxell Router

Hi,

We encountered the same problem with IPsec to a Checkpoint firewall.

First we made a mistake in the subnet mask, which seems to cause the same error message. So, check that you have exactly the same subnet/mask configured at both sides.

At this moment we can ping from the laptop behind the concentrator to the laptop behind the checkpoint, but not the other way around.

When we use a router with ipsec config instead of the concentrator, everything works like a dream.

We have opened a TAC case....
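
The network-list check suggested in the replies above, written out as an added example that is not part of the original thread: it compares each side's local and remote network lists in mirrored order and reports mask differences. The function names and all addresses are constructed for illustration.

```python
import ipaddress

def normalize(networks):
    """Parse 'address/mask' strings (dotted mask or prefix length) into networks."""
    # strict=True raises ValueError when host bits are set, e.g. 192.168.1.1/24
    return {ipaddress.ip_network(n, strict=True) for n in networks}

def check_mirror(side_a, side_b):
    """Return mismatch descriptions; an empty list means A's local list equals
    B's remote list and A's remote list equals B's local list exactly."""
    problems = []
    for a_key, b_key in (("local", "remote"), ("remote", "local")):
        a_nets = normalize(side_a[a_key])
        b_nets = normalize(side_b[b_key])
        for net in sorted(a_nets - b_nets, key=str):
            # Same base address under a different mask: the subnet-mask mistake
            twin = [o for o in b_nets if o.network_address == net.network_address]
            if twin:
                problems.append(
                    f"A {a_key} {net} vs B {b_key} {twin[0]}: mask differs")
            else:
                problems.append(f"A {a_key} {net} missing from B {b_key}")
        for net in sorted(b_nets - a_nets, key=str):
            # Mask differences were already reported from A's point of view
            if not any(o.network_address == net.network_address for o in a_nets):
                problems.append(f"B {b_key} {net} missing from A {a_key}")
    return problems

# Constructed sample configurations (not taken from the thread)
CONCENTRATOR = {"local": ["10.10.0.0/255.255.0.0"],
                "remote": ["192.168.1.0/255.255.255.0"]}
ROUTER_OK = {"local": ["192.168.1.0/24"], "remote": ["10.10.0.0/16"]}
ROUTER_BAD_MASK = {"local": ["192.168.1.0/255.255.255.128"],
                   "remote": ["10.10.0.0/255.255.0.0"]}

if __name__ == "__main__":
    for name, peer in (("ok", ROUTER_OK), ("bad mask", ROUTER_BAD_MASK)):
        issues = check_mirror(CONCENTRATOR, peer)
        print(name, "->", issues or "network lists mirror each other")
```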
