
IPSec problem between IOS switch and Nortel Alteon firewall

Hi,

I'm trying to bring up an IPSec tunnel between a Cisco IOS 6500 switch and a third party Nortel Alteon firewall.

Stage 1 is failing but the policy configuration looks the same at each end.

Debug output:

*Mar 31 15:33:39.836: ISAKMP:(0:5:HW:2): beginning Main Mode exchange
*Mar 31 15:33:39.836: ISAKMP:(0:5:HW:2): sending packet to 10.129.224.158 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 31 15:33:39.848: ISAKMP (0:268435461): received packet from 10.129.224.158 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 31 15:33:39.848: ISAKMP:(0:5:HW:2):Couldn't find node: message_id 1241674452
*Mar 31 15:33:39.848: ISAKMP:(0:5:HW:2):Unknown Input: state = IKE_I_MM1, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 31 15:33:39.848: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.129.224.158

I can't find any explanation of the "couldn't find node" error anywhere on CCO. The debug reports a response from the peer on protocol 500 so it looks like the two peers can see each other.

Anyone got any ideas?

2 REPLIES

Re: IPSec problem between IOS switch and Nortel Alteon firewall

Hi

You need to verify the following parameters on both sides to overcome this error message:

Encryption DES or 3DES

Hash MD5 or SHA

Diffie-Hellman Group 1 or 2

Authentication {rsa-sig | rsa-encr | pre-share}

For more info, refer to this link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#processing_main

Regards
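
An added example, not part of the original posts: a small Python triage of the debug output quoted in the question. It rejoins the terminal-wrapped lines and reports the state in which the peer's notify arrived; IKE_I_MM1 means the notify came in reply to the first Main Mode message, which is where the four parameters listed in the reply above are negotiated. The function names and the timestamp pattern are assumptions made for this example.

```python
import re

# Debug lines taken from the question above, still wrapped at the terminal width.
SAMPLE = """\
*Mar 31 15:33:39.836: ISAKMP:(0:5:HW:2): beginning Main Mode exchange
*Mar 31 15:33:39.848: ISAKMP:(0:5:HW:2):Unknown Input: state = IKE_I_MM1, major,
minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 31 15:33:39.848: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational m
ode failed with peer at 10.129.224.158
"""

# Phase 1 parameters named in the reply above; compare these on both peers.
PHASE1_PARAMS = ("encryption", "hash", "Diffie-Hellman group", "authentication")

# Assumption: every record starts with a timestamp like "*Mar 31 15:33:39.836".
STAMP = re.compile(r"\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")
NOTIFY = re.compile(r"state = (IKE_\w+),\s*major,\s*minor = IKE_MESG_FROM_PEER,\s*IKE_INFO_NOTIFY")
FAILURE = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of (\w+) mode failed with peer at ([\d.]+)")

def unwrap(text):
    """Rejoin records the terminal split in two; blank lines are dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # continuation of the previous record
    return records

def triage(text):
    """Return one finding per mode failure that follows a notify from the peer."""
    findings, notify_state = [], None
    for rec in unwrap(text):
        m = NOTIFY.search(rec)
        if m:
            notify_state = m.group(1)  # local IKE state when the notify arrived
            continue
        m = FAILURE.search(rec)
        if m and notify_state:
            findings.append({"peer": m.group(2), "state": notify_state,
                             "failed_mode": m.group(1), "compare": PHASE1_PARAMS})
            notify_state = None
    return findings
```
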


Re: IPSec problem between IOS switch and Nortel Alteon firewall

Thanks for the response.

From what the engineer working on the Nortel told me, the parameters matched ours, so there was no obvious reason why the tunnel didn't come up.

Having changed their end from pre-share to rsa and then back again, the tunnel came up!

Strange.
