Cisco Support Community
Community Member

PIX vpn to Nortel box


I'm working on a tunnel between the PIX and a Nortel 4500. However, the tunnel did not work. I checked that the ISAKMP SA is established; it looks like it is stuck on IPsec. I checked that the ISAKMP and IPsec parameters are fine. Below is the debug output:

crypto_isakmp_process_block:src:, dest: spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACT

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with

ISAKMP (0): deleting SA: src, dst

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 26

ISAKMP (0): Total payload length: 30

return status is IKMP_NO_ERROR

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

VPN Peer: ISAKMP: Peer ip: Ref cnt incremented to:2 Total VPN Peers:4

crypto_isakmp_process_block:src:, dest: spt:500 dpt:500

ISAKMP: error, msg not encryptedno d

ISADB: reaper checking SA 0x13a811c, conn_id = 0

ISADB: reaper checking SA 0x13a9804, conn_id = 0

ISADB: reaper checking SA 0x13b0af4, conn_id = 0

ISADB: reaper checking SA 0x13c1a54, conn_id = 0 DELETE IT!

Any thought ?

Cisco Employee

Re: PIX vpn to Nortel box


From the logs: "SA is doing pre-shared key authentication using id type ID_FQDN".

Since you are doing pre-shared key authentication, the ISAKMP identity should be address and not hostname.

Configure "isakmp identity address" on the PIX and try to bring up the tunnel.

I hope it helps.
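The diagnosis above rests on two things in the debug output: the ID payload dump ("type : 2", which is ID_FQDN in the IPsec DOI numbering) and the "msg not encrypted" error that follows once the peer rejects the identity. The script below is an added example, not part of the original thread, that triages a pasted "debug crypto isakmp" capture the same way: it reads the ID payload fields, names the ISAKMP notify types, and, when the policy uses pre-shared keys but the identity is not an address, recommends "isakmp identity address". The sample capture is constructed from the lines quoted in the thread; the authentication method is passed in by the caller because the capture itself does not state it.

```python
"""Triage a PIX 'debug crypto isakmp' capture for a phase 1 identity mismatch."""
import re
from typing import Dict, List, Optional, Tuple

# IPsec DOI identification types (RFC 2407, section 4.6.2.1).
ID_TYPES: Dict[int, str] = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR",
    6: "ID_IPV6_ADDR_SUBNET",
    9: "ID_DER_ASN1_DN",
    11: "ID_KEY_ID",
}

# IPsec DOI notify message types (RFC 2407, section 4.6.3).
NOTIFY_TYPES: Dict[int, str] = {
    24576: "RESPONDER_LIFETIME",
    24577: "REPLAY_STATUS",
    24578: "INITIAL_CONTACT",
}

# Identity types that line up with a pre-shared key keyed by peer address.
PSK_ADDRESS_ID_TYPES = {"ID_IPV4_ADDR", "ID_IPV6_ADDR"}

_ID_FIELD = re.compile(r"^\s*(next-payload|type|protocol|port|length)\s*:\s*(\d+)\s*$")
_NOTIFY = re.compile(r"NOTIFY (?:message|payload) (\d+) protocol (\d+)")
_ERROR = re.compile(r"^ISAKMP: error, (.*)$", re.MULTILINE)

# Constructed sample: the relevant lines from the debug output quoted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 26
ISAKMP (0): Total payload length: 30
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
ISAKMP: error, msg not encrypted
"""


def parse_id_payload(debug_text: str) -> Dict[str, int]:
    """Return the key/value fields dumped after the 'ID payload' header line."""
    fields: Dict[str, int] = {}
    in_block = False
    for line in debug_text.splitlines():
        # The header is 'ISAKMP (0): ID payload'; skip 'processing ID payload' lines.
        if "ID payload" in line and "processing" not in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = _ID_FIELD.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2))
        elif fields:
            break  # first non-field line after the dump closes the block
    return fields


def parse_notifies(debug_text: str) -> List[Tuple[int, str]]:
    """List every ISAKMP notify code seen, in order, with its DOI name."""
    return [(int(m.group(1)), NOTIFY_TYPES.get(int(m.group(1)), "UNKNOWN"))
            for m in _NOTIFY.finditer(debug_text)]


def triage(debug_text: str, authentication: str = "pre-share") -> dict:
    """Summarise the phase 1 identity situation and suggest the PIX fix.

    authentication is the 'isakmp policy ... authentication' value configured
    on the PIX ('pre-share' or 'rsa-sig'); the capture itself does not show it.
    """
    fields = parse_id_payload(debug_text)
    type_num: Optional[int] = fields.get("type")
    id_type = ID_TYPES.get(type_num, "UNKNOWN") if type_num is not None else None
    errors = [m.group(1).strip() for m in _ERROR.finditer(debug_text)]
    # With pre-shared keys the peer looks the key up by address, so any
    # non-address identity (FQDN, user FQDN, key-id) is the likely cause.
    mismatch = (authentication == "pre-share" and id_type is not None
                and id_type not in PSK_ADDRESS_ID_TYPES)
    return {
        "id_type": id_type,
        "id_fields": fields,
        "notifies": parse_notifies(debug_text),
        "errors": errors,
        "mismatch": mismatch,
        "recommendation": "isakmp identity address" if mismatch else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run it against a capture saved from the console; with the thread's output it reports id_type ID_FQDN, the "msg not encrypted" error, and the "isakmp identity address" recommendation. Change the type line to "type : 1" (ID_IPV4_ADDR) and the mismatch clears, which is what you should see after the fix is applied and the tunnel is brought up again.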



Community Member

Re: PIX vpn to Nortel box

It works now. Thanks

Community Member

Re: PIX vpn to Nortel box

I am having a similar problem. Do you know if the ISAKMP identity can be set on a peer by peer basis? It seems to be a global ISAKMP value, and I have many tunnels already configured successfully, with no desire to change the parameter except for this particular tunnel to a nortel device. Thanks in advance...


Cisco Employee

Re: PIX vpn to Nortel box


I don't think it is possible to set the ISAKMP identity on a per-peer basis. If you want to enable ISAKMP identity address as well as hostname on the same PIX/ASA, there is a command that can do this. But you need a minimum of 7.0 to enable this configuration.

"isakmp identity automatic"

Determines ISAKMP negotiation by connection type:

IP address for preshared key

Cert Distinguished Name for certificate authentication

Please refer to the URL below for details:

Let me know if it helps.


