Hightower_8
asked on
Cisco PIX 515e VPN to non-cisco peer
Hey guys & girls,
I'm having a problem with getting a vpn tunnel setup between our cisco pix and a hosting company's GNATBOX 500.
All the settings, as I can see are setup the same. It seems to do phase 1 ok then starts phase 2 but just can't finish it.
Here is my conf + the latest debug info.
Many thanks,
HT
-----------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password encrypted
passwd encrypted
hostname pix
domain-name thefirm.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.0.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list VPNBRIM_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list NO_NAT permit ip any 10.0.0.128 255.255.255.192
access-list NO_NAT permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list NO_NAT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 88.88.88.88 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address DMZ 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPSEC 10.0.0.150-10.0.0.160
ip local pool IPSECB 10.0.0.161-10.0.0.162
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 88.88.88.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.0.0.51 XXXXX timeout 5
http server enable
http 10.0.0.67 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 200.20.20.20
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 200.20.20.20 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp keepalive 30
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnusers address-pool IPSEC
vpngroup vpnusers dns-server 10.0.0.51 10.0.0.52
vpngroup vpnusers default-domain omnifone.com
vpngroup vpnusers split-tunnel 101
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password ********
vpngroup VPNBRIM address-pool IPSECB
vpngroup VPNBRIM dns-server 10.0.0.51 10.0.0.52
vpngroup VPNBRIM default-domain omnifone.com
vpngroup VPNBRIM split-tunnel VPNBRIM_splitTunnelAcl
vpngroup VPNBRIM idle-time 36000
vpngroup VPNBRIM password ********
ssh timeout 5
console timeout 0
pix#
-------------------
ISAKMP msg received
crypto_isakmp_process_bloc
00
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0
validate_payload: len 80
valid_payload:
valid_sa:
valid_transform:
isadb_create_sa:
crypto_isakmp_init_phase1_
is_auth_policy_configured:
gen_cookie:
gen_cookie:
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0
check_isakmp_proposal:
is_auth_policy_configured:
is_auth_policy_configured:
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_paramet
DH_ALG_PHASE1
process_sa: DONE - status 0x0
delete_sa_offers:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_isakmp_sa: auth 7
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x7
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 200.20.20.20, port 500
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
validate_payload: len 200
valid_payload:
valid_payload:
valid_payload:
OAK_MM exchange
oakley_process_mm:
OAK_MM_SA_SETUP
process_isakmp_packet:
process_ke:
ISAKMP (0): processing KE payload. message ID = 0
crypto_generate_DH_paramet
DH_ALG_PHASE2
process_isakmp_packet: OAK_MM
process_nonce:
ISAKMP (0): processing NONCE payload. message ID = 0
process_isakmp_packet: OAK_MM
pix_create_skeys:
skey_pre_shar:
process_vendor_id:
ISAKMP (0): processing vendor id payload
not cisco peer
process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
construct_header: message_id 0x0
construct_ke:
need_cert_from_peer:
construct_nonce:
construct_xauthv6_vendor_i
construct_dpd_vendor_id:
construct_unity_vendor_id:
construct_vendor_id:
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 200.20.20.20, port 500
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7844a8, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x834108, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
SESSION_IDLE_TIMER
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x853c88, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7f3488, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_bloc
00
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x8cdf88, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
QM_TIMER
ISAKMP (0): deleting SA: src 200.20.20.20, dst 88.88.88.88
REAPER_TIMER
ISADB: reaper checking SA 0x10dcaa4, conn_id = 0
ISADB: reaper checking SA 0x10de154, conn_id = 0 DELETE IT!
crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for 200.20.20.20/500 not found - peers:2
ISADB: reaper checking SA 0x10dcaa4, conn_id = 0
ISADB: reaper checking SA 0x10deafc, conn_id = 0
SESSION_IDLE_TIMER
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_bloc
00
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0
ISAKMP: sa not found for ike msg
I'm having a problem with getting a vpn tunnel setup between our cisco pix and a hosting company's GNATBOX 500.
All the settings, as I can see are setup the same. It seems to do phase 1 ok then starts phase 2 but just can't finish it.
Here is my conf + the latest debug info.
Many thanks,
HT
-----------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password encrypted
passwd encrypted
hostname pix
domain-name thefirm.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.0.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.192
access-list VPNBRIM_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list NO_NAT permit ip any 10.0.0.128 255.255.255.192
access-list NO_NAT permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list NO_NAT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 88.88.88.88 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address DMZ 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPSEC 10.0.0.150-10.0.0.160
ip local pool IPSECB 10.0.0.161-10.0.0.162
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 88.88.88.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.0.0.51 XXXXX timeout 5
http server enable
http 10.0.0.67 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 200.20.20.20
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 200.20.20.20 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp keepalive 30
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnusers address-pool IPSEC
vpngroup vpnusers dns-server 10.0.0.51 10.0.0.52
vpngroup vpnusers default-domain omnifone.com
vpngroup vpnusers split-tunnel 101
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password ********
vpngroup VPNBRIM address-pool IPSECB
vpngroup VPNBRIM dns-server 10.0.0.51 10.0.0.52
vpngroup VPNBRIM default-domain omnifone.com
vpngroup VPNBRIM split-tunnel VPNBRIM_splitTunnelAcl
vpngroup VPNBRIM idle-time 36000
vpngroup VPNBRIM password ********
ssh timeout 5
console timeout 0
pix#
-------------------
ISAKMP msg received
crypto_isakmp_process_bloc
00
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0
validate_payload: len 80
valid_payload:
valid_sa:
valid_transform:
isadb_create_sa:
crypto_isakmp_init_phase1_
is_auth_policy_configured:
gen_cookie:
gen_cookie:
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0
check_isakmp_proposal:
is_auth_policy_configured:
is_auth_policy_configured:
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_paramet
DH_ALG_PHASE1
process_sa: DONE - status 0x0
delete_sa_offers:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_isakmp_sa: auth 7
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x7
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 200.20.20.20, port 500
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
validate_payload: len 200
valid_payload:
valid_payload:
valid_payload:
OAK_MM exchange
oakley_process_mm:
OAK_MM_SA_SETUP
process_isakmp_packet:
process_ke:
ISAKMP (0): processing KE payload. message ID = 0
crypto_generate_DH_paramet
DH_ALG_PHASE2
process_isakmp_packet: OAK_MM
process_nonce:
ISAKMP (0): processing NONCE payload. message ID = 0
process_isakmp_packet: OAK_MM
pix_create_skeys:
skey_pre_shar:
process_vendor_id:
ISAKMP (0): processing vendor id payload
not cisco peer
process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
construct_header: message_id 0x0
construct_ke:
need_cert_from_peer:
construct_nonce:
construct_xauthv6_vendor_i
construct_dpd_vendor_id:
construct_unity_vendor_id:
construct_vendor_id:
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 200.20.20.20, port 500
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7844a8, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x834108, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
SESSION_IDLE_TIMER
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x853c88, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
ISAKMP msg received
crypto_isakmp_process_bloc
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x7f3488, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_bloc
00
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x10de154
isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x8cdf88, len 40
des_encdec:
validate_payload: len 68
valid_payload:
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
QM_TIMER
ISAKMP (0): deleting SA: src 200.20.20.20, dst 88.88.88.88
REAPER_TIMER
ISADB: reaper checking SA 0x10dcaa4, conn_id = 0
ISADB: reaper checking SA 0x10de154, conn_id = 0 DELETE IT!
crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for 200.20.20.20/500 not found - peers:2
ISADB: reaper checking SA 0x10dcaa4, conn_id = 0
ISADB: reaper checking SA 0x10deafc, conn_id = 0
SESSION_IDLE_TIMER
PEER_REAPER_TIMER
ISAKMP msg received
crypto_isakmp_process_bloc
00
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0
ISAKMP: sa not found for ike msg
ASKER
Hi Irmoore,
I added the no-config-mode but it still does the same.
I added the no-config-mode but it still does the same.
You also have a non-existant acl applied to the interface
>access-group outside_access_in in interface outside
This breaks the sysopt...
Make sure that commands reference defined access-lists.
Since you don't have any inbound access lists defined, how about just removing the acl from the interface?
no access-group outside_access_in in interface outside
>access-group outside_access_in in interface outside
This breaks the sysopt...
Make sure that commands reference defined access-lists.
Since you don't have any inbound access lists defined, how about just removing the acl from the interface?
no access-group outside_access_in in interface outside
ASKER
Sorry bud there a few access-list for "outside_access_in" - I seem to have taken them out by mistake before posting up the config.
> ISAKMP: reserved not zero on payload 5!
> ISAKMP: malformed payload
> PEER_REAPER_TIMER
ISAKMP is failing to negotiate between the peers, and the unused ISAKMP session is being reaped (ie removed from the table).
So you're not even getting to phase 2 (IPSEC).
I would turn off this:
isakmp nat-traversal 20
..seeming neither end is behind NAT.
This should be a simple issue to sort out. All ISAKMP needs is a matching ISAKMP policy at both ends - 3DES, SHA, Group 2, lifetime, pre-shared key. Once at this stage there should be a tunnel up, so that IPSEC can negotiate. This we will deal with later... !
I've not seen a Gnatbox before - but is there a place to put these parameters in, or are there some other fields in there, or advanced tabs that contain ISAKMP / IKE parameters that could be upsetting this ?
> ISAKMP: malformed payload
> PEER_REAPER_TIMER
ISAKMP is failing to negotiate between the peers, and the unused ISAKMP session is being reaped (ie removed from the table).
So you're not even getting to phase 2 (IPSEC).
I would turn off this:
isakmp nat-traversal 20
..seeming neither end is behind NAT.
This should be a simple issue to sort out. All ISAKMP needs is a matching ISAKMP policy at both ends - 3DES, SHA, Group 2, lifetime, pre-shared key. Once at this stage there should be a tunnel up, so that IPSEC can negotiate. This we will deal with later... !
I've not seen a Gnatbox before - but is there a place to put these parameters in, or are there some other fields in there, or advanced tabs that contain ISAKMP / IKE parameters that could be upsetting this ?
ASKER
Hi Tim,
Yeah the Gnatbox has a matching policy -3DES-MD5- DH group 2 - life time is the same 3600 and the pre-shared key is the same.
The Gnatbox isn't behind NAT but is running NAT for it's inside network, the PIX is not behind NAT but running NAT for the inside as well.
Removing the "isakmp nat-traversal 20" will that affect my client to PIX vpn users in any way?
Yeah the Gnatbox has a matching policy -3DES-MD5- DH group 2 - life time is the same 3600 and the pre-shared key is the same.
The Gnatbox isn't behind NAT but is running NAT for it's inside network, the PIX is not behind NAT but running NAT for the inside as well.
Removing the "isakmp nat-traversal 20" will that affect my client to PIX vpn users in any way?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Tim, Irmoore,
I have taken out the "isakmp nat-traversal 20" line and then run the debug again. The debug is still the same.
I have taken out the "isakmp nat-traversal 20" line and then run the debug again. The debug is still the same.
> life time is the same 3600
Make sure this is seconds, and not minutes. Some firewalls I've seen express this as minutes, which spoils the fun somewhat.
What do the Gnatbox logs say ? They may hold some useful information.
Make sure this is seconds, and not minutes. Some firewalls I've seen express this as minutes, which spoils the fun somewhat.
What do the Gnatbox logs say ? They may hold some useful information.
ASKER
Hi Tim,
I can confirm that the "3600" is in seconds. This Gnatbox is over at our hosting company and I'm told the dubug is very thin on the ground and doesn't show any attempts from the PIX to connect.
It's a tough one to troubleshoot as I really need to get over there and see for myself what it is doing.
I can confirm that the "3600" is in seconds. This Gnatbox is over at our hosting company and I'm told the dubug is very thin on the ground and doesn't show any attempts from the PIX to connect.
It's a tough one to troubleshoot as I really need to get over there and see for myself what it is doing.
In that case, are there any firewalls in between you and the hosting company that could be blocking the tunnel ?
If the Gnatbox isn't even seeing a connect request then something pretty basic is wrong here.
If the Gnatbox isn't even seeing a connect request then something pretty basic is wrong here.
ASKER
Hi Tim,
Network connectivity between the two firewalls is ok as we currently access boxes behind the Gnat box. We just can't get the tunnel to work. After explaining this to my manager it looks like we might scrap the Gnatbox as we didn't pay for it and get a PIX in there instead.
Network connectivity between the two firewalls is ok as we currently access boxes behind the Gnat box. We just can't get the tunnel to work. After explaining this to my manager it looks like we might scrap the Gnatbox as we didn't pay for it and get a PIX in there instead.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Well it's worth a go I guess.
ASKER
Hi Tim & Irmoore,
100% sorry for the delay on this, I thought I had closed it down. Must have dreamt it.....too much work on my mind I guess!
Anyway the firm decided to ditch the gant box as it was free and get another Pix 515e.
I guess I can do something worth while with these points for you guys??
Thanks,
HT
isakmp key ******** address 200.20.20.20 netmask 255.255.255.255 no-xauth no-config-mode
^^^^^