[c-nsp] Cisco to Checkpoint VPN

Jee Kay jeekay at gmail.com
Fri Feb 16 09:16:20 EST 2007


I'm trying to set up a Cisco to Checkpoint VPN. As far as I can tell
everything is set up right (access-lists/IKE IDs match on both sides,
PSKs have been reverified a hundred times, etc.), but during the
negotiation we run into this:

Feb 16 14:13:29.400 GMT: ISAKMP:(0:77:HW:2): sending packet to x.y.z.t my_port 500 peer_port 500 (I) MM_KEY_EXCH
Feb 16 14:13:29.404 GMT: ISAKMP:(0:77:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 16 14:13:29.404 GMT: ISAKMP:(0:77:HW:2):Old State = IKE_I_MM4  New State = IKE_I_MM5
Feb 16 14:13:29.488 GMT: ISAKMP (0:268435533): received packet from x.y.z.t dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb 16 14:13:39.404 GMT: ISAKMP:(0:77:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Feb 16 14:13:39.404 GMT: ISAKMP (0:268435533): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

To me it seems like we send the key exchange packet, the remote end
(x.y.z.t) replies correctly but we completely ignore it. 10 seconds
later we then retransmit the initial packet which then continues until
the session times out and is removed.

Does anyone know why the Cisco appears to be ignoring the MM_KEY_EXCH
packet reply from the remote end?

Thanks,
Ras
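As an added example (not part of the post or the list archive), a small Python checker that walks the ISAKMP debug lines quoted above, re-joined one entry per line, and flags exactly the pattern described: the peer's reply to the outstanding MM_KEY_EXCH arrives, yet no Old State/New State transition follows before the initiator retransmits. It assumes the Cisco debug line formats shown in the post and nothing else.

```python
import re
from datetime import datetime

# Constructed sample: the six ISAKMP debug lines quoted in the post, each re-joined
# onto a single line (the archive wrapped them). x.y.z.t is the poster's placeholder.
SAMPLE_LOG = """\
Feb 16 14:13:29.400 GMT: ISAKMP:(0:77:HW:2): sending packet to x.y.z.t my_port 500 peer_port 500 (I) MM_KEY_EXCH
Feb 16 14:13:29.404 GMT: ISAKMP:(0:77:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 16 14:13:29.404 GMT: ISAKMP:(0:77:HW:2):Old State = IKE_I_MM4  New State = IKE_I_MM5
Feb 16 14:13:29.488 GMT: ISAKMP (0:268435533): received packet from x.y.z.t dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb 16 14:13:39.404 GMT: ISAKMP:(0:77:HW:2): retransmitting phase 1 MM_KEY_EXCH...
Feb 16 14:13:39.404 GMT: ISAKMP (0:268435533): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
"""

TS_RE = re.compile(r"^\w{3} +\d+ (\d\d:\d\d:\d\d\.\d+)")
SENT_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+) .*\((I|R)\) (\w+)")
STATE_RE = re.compile(r"Old State = (\w+)\s+New State = (\w+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 (\w+)")


def _ts(line: str) -> datetime:
    return datetime.strptime(TS_RE.match(line).group(1), "%H:%M:%S.%f")


def find_phase1_stalls(log: str) -> list:
    """Flag each phase 1 retransmit that came after the peer's reply had already
    arrived without the local state machine advancing (the pattern in the post)."""
    findings = []
    outstanding = None      # exchange name of the last packet we sent
    reply = None            # (timestamp, peer) of a reply to that packet
    advanced = False        # did Old State -> New State fire after the reply?
    state = None            # most recent New State seen
    for line in log.splitlines():
        if m := SENT_RE.search(line):
            outstanding, reply, advanced = m.group(3), None, False
        elif m := STATE_RE.search(line):
            state = m.group(2)
            advanced = reply is not None      # progress after the reply is healthy
        elif (m := RECV_RE.search(line)) and m.group(3) == outstanding:
            reply = (_ts(line), m.group(1))
        elif (m := RETRANS_RE.search(line)) and reply and not advanced:
            gap = (_ts(line) - reply[0]).total_seconds()
            findings.append({"exchange": m.group(1), "peer": reply[1],
                             "stuck_state": state, "reply_to_retransmit_s": gap})
    return findings


if __name__ == "__main__":
    for f in find_phase1_stalls(SAMPLE_LOG):
        print(f)
```

On the quoted lines it reports one stall at IKE_I_MM5 with a 9.9 s gap between the reply and the retransmit; a log where a transition to IKE_I_MM6 follows the reply produces no finding.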
