[c-nsp] vpn l2l issue - pix 506E to an asa5510

dalton daltons at panix.com
Thu Dec 24 06:46:57 EST 2009


Hi all,

I am having a strange issue trying to establish a tunnel between a pix
506E and an ASA5510.

sh isa sa on my pix shows tunnel status as failing at MM_KEY_EXCH

I have verified the phase 1 settings and key to be correct here,

also running the pix in debug mode, it appears the pix is passing phase 1.

I am natting the destination nets here, and am wondering if perhaps this
is causing the issue.

Phase 2 settings and acls also appear to be correct, though in some sense I
can't seem to get beyond phase 1 according to the pix.

Any insight would be greatly appreciated. Pix debug output is below.

Thanks a lot,
dalton

ISAKMP (0): Checking ISAKMP transform 4 against priority 18 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: 88 37 3a f4 5e bc 63 c4 9a fd 62 1b d a3 73 ea
my nat hash  : 79 d4 19 aa 2e 88 fb b7 46 52 64 6e 11 5a 21 23
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP: Locking UDP_ENC struct 0xf5267c from crypto_ikmp_udp_enc_ike_init,
count 1
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src: x.x.x.x, dest:x.x.x.x spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
ISAKMP: sa not found for ike msg