PIX To ROUTER VPN PROBLEM

mike6767 (Technical User), Nov 28, 2003
I'm setting up a VPN between a PIX and a 3640 router, and I just can't get the tunnel up.
Would someone look at this log and see if anything points to the problem?




Log Buffer (4096 bytes):

Nov 27 15:01:04.999: ISAKMP (0:2): purging node -568639019
Nov 27 15:01:04.999: ISAKMP (0:2): purging node 2105410201
Nov 27 15:01:14.999: ISAKMP (0:2): purging SA.
Nov 27 15:01:14.999: CryptoEngine0: delete connection 2
Nov 27 15:01:33.347: IPSEC(sa_request): ,
(key eng. msg.) src= 209.16.xx8.225, dest= 65.196.xx3.10,
src_proxy= 150.150.xx.0/255.255.192.0/0/0 (type=4),
dest_proxy= 65.196.xx.27/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xF4E1E960(4108446048), conn_id= 0, keysize= 0, flags= 0x4005
Nov 27 15:01:33.347: ISAKMP: received ke message (1/1)
Nov 27 15:01:33.351: ISAKMP (0:2): beginning Main Mode exchange
Nov 27 15:01:33.351: ISAKMP (0:2): sending packet to 65.196.xx.10 (I) MM_NO_STATE
Nov 27 15:01:33.383: ISAKMP (0:2): received packet from 65.196.13.10 (I) MM_NO_STATE
Nov 27 15:01:33.383: ISAKMP (0:2): Notify has no hash. Rejected.
1w1d: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.196.xx.10
 
Hi Mike,

What I understand from the logs is that your Phase 1 is not being established, and it says hash rejected, which basically means that either your pre-shared key is not matching or the data integrity of the packet is not being matched. Check the hash value on both sides; they should be the same.
crypto isakmp policy 15
hash md5 <------------------------- This line
authentication pre-share
 
It has been verified that the pre-shared keys match and that hash = md5 is the same on both ends; however, my local end currently has another VPN configured which uses a different crypto isakmp policy (10) from the crypto isakmp policy (20) that I’m using to tunnel between the PIX and the 3640. Can that be the problem? I’m a little fuzzy on how a policy is assigned to any one tunnel when more than one crypto isakmp policy is in the configuration. Aren’t all policies in a crypto map applied until both ends agree on the one that matches?
 
Hi Mike,

Is it possible for you to send me the running configuration of both the devices, i.e. the router and the PIX?

My email ID is saurav_khanna@yahoo.com

You can remove the IP addresses for security reasons.


About your question: it does not make a difference. All the policies are matched unless a match is found. Sorry, I overlooked a fact, i.e. you are getting an SPI, which means that phase 1 was successful. Also send me the entire debugs.

Saurav
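
The ISAKMP debug lines in the first post can be triaged mechanically. The Python below is an added example, not part of any poster's message: it groups `ISAKMP (x:y)` debug lines by SA and records the negotiation states seen, any "Rejected" messages, and `%CRYPTO` IKMP syslog codes. The function name `triage` and the field names are assumptions chosen for this sketch.

```python
import re

# Lines copied from the log in the first post of this thread.
SAMPLE_LOG = """\
Nov 27 15:01:04.999: ISAKMP (0:2): purging node -568639019
Nov 27 15:01:14.999: ISAKMP (0:2): purging SA.
Nov 27 15:01:33.347: ISAKMP: received ke message (1/1)
Nov 27 15:01:33.351: ISAKMP (0:2): beginning Main Mode exchange
Nov 27 15:01:33.351: ISAKMP (0:2): sending packet to 65.196.xx.10 (I) MM_NO_STATE
Nov 27 15:01:33.383: ISAKMP (0:2): received packet from 65.196.13.10 (I) MM_NO_STATE
Nov 27 15:01:33.383: ISAKMP (0:2): Notify has no hash. Rejected.
1w1d: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.196.xx.10
"""

ISAKMP_RE = re.compile(r"ISAKMP \((?P<sa>\d+:\d+)\): (?P<msg>.*)$")
PACKET_RE = re.compile(
    r"(?:sending packet to|received packet from) \S+ "
    r"\((?P<role>[IR])\) (?P<state>[A-Z_0-9]+)")
FAILURE_RE = re.compile(r"%CRYPTO-\d-(?P<code>IKMP_\w+): ")

def triage(log_text):
    """Return ({sa_id: summary}, [syslog failure codes]) for an ISAKMP debug log."""
    sas, failures = {}, []
    for line in log_text.splitlines():
        fail = FAILURE_RE.search(line)
        if fail:
            failures.append(fail.group("code"))
            continue
        m = ISAKMP_RE.search(line)
        if not m:
            continue  # e.g. IPSEC(sa_request) lines or ISAKMP lines without an SA id
        sa = sas.setdefault(m.group("sa"), {"role": None, "states": [], "rejected": []})
        pkt = PACKET_RE.search(m.group("msg"))
        if pkt:
            sa["role"] = "initiator" if pkt.group("role") == "I" else "responder"
            if pkt.group("state") not in sa["states"]:
                sa["states"].append(pkt.group("state"))
        elif "Rejected" in m.group("msg"):
            sa["rejected"].append(m.group("msg"))
    for sa in sas.values():
        # MM_NO_STATE is the initial Main Mode state; MM_SA_SETUP follows once the
        # peers have agreed on ISAKMP policy parameters.
        sa["stalled_before_sa_setup"] = sa["states"] == ["MM_NO_STATE"]
    return sas, failures

if __name__ == "__main__":
    summary, codes = triage(SAMPLE_LOG)
    for sa_id, info in summary.items():
        print(sa_id, info, codes)
```

For the posted log this reports a single SA, 0:2, acting as initiator, with `MM_NO_STATE` as the only state seen, one rejected notify, and the `IKMP_MODE_FAILURE` syslog code.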

 