
PIX to Watchguard VPN Problem

Status
Not open for further replies.

kirby449

Technical User
Jun 15, 2003
47
GB
Hi Guys

We are having trouble setting up a PIX (6.3) to Watchguard (7.0) IPSec VPN. Both Watchguard and PIX are using SHA, ESP-3DES, DH group1 for Phase 1 and Phase 2. Phase 1 seems to be ok from Debugs, but Phase 2 keeps coming back with Hash Verification Failed errors and Malformed Payload errors. I have set the PIX up to another PIX with no problems at all. I have set the security association lifetimes on the PIX to the default values on the Watchguard (8MB and 1 hour).

Still no luck though - anyone any ideas?

Cheers!!!


Debug from PIX

ISAKMP (0): hash verification failed for 3501828352!
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/3)... mess_id 0x24c7b133
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
ISAKMP (0): hash verification failed for 1824539235!
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
ISAKMP (0): retransmitting phase 2 (3/4)... mess_id 0x502eb93
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1787866854:6a90aee6
ISAKMP (0): deleting SA: src xxx.xxx.xxx.xxx, dst xxx.xxx.xxx.xxx
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
ISAKMP: drop msg for deleted sa
ISADB: reaper checking SA 0xaf0b54, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:xxx.xxx.xxx.xxx/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:xxx.xxx.xxx.xxx/500 Total VPN peers:0
 
Hi

Got a similar problem; PIX to PIX is working fine. We also use our PIX for remote users to connect via the Cisco VPN client using RADIUS authentication. If I disable both this authentication and NAT-T on the PIX, the other firewall can connect fine.

However, that's not much good for our remote users. Other end is a Fortigate 200.

Any help would be much appreciated.
Thanks

 
Hi,

I encountered a similar problem before with my PIX 6.3(3) to a 3rd party VPN router which supports IPsec.

If I disable NAT-T on PIX, I am able to connect to the 3rd party VPN router but my Cisco VPN client behind a PAT environment cannot connect.

If I enable NAT-T, my Cisco VPN client behind a PAT environment can connect but my branch office connection to the 3rd party VPN router doesn't work.

I am stumped.

Could there be bugs on PIX 6.3(3)?
 
Could there be bugs on the unspecified 3rd party VPN router? Possibly ... but it's impossible for anyone to say, as you've provided no information about its make, model, capabilities or configuration.

If you're stumped, try running debug crypto isakmp and debug crypto ipsec on the PIX, see whether phase 1 or phase 2 fails, then look up the specific error message from the debug on the Cisco site. That should tell you why things are failing. Then contact the 3rd party router manufacturer and ask them if it supports NAT-T or not. If so, encapsulating over which port? Cisco like to use UDP 4500. Checkpoint, for instance, don't. Perhaps it's configurable on the 3rd party VPN router. Ask the manufacturer.

Figure out if there are any NAT devices between the PIX and the 3rd party device. If so, but they support IPsec pass-through, the VPN will work even if the PIX is behind the NAT device (possibly a router at your end), but if you enable NAT-T then during the phase 1 negotiations it will decide it needs to use NAT-T, and potentially the 3rd party VPN router cannot support NAT-T, and so the tunnel setup fails.

This is all broadly speaking of course as there is very little information to go on.

As for the PIX to PIX config that works fine, but where one end is a Fortigate 200, and VPN clients are involved somehow, from the description I can't figure out what's actually failing, so I can't really help with that.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
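The advice above amounts to: capture the ISAKMP debug, decide whether phase 1 or phase 2 is failing, and then chase the specific error strings. The script below is an added example (not code from the thread or from Cisco) that does that triage over a saved `debug crypto isakmp` capture: it counts the error signatures that appear in the original post, tallies phase 1 versus phase 2 retransmits, pulls out the message IDs, and reports which phase the negotiation stalls in. The sample input is the poster's own debug output with the forum's line wrapping undone; the "retransmitting phase 1" pattern is assumed by analogy with the "retransmitting phase 2" lines on the page, and the checklist strings are limited to the settings the thread itself discusses (transform set, DH group, SA lifetimes, NAT-T).

```python
import re
from collections import Counter

# Constructed sample input: the PIX 6.3 "debug crypto isakmp" lines quoted
# earlier in this thread, re-joined where the forum wrapped them. Peer
# addresses are the thread's own xxx placeholders.
SAMPLE_DEBUG = """\
ISAKMP (0): hash verification failed for 3501828352!
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/3)... mess_id 0x24c7b133
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
ISAKMP (0): hash verification failed for 1824539235!
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
ISAKMP (0): retransmitting phase 2 (3/4)... mess_id 0x502eb93
ISAKMP: error, msg not encrypted
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1787866854:6a90aee6
ISAKMP (0): deleting SA: src xxx.xxx.xxx.xxx, dst xxx.xxx.xxx.xxx
ISAKMP: drop msg for deleted sa
"""

# Error signatures copied from the debug output in this thread.
ERROR_SIGNATURES = [
    ("hash_verification_failed", re.compile(r"hash verification failed for (\d+)")),
    ("reserved_not_zero",        re.compile(r"reserved not zero on payload (\d+)")),
    ("malformed_payload",        re.compile(r"malformed payload")),
    ("msg_not_encrypted",        re.compile(r"error, msg not encrypted")),
]

# "retransmitting phase 2 (n/m)... mess_id 0x..." is on the page; the same
# form with "phase 1" is an assumption used to spot Main Mode stalls.
RETRANSMIT_RE = re.compile(r"retransmitting phase (\d) \((\d+)/(\d+)\).*?mess_id (0x[0-9a-f]+)")
QUICK_MODE_RE = re.compile(r"beginning Quick Mode exchange")
DELETE_SA_RE = re.compile(r"deleting SA:")

# What to compare on both peers for each error class; deliberately limited to
# the parameters discussed in this thread.
CHECKLIST = {
    "hash_verification_failed": "phase 2 mismatch: compare ESP transform (3DES/SHA), PFS/DH group and SA lifetimes on both peers",
    "reserved_not_zero": "peer sent a payload the PIX could not parse: confirm both ends agree on NAT-T (on/off, UDP port)",
    "malformed_payload": "treat together with reserved_not_zero: an encapsulation/interop problem, not a pre-shared-key typo",
    "msg_not_encrypted": "a Quick Mode message arrived in the clear: the IKE SA may already have been torn down on one side",
}


def analyze_isakmp_debug(text):
    """Summarise one PIX 'debug crypto isakmp' capture.

    Returns error counts, per-phase retransmit counts, the message IDs being
    retransmitted, the phase the negotiation stalls in (1, 2 or None) and
    whether the IKE SA was eventually deleted.
    """
    errors = Counter()
    hash_failed_for = []
    retransmits = {1: 0, 2: 0}
    message_ids = []
    quick_mode_seen = False
    sa_deleted = False

    for line in text.splitlines():
        for label, pattern in ERROR_SIGNATURES:
            m = pattern.search(line)
            if m:
                errors[label] += 1
                if label == "hash_verification_failed":
                    hash_failed_for.append(m.group(1))
        m = RETRANSMIT_RE.search(line)
        if m:
            phase = int(m.group(1))
            retransmits[phase] = retransmits.get(phase, 0) + 1
            message_ids.append(m.group(4))
        if QUICK_MODE_RE.search(line):
            quick_mode_seen = True
        if DELETE_SA_RE.search(line):
            sa_deleted = True

    # Phase 1 trouble: phase 1 retransmits and Quick Mode never reached.
    # Phase 2 trouble: Quick Mode / phase 2 retransmits accompanied by errors.
    if retransmits[1] and not (retransmits[2] or quick_mode_seen):
        failed_at_phase = 1
    elif (retransmits[2] or quick_mode_seen) and errors:
        failed_at_phase = 2
    else:
        failed_at_phase = None

    return {
        "errors": dict(errors),
        "hash_failed_for": hash_failed_for,
        "retransmits": retransmits,
        "message_ids": message_ids,
        "failed_at_phase": failed_at_phase,
        "sa_deleted": sa_deleted,
        "checklist": [CHECKLIST[e] for e in errors if e in CHECKLIST],
    }


def format_report(summary):
    """Render the summary as the short text a poster could paste into a thread."""
    lines = ["failed at phase: %s" % summary["failed_at_phase"],
             "IKE SA deleted: %s" % summary["sa_deleted"],
             "retransmits: phase1=%d phase2=%d" % (summary["retransmits"][1], summary["retransmits"][2])]
    lines += ["%s x%d" % (k, v) for k, v in summary["errors"].items()]
    lines += ["check: " + c for c in summary["checklist"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(analyze_isakmp_debug(SAMPLE_DEBUG)))
```

Run against the capture in the original post it reports a phase 2 stall with two hash verification failures and two Quick Mode retransmits, which is exactly the "phase 1 ok, phase 2 not" picture the poster described; the checklist then points at the Phase 2 proposal and NAT-T settings rather than the pre-shared key.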
 