[FW1] Unsuccessful VPN from Cisco PIX to FW1 4.1 SP2

I have been unsuccessful in connecting Cisco PIX to Checkpoint FW1. I got through level 1 handshaking, but never through level 2. The error condition that is shown by the PIX log is

ISAKMP: reserved not zero on payload 5!

The fix is to switch to checkpoint. Cisco support spent 8 - 10 hours supporting us. But we did not find the magic incantation.

One thing is clear. Managing the checkpoint FW through a GUI is much much much easier than the command line interface to the PIX.

FYI, here is the error state.

This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41716 [VPN + DES + STRONG]

greg

Crypto_isakmp_process_block: src ..xxx.xxx, dest xxx.xxx.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Return status is IKMP_NO_ERROR
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 8
        type : 1
        protocol : 17
        port : 500
        length : 8
ISAKMP (0): Total payload length: 12
Return status is IKMP_NO_ERROR
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer node for xxx.xxx.xxx.xxx
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to xxx.xxx.xxx.xxx. ID = -459157782 (0xe4a1ce ba)
modecfg: sa: 812e5898, new mess id= e4a1ceea
Return status is IKMP_NO_ERROR
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
ISAKMP: reserved not zero on payload 5!
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
ISAKMP: reserved not zero on payload 5!
IPSEC(ipsec_encap): crypto map check deny

_______________________________________________________________
Greg Polanski
ADC Telecommunications, Inc
Minneapolis, MN
_______________________________________________________________
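
Added example, not part of the original post and not Cisco or Check Point code: RFC 2408 gives every ISAKMP payload a generic header (next payload, RESERVED, length) whose RESERVED byte must be zero, and this sketch walks a payload chain and reports the condition the log line names. It assumes the "5" in the message is the payload type (5 = Identification); the address 192.0.2.1 and the all-zero hash are constructed placeholders.

```python
import struct

# Payload type numbers from RFC 2408 section 3.1 (subset).
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE"}

def build_payload(next_type, body, reserved=0):
    """Generic payload header (next payload, RESERVED, length) plus body."""
    return struct.pack("!BBH", next_type, reserved, 4 + len(body)) + body

def walk_payloads(first_type, data):
    """Walk a payload chain and return (parsed, error).

    parsed is a list of (type, name, length) for payloads accepted so far;
    error is None, or a string naming the first header that failed a check.
    """
    parsed, ptype, offset = [], first_type, 0
    while ptype != 0:  # next payload 0 ends the chain
        if offset + 4 > len(data):
            return parsed, f"truncated header on payload {ptype}"
        next_type, reserved, length = struct.unpack_from("!BBH", data, offset)
        if reserved != 0:
            return parsed, f"reserved not zero on payload {ptype}"
        if length < 4 or offset + length > len(data):
            return parsed, f"bad length {length} on payload {ptype}"
        parsed.append((ptype, PAYLOAD_NAMES.get(ptype, "?"), length))
        ptype, offset = next_type, offset + length
    return parsed, None

# Constructed sample: the ID body uses the values the log prints (type 1 =
# ID_IPV4_ADDR, protocol 17, port 500); 192.0.2.1 and the all-zero
# 20-byte hash are placeholders, not values from the post.
ID_BODY = struct.pack("!BBH", 1, 17, 500) + bytes([192, 0, 2, 1])
HASH_BODY = bytes(20)
GOOD = build_payload(8, ID_BODY) + build_payload(0, HASH_BODY)
BAD = build_payload(8, ID_BODY, reserved=0x5A) + build_payload(0, HASH_BODY)

if __name__ == "__main__":
    print(walk_payloads(5, GOOD))  # both payloads accepted, no error
    print(walk_payloads(5, BAD))   # stops at the first header
```

The 8-byte ID body plus the 4-byte generic header gives the "Total payload length: 12" shown in the log.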