We managed to get the VPN to connect. The problem was that the PIX was configured to do AH and ESP encapsulation, but the Contivity only did ESP. Changed the PIX and everything started working... but we have a new issue.

The PIX is bringing up tons (more specifically hundreds) of tunnels and, according to my IS guys, is reporting something like 180 networks behind the VPN (I have but one, and am doing no routing whatsoever). I have been thus far unable to get them to clarify exactly what that (reporting 180 networks...) means. My biggest wonderment though is why the PIX is bringing up multiple tunnels. The IS folks are saying that it appears to them that the PIX takes the tunnel down, but the Contivity doesn't know about it, leaving the Contivity with what they call "ghost tunnels". When the PIX needs to connect again, a new tunnel is brought up. I am told that the Contivity is "several revisions back coded", but an upgrade has been applied and it is just a matter of change control to actually cut over to the new code (hence why no one has called Nortel yet, as they are likely going to say upgrade the code).

Any ideas on this new aspect of VPN hell? :-)

TIA

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 02:41
To: [EMAIL PROTECTED]
Subject: Fw: VPN between PIX and Contivity 4500

1.
>firewall(config)# show crypto isakmp sa
>Total : 1
>Embryonic : 1
> dst src state pending created
> 1.1.1.1 2.2.2.2 MM_KEY_EXCH 0 0

Your VPN connection is in state MM_KEY_EXCH = Key exchange. When the VPN connection is built, the state changes to QM_IDLE.

2. Did you try both commands?
debug crypto ipsec
debug crypto isakmp
Please send more debug logs.

3.
>ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
>return status is IKMP_NO_ERRORs= 0x4004

Debug log from my working VPN connection:
....
ISAKMP (0): Checking ISAKMP transform 1 against priority 9 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
....

>My question is that last line, ID_FQDN.
.....

I use "isakmp identity address" and in my debug this line appears:
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

In the examples at www.cisco.com where "isakmp identity hostname" is used, there is the debug line "ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN".

So I think there is a problem with the command "isakmp identity address". Is something similar configured on the Nortel Contivity 4500 Extranet switch? When configuring a PIX to PIX VPN tunnel, you have to use this command on both sides of the tunnel.

Martin
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
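As an added example (not code from either poster), a small Python script that parses "show crypto isakmp sa" output and ISAKMP debug lines in the formats quoted in this thread and flags the symptoms discussed: a phase 1 SA stuck short of QM_IDLE, more than one established SA for the same peer pair (what the PIX side of a "ghost tunnel" pile-up looks like), and a peer identity type other than the ID_IPV4_ADDR that "isakmp identity address" should produce. The sample output, the debug line and the expected identity type are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout the thread quotes from "show crypto isakmp sa".
SHOW_ISAKMP_SA = """\
Total     : 4
Embryonic : 1
        dst           src        state     pending     created
    1.1.1.1       2.2.2.2    QM_IDLE         0           1
    1.1.1.1       2.2.2.2    QM_IDLE         0           1
    1.1.1.1       2.2.2.2    MM_KEY_EXCH     0           0
    1.1.1.1       3.3.3.3    QM_IDLE         0           1
"""

# Constructed debug lines in the format quoted in the thread.
DEBUG_LOG = """\
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
"""

SA_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
ID_TYPE = re.compile(r"using id type (ID_\w+)")


def parse_isakmp_sa(text):
    """Return (dst, src, state) tuples for each SA row; header and totals are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            sas.append((m.group(1), m.group(2), m.group(3)))
    return sas


def find_issues(sa_text, debug_text, expected_id_type="ID_IPV4_ADDR"):
    """Flag phase 1 not reaching QM_IDLE, duplicate established SAs per peer pair
    (stale tunnels), and an identity type that does not match the expected one."""
    issues = []
    sas = parse_isakmp_sa(sa_text)
    for dst, src, state in sas:
        if state != "QM_IDLE":
            issues.append(f"{dst}<->{src}: phase 1 not complete, state {state}")
    per_peer = Counter((dst, src) for dst, src, state in sas if state == "QM_IDLE")
    for (dst, src), n in per_peer.items():
        if n > 1:
            issues.append(f"{dst}<->{src}: {n} established SAs for one peer pair, check for stale tunnels")
    for id_type in ID_TYPE.findall(debug_text):
        if id_type != expected_id_type:
            issues.append(f"peer identified as {id_type}, expected {expected_id_type}; check 'isakmp identity' on both ends")
    return issues
```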
