1.
>firewall(config)# show crypto isakmp sa
>Total     : 1
>Embryonic : 1
>        dst            src         state     pending    created
>  1.1.1.1           2.2.2.2     MM_KEY_EXCH  0           0
 
Your VPN connection is in state MM_KEY_EXCH = Key exchange.
When the VPN connection is built, the state changes to QM_IDLE.
 

2.
Did you try both commands?
debug crypto ipsec
debug crypto isakmp
Please send more debug logs.
 
3.
>ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
>return status is IKMP_NO_ERRORs= 0x4004
 
Debug log from my working VPN connection:
....
ISAKMP (0): Checking ISAKMP transform 1 against priority 9 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
....
 
>My question is that last line, ID_FQDN. .....
I use "isakmp identity address" and the following line appears in my debug:
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
 
In the examples at www.cisco.com where "isakmp identity hostname" is used,
there is the debug line "ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN".
So I think there is a problem with the command "isakmp identity address".
Is something similar configured on the Nortel Contivity 4500 Extranet switch?
When configuring a PIX to PIX VPN tunnel, you have to use this command on both sides of the tunnel.
 

MatoBo
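
The two checks from this message (SA state and ID type in the debug), as an added example that is not part of the original post. The function names are hypothetical, the identity-to-ID-type mapping is the one stated in the message, and the sample input is copied from the output quoted above.

```python
import re

# Mapping as stated in the message: the id type that each
# "isakmp identity" setting shows in the ISAKMP debug output.
IDENTITY_TO_ID_TYPE = {"address": "ID_IPV4_ADDR", "hostname": "ID_FQDN"}

# One row of the "show crypto isakmp sa" table: dst, src, state, pending, created.
SA_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([A-Z_]+)\s+\d+\s+\d+\s*$")
ID_LINE = re.compile(r"authentication using id type (ID_[A-Z0-9_]+)")

# Sample input copied from the quoted output in the message.
SAMPLE_SA = """\
>Total     : 1
>Embryonic : 1
>        dst            src         state     pending    created
>  1.1.1.1           2.2.2.2     MM_KEY_EXCH  0           0
"""
SAMPLE_DEBUG = (
    ">ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN\n")


def parse_sa_table(text):
    """Return (dst, src, state) tuples; a leading mail quote marker is ignored."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.lstrip(">"))
        if m:
            rows.append(m.groups())
    return rows


def diagnose(sa_text, debug_text, identity):
    """List findings for SAs not yet in QM_IDLE and for unexpected id types."""
    findings = []
    for dst, src, state in parse_sa_table(sa_text):
        if state != "QM_IDLE":
            findings.append(f"{src} -> {dst}: tunnel not built (state {state})")
    expected = IDENTITY_TO_ID_TYPE[identity]
    for seen in ID_LINE.findall(debug_text):
        if seen != expected:
            findings.append(f"debug shows id type {seen}; "
                            f"'isakmp identity {identity}' should show {expected}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SA, SAMPLE_DEBUG, "address"):
        print(finding)
```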
