I have been unsuccessful in connecting Cisco PIX to
Checkpoint FW1.  

I got through level 1 handshaking, but never through level 2.
The error condition that is shown by the PIX log is

ISAKMP: reserved not zero on payload 5!

The fix is to switch to checkpoint.

Cisco support spent 8 - 10 hours supporting us. But we did 
not find the magic incantation.  One thing is clear.
Managing the checkpoint FW through a GUI is much much much
easier than the command line interface to the PIX.

FYI, here is the error state.

This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41716
[VPN + DES + STRONG]


greg





Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
Return status is IKMP_NO_ERROR
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx 
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
       next-payload : 8
       type         : 1
       protocol     : 17
       port         : 500
       length       : 8
ISAKMP (0): Total payload length: 12
Return status is IKMP_NO_ERROR
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer node for xxx.xxx.xxx.xxx
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to xxx.xxx.xxx.xxx. ID = -459157782
(0xe4a1ce ba)modecfg: sa: 812e5898, new mess id= e4a1ceea

Return status is IKMP_NO_ERROR
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
ISAKMP: reserved not zero on payload 5!
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
ISAKMP: reserved not zero on payload 5!IPSEC(ipsec_encap): crypto map
check deny




_______________________________________________________________
Greg Polanski                    mailto:[EMAIL PROTECTED]
ADC Telecommunications, Inc.     952-946-2270
MS 85                            952-946-2465 FAX
PO Box 1101                      612-538-1833 pager
Minneapolis, MN  55440-1101      [EMAIL PROTECTED]
_______________________________________________________________
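
The "reserved not zero" line in the trace above corresponds to a sanity check on the ISAKMP generic payload header (RFC 2408, section 3.2), whose RESERVED byte must be zero. The following is an added example, not part of the original post and not Cisco or Check Point code: a payload-chain walker that applies that check to a constructed message. It assumes the number in the PIX message is the RFC 2408 payload type (5 = Identification); the function names, cookies and the 192.0.2.1 address are illustrative.

```python
import struct

# RFC 2408 section 3.1: cookies, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# RFC 2408 section 3.2: next payload, RESERVED (must be 0), payload length
GENERIC_HDR = struct.Struct("!BBH")
PAYLOAD_ID, PAYLOAD_HASH = 5, 8   # RFC 2408 payload type numbers

def check_payload_chain(msg: bytes) -> list[str]:
    """Walk the payload chain of a cleartext (or already decrypted) ISAKMP
    message and return a list of sanity-check findings; empty means clean."""
    if len(msg) < ISAKMP_HDR.size:
        return ["truncated ISAKMP header"]
    _, _, ptype, _, _, _, _, total = ISAKMP_HDR.unpack_from(msg)
    findings = []
    if total != len(msg):
        findings.append(f"header length {total} != datagram length {len(msg)}")
    off = ISAKMP_HDR.size
    while ptype != 0:                       # next-payload 0 ends the chain
        if off + GENERIC_HDR.size > len(msg):
            findings.append(f"truncated header on payload {ptype}")
            break
        nxt, reserved, plen = GENERIC_HDR.unpack_from(msg, off)
        if reserved != 0:
            findings.append(f"reserved not zero on payload {ptype}")
        if plen < GENERIC_HDR.size or off + plen > len(msg):
            findings.append(f"bad length {plen} on payload {ptype}")
            break
        off, ptype = off + plen, nxt
    return findings

def build_sample(reserved: int = 0) -> bytes:
    """Constructed message: ID payload (field values as in the trace), then HASH."""
    ident = struct.pack("!BBHBBH4s", PAYLOAD_HASH, reserved, 12,
                        1, 17, 500, bytes([192, 0, 2, 1]))  # ID_IPV4_ADDR, UDP/500
    digest = struct.pack("!BBH20s", 0, 0, 24, bytes(20))    # placeholder hash value
    body = ident + digest
    # version 1.0, exchange type 2 (Identity Protection / main mode), no flags
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, PAYLOAD_ID, 0x10, 2, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body

if __name__ == "__main__":
    print(check_payload_chain(build_sample()))      # well-formed message
    print(check_payload_chain(build_sample(0x7f)))  # RESERVED byte set in ID payload
```

For an encrypted message the walker has to run on the decrypted body; if decryption used the wrong key or IV, the bytes at the RESERVED and length positions are effectively random and checks like these fail.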

