Cisco to Juniper VPN - Vendor ID

  • Cisco to Juniper VPN - Vendor ID

    Hi Guys,
    I am trying to set up a VPN tunnel between my Cisco 837 (Version 12.2(13)ZH4) and my principal's Juniper on the other side. I can see they talk to each other and exchange keys, but the tunnel never goes up.
    As a test, I created another tunnel to Cisco 851 and it worked perfectly.

    I have been told by the Juniper's administrator to disable sending the vendor ID because of these entries in the isakmp debug log:
    ISAKMP (0:1): constructed NAT-T vendor-03 ID
    ISAKMP (0:1): constructed NAT-T vendor-02 ID
    processing vendor id payload
    vendor ID seems Unity/DPD but major 59 mismatch


    I searched around but I did not find how to disable sending the vendor ID on Cisco 837.

    Any clues?

    Thanks,
    Alex

  • #2
    debug crypto isakmp log:

    287: ISAKMP: received ke message (1/1)
    287: ISAKMP (0:0): SA request profile is (NULL)
    287: ISAKMP: local port 500, remote port 500
    287: ISAKMP: set new node 0 to QM_IDLE
    287: ISAKMP: insert sa successfully sa = 8151CF2C
    287: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
    291: ISAKMP: Looking for a matching key for xxx.xxx.xxx.xxx in default : success
    291: ISAKMP (0:1): found peer pre-shared key matching xxx.xxx.xxx.xxx
    291: ISAKMP (0:1): constructed NAT-T vendor-03 ID
    291: ISAKMP (0:1): constructed NAT-T vendor-02 ID
    291: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    291: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
    291: ISAKMP (0:1): beginning Main Mode exchange
    291: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
    379: ISAKMP (0:1): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_NO_STATE
    379: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    379: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
    379: ISAKMP (0:1): processing SA payload. message ID = 0
    379: ISAKMP (0:1): processing vendor id payload
    379: ISAKMP (0:1): vendor ID seems Unity/DPD but major 59 mismatch
    383: ISAKMP (0:1): processing vendor id payload
    383: ISAKMP (0:1): vendor ID is DPD
    383: ISAKMP (0:1): processing vendor id payload
    383: ISAKMP (0:1): vendor ID seems Unity/DPD but major 102 mismatch
    383: ISAKMP: Looking for a matching key for xxx.xxx.xxx.xxx in default : success
    383: ISAKMP (0:1): found peer pre-shared key matching xxx.xxx.xxx.xxx
    383: ISAKMP (0:1) local preshared key found
    383: ISAKMP : Scanning profiles for xauth ...
    383: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
    387: ISAKMP: encryption 3DES-CBC
    387: ISAKMP: hash SHA
    387: ISAKMP: default group 2
    387: ISAKMP: auth pre-share
    387: ISAKMP: life type in seconds
    387: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    387: ISAKMP (0:1): atts are acceptable. Next payload is 0
    611: ISAKMP (0:1): processing vendor id payload
    611: ISAKMP (0:1): vendor ID seems Unity/DPD but major 59 mismatch
    611: ISAKMP (0:1): processing vendor id payload
    615: ISAKMP (0:1): vendor ID is DPD
    615: ISAKMP (0:1): processing vendor id payload
    615: ISAKMP (0:1): vendor ID seems Unity/DPD but major 102 mismatch
    615: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    615: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
    619: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_SA_SETUP
    619: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    619: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
    703: ISAKMP (0:1): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_SA_SETUP
    703: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    703: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
    707: ISAKMP (0:1): processing KE payload. message ID = 0
    983: ISAKMP (0:1): processing NONCE payload. message ID = 0
    983: ISAKMP: Looking for a matching key for xxx.xxx.xxx.xxx in default : success
    983: ISAKMP (0:1): found peer pre-shared key matching xxx.xxx.xxx.xxx
    987: ISAKMP (0:1): SKEYID state generated
    987: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    987: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
    003: ISAKMP (0:1): Send initial contact
    003: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    003: ISAKMP (1): ID payload
    next-payload : 8
    type : 1
    addr : xxx.xxx.xxx.xxx
    protocol : 17
    port : 500
    length : 8
    003: ISAKMP (1): Total payload length: 12
    007: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH
    007: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    007: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
    087: ISAKMP (0:1): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH
    095: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    095: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
    095: ISAKMP (0:1): processing ID payload. message ID = 0
    095: ISAKMP (0:1): processing HASH payload. message ID = 0
    099: ISAKMP (0:1): SA has been authenticated with xxx.xxx.xxx.xxx
    099: ISAKMP (0:1): peer matches *none* of the profiles
    099: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    099: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6
    099: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    103: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
    103: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -347920718
    103: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE
    103: ISAKMP (0:1): Node -347920718, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    107: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
    107: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    107: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    187: ISAKMP (0:1): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE
    187: ISAKMP: set new node 2139258604 to QM_IDLE
    195: ISAKMP (0:1): processing HASH payload. message ID = 2139258604
    195: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
    spi 0, message ID = 2139258604, sa = 8151CF2C
    195: ISAKMP (0:1): peer does not do paranoid keepalives.
    195: ISAKMP (0:1): deleting SA reason "recevied fatal informational" state (I) QM_IDLE (peer xxx.xxx.xxx.xxx) input queue 0
    195: ISAKMP (0:1): deleting node 2139258604 error FALSE reason "informational (in) state 1"
    199: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    199: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    199: ISAKMP: set new node -1906347570 to QM_IDLE
    199: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE
    199: ISAKMP (0:1): purging node -1906347570
    199: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    199: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
    203: ISAKMP (0:1): deleting SA reason "" state (I) QM_IDLE (peer xxx.xxx.xxx.xxx) input queue 0
    203: ISAKMP (0:1): deleting node -347920718 error FALSE reason ""
    203: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    203: ISAKMP (0:1): Old State = IKE_DEST_SA New State = IKE_DEST_SA

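Added example, not part of either post: a small Python triage of `debug crypto isakmp` output, run over an excerpt of the lines posted in #2. It reports whether phase 1 completed, which NOTIFY the peer sent and in which phase, and how many vendor ID mismatch lines appeared; the function name `triage` and the phase heuristic are assumptions of this example.

```python
import re

# Excerpt of the debug lines posted above (peer address masked as on the page).
SAMPLE_LOG = """\
291: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
379: ISAKMP (0:1): vendor ID seems Unity/DPD but major 59 mismatch
383: ISAKMP (0:1): vendor ID is DPD
383: ISAKMP (0:1): vendor ID seems Unity/DPD but major 102 mismatch
387: ISAKMP (0:1): atts are acceptable. Next payload is 0
099: ISAKMP (0:1): SA has been authenticated with xxx.xxx.xxx.xxx
103: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
103: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -347920718
107: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
195: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
195: ISAKMP (0:1): deleting SA reason "recevied fatal informational" state (I) QM_IDLE (peer xxx.xxx.xxx.xxx) input queue 0
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+)")
VID_RE = re.compile(r"vendor ID seems .* mismatch")
DELETE_RE = re.compile(r'deleting SA reason "([^"]*)"')

def triage(log_text):
    """Summarise where an ISAKMP negotiation stopped."""
    r = {"phase1_complete": False, "quick_mode_started": False,
         "vendor_id_mismatches": 0, "notify": None,
         "notify_phase": None, "delete_reason": None}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m and m.group(2) == "IKE_P1_COMPLETE":
            r["phase1_complete"] = True
        if "beginning Quick Mode exchange" in line:
            r["quick_mode_started"] = True
        if VID_RE.search(line):
            r["vendor_id_mismatches"] += 1
        m = NOTIFY_RE.search(line)
        if m and r["notify"] is None:
            r["notify"] = m.group(1)
            # Heuristic (assumption): a NOTIFY after IKE_P1_COMPLETE is phase 2.
            r["notify_phase"] = 2 if r["phase1_complete"] else 1
        m = DELETE_RE.search(line)
        if m and r["delete_reason"] is None:
            r["delete_reason"] = m.group(1)
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt it reports phase 1 complete, two vendor ID mismatch lines, and a `PROPOSAL_NOT_CHOSEN` notify received during Quick Mode.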