[VPN] debug string of isakmp

Engelhard M. Labiro engelhard at netmarks.co.jp
Wed Nov 6 02:46:37 EST 2002


Hi Alberto,

From the following line:

> ISAKMP: unsupported proxy id type IPV4_ADDR_RANGE

Seems like the other end of PIX501 is trying to negotiate a Phase2 SA
with a network using an IP address range. "IP Addr range" means a range
of IP addresses, something like this one: "10.1.1.1 to 10.1.1.11".
It doesn't use VLSM to subnet the network. As far as I know,
to negotiate a Phase 2, one can use "a host", "a network" or "an IP
address range". I think the PIX doesn't support "an IP address range"
yet, that's why it couldn't match the proposal that the other end
offered. You may check the other end of VPN device and try changing to
a VLSM subnetted network instead.
Someone should correct me if I am wrong.

Regards,
Engel.



On Sun, 3 Nov 2002 12:00:59 +0100
"Alberto Pesce" <palberto at libero.it> wrote:

> Hello to everybody!
> I have a problem: I'm trying to debug a VPN on CISCO PIX501
> 
> After the ping made by a host on the network of PIX 501 I get what follows:
> How can I interpret them?
> 
> debug crypto isakmp
> .....
> ISAKMP: unsupported proxy id type IPV4_ADDR_RANGE
> ISAKMP: IPSec policy invalidated proposal
> ISAKMP (0): SA not acceptable!
> ISAKMP (0): sending NOTIFY message 14 protocol 3
> return status is IKMP_ERR_NO_RETRANS
> crypto_isakmp_process_block: src A.xxx.xxx.xxx, dest B.xxx.xxx.xxx
> ISAKMP (0): processing DELETE payload. message ID = 2276755429
> ISAKMP (0): deleting SA: src B.xxx.xxx.xxx, dst A.xxx.xxx.xxx
> return status is IKMP_NO_ERR_NO_TRANS
> ISADB: reaper checking SA 0x80948730, conn_id = 0  DELETE IT!
> 
> I hope I have given you all the information in order to let you help me.
> I wait for your suggestions,
> 
> Thank You
> 
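
The three proxy ID forms named in the reply (host, network, address range), as an added example that is not part of the original messages and is not PIX code: it decodes an IPv4 ID payload body and shows which subnets a range would have to be rewritten as. The layout and type numbers (1, 4, 7) follow the IPsec DOI, RFC 2407 section 4.6.2.1; the function names and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

# IPv4 ID types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_NAMES = {1: "IPV4_ADDR", 4: "IPV4_ADDR_SUBNET", 7: "IPV4_ADDR_RANGE"}


def parse_proxy_id(body: bytes):
    """Decode an ID payload body: type(1) | protocol(1) | port(2) | data."""
    if len(body) < 4:
        raise ValueError("ID payload body is shorter than its 4-byte header")
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    name = ID_NAMES.get(id_type)
    if name == "IPV4_ADDR" and len(data) == 4:
        first = last = ipaddress.IPv4Address(data)
    elif name == "IPV4_ADDR_SUBNET" and len(data) == 8:
        # address + netmask; a non-contiguous mask or set host bits raises ValueError
        net = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(data[:4])}/{ipaddress.IPv4Address(data[4:])}")
        first, last = net[0], net[-1]
    elif name == "IPV4_ADDR_RANGE" and len(data) == 8:
        first, last = ipaddress.IPv4Address(data[:4]), ipaddress.IPv4Address(data[4:])
        if first > last:
            raise ValueError("range start is above range end")
    else:
        raise ValueError(f"unsupported or malformed ID type {id_type}")
    return name, proto, port, first, last


def subnet_equivalents(first, last):
    """Return (exact CIDR list, smallest single covering subnet, extra addresses)."""
    exact = list(ipaddress.summarize_address_range(first, last))
    cover = ipaddress.ip_network(f"{first}/32")
    while last not in cover:
        cover = cover.supernet()
    extra = cover.num_addresses - (int(last) - int(first) + 1)
    return exact, cover, extra


# Constructed sample: the range from the reply, 10.1.1.1 to 10.1.1.11, any protocol/port
SAMPLE = (struct.pack("!BBH", 7, 0, 0) + ipaddress.IPv4Address("10.1.1.1").packed
          + ipaddress.IPv4Address("10.1.1.11").packed)

if __name__ == "__main__":
    name, proto, port, first, last = parse_proxy_id(SAMPLE)
    exact, cover, extra = subnet_equivalents(first, last)
    print(name, first, last, [str(n) for n in exact], cover, extra)
```

For the sample range, the single covering subnet 10.1.1.0/28 admits 5 addresses outside the original range, so the four exact prefixes are the tighter choice where both devices accept multiple selectors.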




