IPSec Interconnection Fails between the SVN3000 and Nortel Device

Latest reply: Apr 13, 2016 08:56:30
The IPSec VPN connection between the SVN3000 and Nortel device passed phase 1 but failed phase 2 of IKE negotiation.
IKE negotiation failure information:
Failure in phase 2 of IKE negotiation:
[SVN3000]dis ike sa
connection-id  peer          flag  phase  doi
----------------------------------------------
116                          NONE  2      IPSEC
115            10.10.3.75    RD    1      IPSEC
Alarm Information
None

Osaideo Created Apr 13, 2016 08:56:30

Handling Process
The SVN3000 cannot interconnect with the Nortel device because the Nortel device does not support the IPSec protocol used by the SVN3000.
Solution 1:
Replace the Nortel device, or use a security device that supports the standard IPSec protocol.
Solution 2:
Develop new software that supports the non-standard IPSec negotiation for interconnecting with the Nortel device.
Root Cause
When this problem occurs, run the Debug command, and then capture the packets for analysis.
1. Run the Debug command.
The following information is displayed on the Nortel device.

*15:35:58 tEvtLgMgr 0 : tIsakmp [03] Error notification (No proposal chosen) received from 10.10.3.77
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] No SPI on Notify message after Phase 1 - dropping it
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] Error notification (No proposal chosen) received from 10.10.3.77
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] No SPI on Notify message after Phase 1 - dropping it

The information shows that no proposal is available.
2. Capture and analyze the packets.


It is concluded that the Nortel device cannot identify the IPSec protocol used by the SVN3000. After the SVN3000 sends packets and informs the Nortel device that the packets carry a NAT-D payload, the Nortel device responds with the message "illegal type of payload".
Solution
Suggestions
The SVN3000 supports only the tunnel encapsulation mode, whereas the Nortel device supports only the transport encapsulation mode.
The Nortel device uses a non-standard IPSec protocol, which causes the interconnection failure. R&D has no plan to develop a customized software version for interconnecting with the Nortel device. Therefore, the only solution is to replace the Nortel device in the IPSec VPN connection.
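
The triage done by hand in this case can be scripted. The following is an added example, not part of the original post and not Huawei or Nortel tooling: it counts the ISAKMP error notifications in the Nortel debug log and checks the "dis ike sa" rows for a ready phase 1 SA with no ready phase 2 SA. The function names are hypothetical, the sample input is the text shown in the post, and reading the RD flag as "ready" is an assumption.

```python
import re
from collections import Counter

# The four debug lines from the post, in the Nortel log format shown there.
NORTEL_LOG = """\
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] Error notification (No proposal chosen) received from 10.10.3.77
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] No SPI on Notify message after Phase 1 - dropping it
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] Error notification (No proposal chosen) received from 10.10.3.77
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] No SPI on Notify message after Phase 1 - dropping it
"""
# The two SA rows from the post's "dis ike sa" output (the peer of 116 is blank there).
IKE_SA = """\
116 NONE 2 IPSEC
115 10.10.3.75 RD 1 IPSEC
"""

NOTIFY_RE = re.compile(
    r"tIsakmp \[\d+\] Error notification \((?P<reason>[^)]+)\) "
    r"received from (?P<peer>\d{1,3}(?:\.\d{1,3}){3})")
DROP_RE = re.compile(r"tIsakmp \[\d+\] No SPI on Notify message after Phase 1")

def summarize_notifies(log_text):
    """Count error notifications per (peer, reason) and dropped notifies."""
    notifies, dropped = Counter(), 0
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            notifies[(m["peer"], m["reason"])] += 1
        elif DROP_RE.search(line):
            dropped += 1
    return notifies, dropped

def parse_ike_sa(table_text):
    """Return (conn_id, peer_or_None, flag, phase) per row; header lines are skipped."""
    rows = []
    for line in table_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].isdigit() or not tok[-2].isdigit():
            continue
        peer = tok[1] if len(tok) >= 5 else None
        rows.append((int(tok[0]), peer, tok[-3], int(tok[-2])))
    return rows

def phase2_stalled(rows):
    """True when a phase 1 SA is ready but no phase 2 SA is.
    Assumption: flag RD means the SA is ready, as on the post's phase 1 row."""
    ready = {phase for _, _, flag, phase in rows if flag == "RD"}
    return 1 in ready and 2 not in ready

if __name__ == "__main__":
    print(summarize_notifies(NORTEL_LOG), phase2_stalled(parse_ike_sa(IKE_SA)))
```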