Firewall Wizards mailing list archives
RE: Symantec firewall/vpn & Nortel Contivity 2700 branch office tunnel
From: TSimons () Delphi-Tech com
Date: Sat, 15 Nov 2003 08:34:20 -0500
Looking at your last log line:

11/12/2003 14:35:35 0 ISAKMP [03] Unprotected Notify: Invalid SPI in proposal in message from XX.XX.XX.X being dropped

...try going into the advanced settings on the 200R and adjusting the SPI level.

Also, please post all the VPN settings (IKE and ISAKMP), and post the logs replacing each firewall's IP with a unique string, i.e. Nortel = N.N.N.N; SFVA200R = S.S.S.S

In my experience, the Nortel will have to throw out the renegotiation, so all timeout values should be lower on the Nortel than the SFVA200R.

I just worked through Symantec support with this (except with a global tunnel to a VR1100) ...so I'm pretty versed in the 200R, and can try to help with your Nortel issues with more details.

Thanks,
~Todd

-----Original Message-----
From: Scott Thomas
To: firewall-wizards () honor icsalabs com
Sent: 11/14/2003 10:31 AM
Subject: [fw-wiz] Symantec firewall/vpn & Nortel Contivity 2700 branch office tunnel

Does anyone have any advice on getting a Symantec firewall/vpn 200R version V1.R5T to talk to a Nortel Contivity 2700? The IPsec settings seem to be the same on both ends but it is producing this error:

11/12/2003 14:35:34 0 BoTest [01] ---------------Branch Office Test Initiated: [XX.XX.XXX.XXX:XX.XX.X.XXX]---------------
11/12/2003 14:35:34 0 BoTest [01] o Initiating the first connection within the branch-office tunnel....
11/12/2003 14:35:34 0 Branch Office [01] IPSEC branch office connection initiated to rem[XX.XX.XX.X-255.255.255.0]@[XX.XX.XX.X] loc[XX.XX.XX.X-255.255.255.240]
11/12/2003 14:35:34 0 Security [11] Session: IPSEC[XX.XX.XX.X] attempting login
11/12/2003 14:35:34 0 Security [01] Session: IPSEC[XX.XX.XX.X] has no active sessions
11/12/2003 14:35:34 0 Security [01] Session: IPSECXX.XX.XX.X] Optimal has no active accounts
11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 SHARED-SECRET authenticate attempt...
11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 attempting authentication using LOCAL
11/12/2003 14:35:35 0 Security [11] Session: IPSEC[XX.XX.XX.X]:213330 authenticated using LOCAL
11/12/2003 14:35:35 0 Security [11] Session: IPSEC[XX.XX.XX.X]:213330 bound to group /Base/i2_3rd_party_Symantec/Optimal
11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 using group filter permit all
11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 LOCAL IN FILTER 1 permit UDP any any EQ 67 FILTER 1 permit UDP any any EQ 68
11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 LOCAL IN FILTER 1 permit UDP any any EQ 67 FILTER 1 permit UDP any any EQ 68
11/12/2003 14:35:35 0 Security [11] Session: IPSEC[XX.XX.XX.X]:213330 authorized
11/12/2003 14:35:35 0 Security [11] Session: network IPSEC[XX.XX.XX.X-255.255.255.0] attempting login
11/12/2003 14:35:35 0 Security [11] Session: network IPSEC[XX.XX.XX.X-255.255.255.0] logged in from gateway [XX.XX.XX.X]
11/12/2003 14:35:35 0 ISAKMP [02] ISAKMP SA established with XX.XX.XX.X
11/12/2003 14:35:35 0 ISAKMP [03] Unprotected Notify: Invalid SPI in proposal in message from XX.XX.XX.X being dropped

TIA
Scott

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
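Added example, not part of the original messages: one way to prepare logs for posting as the reply asks, replacing each distinct address with its own stable label so a reader can still tell the peers apart, while leaving netmasks readable. The names redact, is_netmask, SAMPLE and KNOWN are hypothetical, the sample lines are constructed in the layout of the log above using RFC 5737 documentation addresses, and treating the remote gateway as the 200R is an assumption.

```python
import ipaddress
import itertools
import re

# Dotted quad that is not embedded in a longer run of digits and dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def is_netmask(text):
    """True for contiguous masks such as 255.255.255.240 (kept readable)."""
    bits = int(ipaddress.IPv4Address(text))
    inverted = bits ^ 0xFFFFFFFF
    return bits != 0 and (inverted & (inverted + 1)) == 0

def redact(log_text, known=None):
    """Return (redacted_text, mapping); an address always gets the same label.

    known maps real addresses to chosen labels, e.g. the two gateways.
    Other addresses become ADDR-1, ADDR-2, ... in order of first appearance.
    """
    mapping = dict(known or {})
    counter = itertools.count(1)

    def swap(match):
        text = match.group(1)
        try:
            if is_netmask(text):
                return text
        except ValueError:
            return text  # not a valid IPv4 address, leave untouched
        if text not in mapping:
            mapping[text] = "ADDR-%d" % next(counter)
        return mapping[text]

    return IPV4.sub(swap, log_text), mapping

# Constructed sample lines (not taken from the thread).
SAMPLE = """\
11/12/2003 14:35:34 0 Branch Office [01] IPSEC branch office connection initiated to rem[192.0.2.0-255.255.255.0]@[198.51.100.7] loc[203.0.113.16-255.255.255.240]
11/12/2003 14:35:35 0 ISAKMP [02] ISAKMP SA established with 198.51.100.7
11/12/2003 14:35:35 0 ISAKMP [03] Unprotected Notify: Invalid SPI in proposal in message from 198.51.100.7 being dropped"""

# Assumption: the remote gateway in these lines is the Symantec 200R.
KNOWN = {"198.51.100.7": "S.S.S.S"}

if __name__ == "__main__":
    text, mapping = redact(SAMPLE, KNOWN)
    print(text)
    print(mapping)  # keep this mapping private; post only the redacted text
```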
Current thread:
- RE: Symantec firewall/vpn & Nortel Contivity 2700 branch office tunnel TSimons (Nov 16)