This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

cisco to asl

Hi,

I try using cisco router as VPN client in NET to NET connection. I use router cisco 831 for internet connection. I use NAT to hide clients behind router. When I try to establish VPN connection on ASL side I receive this message:

protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0

Thanks

This thread was automatically locked due to age.

0 Ken Bantoft over 22 years ago

The Cisco appears to have a buggy IPSec implementation:

RFC 2407, section 4.6.2 states :

  During Phase 1 negotiations, the ID port and protocol fields MUST be
  set to zero or to UDP port 500.  If an implementation receives any
  other values, this MUST be treated as an error and the security
  association setup MUST be aborted.

So the Cisco is proposing UDP port 0, which according to the RFC is invalid.

Open a TAC call with Cisco...
Cancel
Vote Up 0 Vote Down

Cancel
0 ojrad over 22 years ago in reply to Ken Bantoft

Hi,

Is it possible that this behavior is connected with NAT?

It seems that others have the same problems connectiong  cisco routers 800 series with Frees/wan. It is posible to resolve the problem patching the fress/wan so that accepts 17/0 connections.

Can we expect this patch in Astaro (I know it is not valid)?

                                                                    Ojrad
Cancel
Vote Up 0 Vote Down

Cancel