Old 12th April 2011
copetts (New User, Join Date: Apr 2011, Posts: 2)

Thank you for your reply

I think that this is not the case; in my ipsec.conf I don't use the hmac-sha2 protocol.
In the meantime I've found the solution to the error:
Apr 8 16:20:37 fire1 isakmpd[18227]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.0/255.0.0.0, responder id 172.16.196.16/255.255.255.240
Apr 8 16:20:37 fire1 isakmpd[18227]: dropped message from <remotefw> port 500 due to notification type INVALID_ID_INFORMATION

I also added the NAT IP address in the ipsec.conf:
ike esp from { 172.16.196.16/28, 172.16.1.0/24, 172.29.128.96/27, 172.20.44.224/27, 172.20.43.192/27 } to 10.0.0.0/8 local <myfw_pub_ip> peer <remotefw_pub_ip> \
main auth hmac-md5 enc 3des quick auth hmac-md5 enc 3des group none psk XXXXXXXXXX
and I've tried to change modp1024 to none to fix the second error; it seems to work fine, but sometimes an error still appears:

isakmpd[27703]: message_parse_payloads: reserved field non-zero: 5
Apr 12 12:06:39 fire1 isakmpd[27703]: dropped message from <remotefw> port 500 due to notification type PAYLOAD_MALFORMED
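As an added troubleshooting example, not part of copetts's post and not isakmpd's own code: the script below parses the two kinds of isakmpd messages quoted above and checks whether the phase 2 IDs the peer proposed are covered by the from/to networks of the ipsec.conf ike rule, which is what the INVALID_ID_INFORMATION notification comes down to. The log lines and ike lines are reconstructed here, with 198.51.100.7 and 203.0.113.1 (documentation addresses) standing in for <remotefw> and <myfw_pub_ip>; the "before" ike line omits 172.16.196.16/28 to reproduce the mismatch, the "after" line includes it as in the post. It assumes, as the post's fix suggests, that on the responder the initiator ID is the peer's network (the "to" side), the responder ID is the local network (the "from" side), and each must match a configured network exactly. PAYLOAD_MALFORMED drops are only tallied per peer; the script does not try to explain them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample isakmpd log lines, modelled on the ones quoted in the post.
# 198.51.100.7 stands in for <remotefw>; it is a documentation address, not a real peer.
SAMPLE_LOG = """\
Apr 8 16:20:37 fire1 isakmpd[18227]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.0/255.0.0.0, responder id 172.16.196.16/255.255.255.240
Apr 8 16:20:37 fire1 isakmpd[18227]: dropped message from 198.51.100.7 port 500 due to notification type INVALID_ID_INFORMATION
Apr 12 12:06:39 fire1 isakmpd[27703]: message_parse_payloads: reserved field non-zero: 5
Apr 12 12:06:39 fire1 isakmpd[27703]: dropped message from 198.51.100.7 port 500 due to notification type PAYLOAD_MALFORMED
"""

# Constructed ipsec.conf 'ike' lines: before and after adding the 172.16.196.16/28 network.
# 203.0.113.1 stands in for <myfw_pub_ip>; auth/enc/psk options are omitted for brevity.
IKE_LINE_BEFORE = ("ike esp from { 172.16.1.0/24, 172.29.128.96/27 } to 10.0.0.0/8 "
                   "local 203.0.113.1 peer 198.51.100.7")
IKE_LINE_AFTER = ("ike esp from { 172.16.196.16/28, 172.16.1.0/24, 172.29.128.96/27 } to 10.0.0.0/8 "
                  "local 203.0.113.1 peer 198.51.100.7")

PHASE2_RE = re.compile(r"peer proposed invalid phase 2 IDs: initiator id (\S+), responder id (\S+)")
NOTIFY_RE = re.compile(r"dropped message from (\S+) port \d+ due to notification type (\w+)")
FLOW_RE = re.compile(r"\bfrom\s+(\{[^}]*\}|\S+)\s+to\s+(\{[^}]*\}|\S+)")


def parse_net(text):
    """Parse an isakmpd ID ('addr/dotted-mask') or an ipsec.conf network ('addr/prefix')."""
    return ipaddress.ip_network(text.strip(), strict=False)


def parse_flow_side(text):
    """Parse one side of an ike flow, '{ a, b }' or a single network, into a set of networks."""
    return {parse_net(p) for p in text.strip("{} ").split(",") if p.strip()}


def parse_ike_line(line):
    """Return (local_nets, remote_nets) from an ipsec.conf 'ike ... from X to Y ...' line."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError("no 'from ... to ...' flow found in ike line")
    return parse_flow_side(m.group(1)), parse_flow_side(m.group(2))


def proposed_phase2_ids(log_text):
    """Extract (initiator_id, responder_id) network pairs from rejected phase 2 proposals."""
    pairs = []
    for line in log_text.splitlines():
        m = PHASE2_RE.search(line)
        if m:
            pairs.append((parse_net(m.group(1)), parse_net(m.group(2))))
    return pairs


def notification_counts(log_text):
    """Count 'dropped message' notifications per (peer address, notification type)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def check_phase2_ids(ike_line, log_text):
    """
    Compare every rejected phase 2 ID pair against the configured flow.
    Assumption: on the responder, the initiator ID is the peer's network (the 'to' side)
    and the responder ID is our own network (the 'from' side); each must match a configured
    network exactly. Returns a list of human-readable problems (empty means all IDs match).
    """
    local_nets, remote_nets = parse_ike_line(ike_line)
    problems = []
    for initiator_id, responder_id in proposed_phase2_ids(log_text):
        if responder_id not in local_nets:
            problems.append(f"responder id {responder_id} is missing from the 'from' set")
        if initiator_id not in remote_nets:
            problems.append(f"initiator id {initiator_id} is missing from the 'to' set")
    return problems


if __name__ == "__main__":
    for label, line in (("before", IKE_LINE_BEFORE), ("after", IKE_LINE_AFTER)):
        print(label, check_phase2_ids(line, SAMPLE_LOG) or "phase 2 IDs match the configured flow")
    for (peer, ntype), n in sorted(notification_counts(SAMPLE_LOG).items()):
        print(f"{peer} {ntype} x{n}")
```

Run against real logs, the same check tells you which side of the ike rule is missing a network when isakmpd reports INVALID_ID_INFORMATION, and the per-peer notification tally makes a recurring PAYLOAD_MALFORMED from one peer stand out from a one-off.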