IPSec Interconnection Fails between the SVN3000 and Nortel Device

Publication Date: 2012-07-20
Issue Description
The IPSec VPN connection between the SVN3000 and Nortel device passed phase 1 but failed phase 2 of IKE negotiation.
IKE negotiation failure information:
Failure in phase 2 of IKE negotiation:
[SVN3000]dis ike sa
connection-id  peer        flag  phase  doi
-------------------------------------------
116                        NONE  2      IPSEC
115            10.10.3.75  RD    1      IPSEC
Alarm Information
None
Handling Process
The SVN3000 cannot interconnect with the Nortel device because the Nortel device does not support the IPSec protocol used by the SVN3000.
Solution 1:
Replace the Nortel device, or use a security device that supports the standard IPSec protocol.
Solution 2:
Develop new software that supports the non-standard IPSec negotiation for interconnecting with the Nortel device.
Root Cause
When this problem occurs, run the Debug command, and then capture the packets for analysis.
1. Run the Debug command.
The following information is displayed on the Nortel device:

*15:35:58 tEvtLgMgr 0 : tIsakmp [03] Error notification (No proposal chosen) received from 10.10.3.77
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] No SPI on Notify message after Phase 1 - dropping it
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] Error notification (No proposal chosen) received from 10.10.3.77
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] No SPI on Notify message after Phase 1 - dropping it

The notifications show that no proposal was chosen, so the negotiation cannot proceed past phase 1.
2. Capture and analyze the packets.
From the captured packets it is concluded that the Nortel device cannot identify the IPSec protocol used by the SVN3000: after the SVN3000 sends packets indicating that they carry a NAT-D payload, the Nortel device responds with the message "illegal type of payload".
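To triage the same symptom on other tunnels, the following added Python script (not part of this case or of the SVN3000 software) parses the two artefacts shown above, the "dis ike sa" table and the Nortel tIsakmp notifications, and flags the phase-1-up, phase-2-rejected pattern. The sample strings are constructed from the output quoted in this case, and the flag regex assumes the RD/NONE flag values shown there.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples taken from the case above: the SVN3000 "dis ike sa" table
# (columns realigned) and two of the Nortel tIsakmp debug lines.
IKE_SA_OUTPUT = """\
connection-id  peer        flag  phase  doi
-------------------------------------------
116                        NONE  2      IPSEC
115            10.10.3.75  RD    1      IPSEC
"""
NORTEL_LOG = """\
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] Error notification (No proposal chosen) received from 10.10.3.77
*15:35:58 tEvtLgMgr 0 : tIsakmp [03] No SPI on Notify message after Phase 1 - dropping it
"""

@dataclass
class IkeSa:
    conn_id: int
    peer: Optional[str]  # blank in the table when the SA never came up
    flag: str            # RD = ready, NONE = not established (values as shown in the case)
    phase: int
    doi: str

# One table row; the peer column may be empty, so it is an optional group.
SA_ROW = re.compile(r"^(\d+)\s+((?:\d{1,3}\.){3}\d{1,3})?\s*([A-Z|]+)\s+(\d)\s+(\S+)\s*$")
NO_PROPOSAL = re.compile(r"\(No proposal chosen\) received from (\S+)")

def parse_ike_sa(text: str) -> "list[IkeSa]":
    """Parse the data rows of 'dis ike sa'; header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            rows.append(IkeSa(int(m[1]), m[2], m[3], int(m[4]), m[5]))
    return rows

def no_proposal_peers(log: str) -> "list[str]":
    """Peer addresses that rejected our proposal, one entry per notification line."""
    return [m[1] for m in map(NO_PROPOSAL.search, log.splitlines()) if m]

def diagnose(sa_text: str, peer_log: str) -> str:
    """Classify the state: phase 1 ready, phase 2 never ready, peer rejecting proposals."""
    sas = parse_ike_sa(sa_text)
    p1_ready = any(s.phase == 1 and "RD" in s.flag for s in sas)
    p2_ready = any(s.phase == 2 and "RD" in s.flag for s in sas)
    if not p1_ready:
        return "phase1-not-established"
    if not p2_ready and no_proposal_peers(peer_log):
        return "phase2-proposal-mismatch"  # compare transforms and encapsulation mode on both ends
    return "ok" if p2_ready else "phase2-pending"
```

A "phase2-proposal-mismatch" result means the peers agree on IKE but not on the IPSec transform set, which is where the tunnel-versus-transport encapsulation difference described in this case shows up.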
Suggestions
The SVN3000 supports only the tunnel encapsulation mode, whereas the Nortel device supports only the transport encapsulation mode.
The Nortel device uses a non-standard IPSec protocol, which causes the interconnection failure. R&D has no plan to develop a customized software version for interconnecting with the Nortel device. Therefore, the only solution is to replace the Nortel device in the IPSec VPN connection.
