Problem setting up ESP tunnel, can't negotiate IKE SA

Unanswered Question
Mar 15th, 2007


I am trying to set up an ESP tunnel with a Cisco 871 and another device but can't seem to get it working. The peers start negotiating an IKE SA but only the first three or four (depending on which peer is the initiator) messages of ISAKMP are sent. The Key Exchange does not succeed and so no tunnel is set up. If anyone could provide a hint as to what could be the problem then I would greatly appreciate it.

I attach part of the log and the running config from the 871 and a Wireshark capture of the exchanged ISAKMP messages.

Thanks in advance,


kaachary Thu, 03/15/2007 - 06:51


A couple of misconfigurations I noticed:

1: If the remote device is a non-Cisco device, disable PFS on both the devices.

2: The crypto ACL on the router should have only this statement :

access-list 100 permit ip host host

Let us know if this helps.


AKAnderson Thu, 03/15/2007 - 08:21


Thanks for your reply.

I changed the settings you suggested but as far as I can see it doesn't solve the problem. Still no IKE SA is set up and the log doesn't tell me anything new. Any other suggestions would be most welcome!

Regarding PFS: I will need PFS later, but if I can get a tunnel up at all that would be a first step at least. Is it your experience that PFS will not work with a non-Cisco device?


kaachary Fri, 03/16/2007 - 02:34

Please post the latest config and logs. And, yes, PFS usually has issues with non-Cisco devices.


ggilbert Sat, 03/17/2007 - 09:06

We find the pre-shared key for the peer, then we get a response from the peer, and that response contains NONE, which is ZERO:

2007-03-16 10:42:43 Local7.Debug 30136: 024910: Mar 16 10:43:31.280 PCTime: ISAKMP:received payload type 0

You should receive something back from the third party for key negotiation, but we don't.

That's the problem.



Rate this post, if it helps!

AKAnderson Mon, 03/19/2007 - 01:55

I agree that that line in the log doesn't look good. But it seems to me that we get both a KE and a NONCE payload, just like we should. The log says that the KE payload and then the NONCE payload are processed before the payload type 0 is received. If this processing was OK, then shouldn't the message be accepted and the initiator identity etc. be sent?

It was my understanding that a payload type 0 just marks the end of the ISAKMP packet so what I don't understand is why it is not treated as such. Can I see from the log if something is going wrong in the processing of the KE and/or NONCE payloads?

Thanks again,


AKAnderson Thu, 03/22/2007 - 01:47

The problem was with NAT-T. When I turned that off on the third party device it worked fine. PFS was not a problem.

However, I would like to use NAT-T so now my question is why the Cisco 871 neither sends nor understands the proper vendor id for RFC 3947 Negotiation of NAT-Traversal in the IKE? It seems to me that it sends vendor ids for three drafts preceding this RFC but not for the final version. Does it not support this RFC?
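A quick way to check the point raised here is to inspect the Vendor ID payloads a peer puts in its first Main Mode message and see which NAT-T variant each one announces. The following checker is an added example, not code from the thread or from Cisco: it walks the ISAKMP payload chain (RFC 2408 header and generic payload layout, with type 0 "NONE" ending the chain, as in the log above) and matches Vendor IDs against the MD5 digests of the draft and RFC 3947 identifier strings. The packets it parses are constructed here for illustration.

```python
import hashlib
import struct

# NAT-T Vendor IDs are the MD5 of these strings (the 02 draft includes a trailing newline).
NAT_T_VID_STRINGS = [
    "draft-ietf-ipsec-nat-t-ike-00",
    "draft-ietf-ipsec-nat-t-ike-02\n",
    "draft-ietf-ipsec-nat-t-ike-03",
    "RFC 3947",
]
NAT_T_VIDS = {hashlib.md5(s.encode()).digest(): s for s in NAT_T_VID_STRINGS}
RFC3947_VID = hashlib.md5(b"RFC 3947").digest()

# ISAKMP header: icookie(8) rcookie(8) next-payload ver xchg flags msgid length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_VID = 13  # Vendor ID payload type

def parse_payloads(packet):
    """Yield (payload_type, body) for each payload until next-payload 0 (NONE)."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    *_, np, _ver, _xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError("header length does not match packet length")
    off = ISAKMP_HDR.size
    while np != 0:
        if off + 4 > length:
            raise ValueError("payload chain runs past end of packet")
        nxt, _reserved, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        yield np, packet[off + 4:off + plen]
        np, off = nxt, off + plen

def nat_t_vendor_ids(packet):
    """Human-readable NAT-T variants the peer advertises, in wire order."""
    return [NAT_T_VIDS[body] for ptype, body in parse_payloads(packet)
            if ptype == PAYLOAD_VID and body in NAT_T_VIDS]

def supports_rfc3947(packet):
    return "RFC 3947" in nat_t_vendor_ids(packet)

def build_packet(payloads):
    """Constructed Main Mode message carrying only the given (type, body) payloads."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body

# Constructed sample: a peer offering two drafts plus an unrelated Vendor ID, but not RFC 3947.
SAMPLE_DRAFTS_ONLY = build_packet([
    (PAYLOAD_VID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest()),
    (PAYLOAD_VID, b"\x00" * 16),
    (PAYLOAD_VID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest()),
])
SAMPLE_WITH_RFC = build_packet([(PAYLOAD_VID, RFC3947_VID)])
```

Feeding the bytes of a captured first message (exported from Wireshark) to `nat_t_vendor_ids` shows whether both sides have a NAT-T variant in common; if one side lists only drafts and the other only RFC 3947, NAT-T will not be negotiated even though both "support" it.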


ggilbert Thu, 03/22/2007 - 07:34


What version of code are you running on your 871?

NAT-T is RFC compliant.



AKAnderson Fri, 03/23/2007 - 00:54

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)


AKAnderson Tue, 03/27/2007 - 04:26

I have received confirmation from Cisco that this is a bug which should be fixed in version 12.4(11.4)T.
