VPN Cisco Router - Cisco Asa

Unanswered Question
Dec 11th, 2007

Hello Experts,

I'm trying to create a VPN with a Cisco router and a Cisco ASA 5510 version 7.2(2).

This is the output I get from the debug in the router (debug crypto isa err):

*Dec 11 17:00:09.354: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
*Dec 11 17:00:09.354: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Dec 11 17:00:10.146: ISAKMP:(0:178:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer x.x.x.x)

In theory, the Cisco ASA (which I don't have control of) has the following:

Phase 1:

encryption protocol: IPSEC
Diffie Hellman: Group 2
encryption: 3DES
hash: SHA
lifetime: 86400 seconds
Mode: MAIN

My questions are as follows:

1- Can somebody provide me with the correct isakmp configuration for phase 1?

2- What is the command to set up the tunnel in Main mode?

3- Any ideas what that error message means?



Jon Marshall Tue, 12/11/2007 - 11:57


It looks like it is getting past phase 1, i.e. QM_IDLE.

When it doesn't work, if you do "sh crypto isa", what is the output?

Could you post your router settings for phase 1 and 2 off the router and off the ASA?


ranbeckycr Wed, 12/12/2007 - 13:34

Hi Jon,

Thanks for your response. I appreciate your help.

This is the info:

--> On Firewall:

Phase 1

crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group ipsec-attributes
 pre-shared-key *

--> On router Phase 1

crypto isakmp policy 21
 encr 3des
 authentication pre-share
 group 2

*********PHASE 2*********

--> Firewall

Phase 2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (possible configuration in ASA for BcoUno)
crypto map WAN_map 20 match address WAN_20_cryptomap
crypto map WAN_map 20 set pfs
crypto map WAN_map 20 set peer
crypto map WAN_map 20 set transform-set ESP-3DES-SHA
crypto map WAN_map interface WAN

--> Phase 2 Router

crypto ipsec transform-set test3des esp-3des esp-sha-hmac
crypto map 3desmap 17 ipsec-isakmp
 set peer
 set transform-set test3des
 set pfs group2
 match address vpn
ip access-list extended vpn
 permit ip
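
An offline check of the phase 1 settings posted above, as an added example that is not part of the original thread: it parses the two "crypto isakmp policy" blocks, fills in attributes a policy omits from assumed IOS defaults (encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400), and lists the attributes that differ. ROUTER_MD5 is a constructed variant with a different hash, the kind of difference the "Hash algorithm offered does not match policy!" debug line reports.

```python
# Added example: compare two IKE phase 1 (ISAKMP) policies attribute by attribute.
# ASSUMPTION: attributes missing from a policy take these IOS policy defaults.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
# Keywords as they appear in the thread ("encr" on the router, "encryption" on the ASA).
KEYWORDS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
            "authentication": "authentication", "group": "group",
            "lifetime": "lifetime"}

# Phase 1 policy lines as posted in the thread.
ASA_P1 = """crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400"""
ROUTER_P1 = """crypto isakmp policy 21
 encr 3des
 authentication pre-share
 group 2"""
# Constructed variant (not from the thread): same policy with a different hash.
ROUTER_MD5 = ROUTER_P1 + "\n hash md5"

def parse_policy(text, defaults=IOS_DEFAULTS):
    """Return the effective attributes of one policy block, defaults filled in."""
    policy = dict(defaults)
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] in KEYWORDS:
            policy[KEYWORDS[words[0]]] = words[1].lower()
    return policy

def mismatches(local, remote):
    """Map each differing attribute to its (local, remote) values."""
    return {k: (local[k], remote[k]) for k in local if local[k] != remote[k]}

if __name__ == "__main__":
    asa = parse_policy(ASA_P1)
    for name, cfg in (("router as posted", ROUTER_P1), ("hash md5 variant", ROUTER_MD5)):
        print(name, "->", mismatches(parse_policy(cfg), asa) or "phase 1 attributes match")
```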

