VPN Cisco Router - Cisco Asa

ranbeckycr
Level 1

Hello Experts,

I'm trying to create a VPN between a Cisco router and a Cisco ASA 5510 version 7.2(2).

This is the output I get from the debug on the router (debug crypto isa err):

VPNGTWY_02(config)#

*Dec 11 17:00:09.354: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!

*Dec 11 17:00:09.354: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

*Dec 11 17:00:10.146: ISAKMP:(0:178:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer x.x.x.x)

In theory, the Cisco ASA (which I don't have control of) has the following:

Phase 1:

PRESHARED KEY 123

encryption protocol: IPSEC

Diffie Hellman: Group 2

encryption: 3DES

hash: SHA

lifetime: 86400 seconds

Mode: MAIN

My questions are as follows:

1- Can somebody provide me with the correct isakmp configuration for phase 1?

2- What is the command to set up the tunnel in Main mode?

3- Any ideas what that error message means?

Thanks,

Randall


Jon Marshall
Hall of Fame

Randall

It looks like it is getting past phase 1, i.e. QM_IDLE.

When it doesn't work, if you do "sh crypto isa", what is the output?

Could you post your router settings for phase 1 and 2 off the router and off the ASA?

Jon

Hi Jon,

Thanks for your response. I appreciate your help.

This is the info:

--> On Firewall:

Phase 1

crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *

--> On router Phase 1

crypto isakmp policy 21
 encr 3des
 authentication pre-share
 group 2

*********PHASE 2*********

--> Firewall

Phase 2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (possible configuration in ASA for BcoUno)
crypto map WAN_map 20 match address WAN_20_cryptomap
crypto map WAN_map 20 set pfs
crypto map WAN_map 20 set peer 1.1.1.1
crypto map WAN_map 20 set transform-set ESP-3DES-SHA
crypto map WAN_map interface WAN

--> Phase 2 Router

crypto ipsec transform-set test3des esp-3des esp-sha-hmac
crypto map 3desmap 17 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set test3des
 set pfs group2
 match address vpn
ip access-list extended vpn
 permit ip 10.0.4.0 0.0.0.255 10.0.5.0 0.0.0.255
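
The phase 1 policies posted in this thread can be compared attribute by attribute. The script below is an added example, not code from the thread or from Cisco, and it generalizes to any `crypto isakmp policy` block rather than only the two posted. It assumes classic IOS default values for attributes the router config omits; the names `parse_policies`, `mismatches`, `IOS_DEFAULTS` and `UNSTATED` are made up for this example.

```python
# Added example: compare IKE phase 1 (ISAKMP) policies from two Cisco configs.
# Assumption: classic IOS defaults for attributes omitted from a policy block
# (a running config does not list values left at their default).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
UNSTATED = dict.fromkeys(IOS_DEFAULTS)      # no defaults assumed for the ASA
ALIASES = {"encr": "encryption"}            # abbreviated keyword used by IOS
# Lifetime is parsed and reported, but not compared in this example.
MUST_MATCH = ("encryption", "hash", "authentication", "group")

# Phase 1 lines as posted in the thread.
ROUTER = """crypto isakmp policy 21
 encr 3des
 authentication pre-share
 group 2"""
ASA = """crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *"""

def parse_policies(config, defaults):
    """Return {priority: attributes} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        key = ALIASES.get(words[0], words[0]) if words else None
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), dict(defaults))
        elif current is not None and key in defaults and len(words) == 2:
            current[key] = words[1]
        elif words:
            current = None                  # any other command ends the block
    return policies

def mismatches(local, remote):
    """Attributes in MUST_MATCH whose values differ between two policies."""
    return {k: (local[k], remote[k]) for k in MUST_MATCH if local[k] != remote[k]}

if __name__ == "__main__":
    router = parse_policies(ROUTER, IOS_DEFAULTS)[21]
    asa = parse_policies(ASA, UNSTATED)[10]
    print("router policy 21:", router)
    print("differences vs ASA policy 10:", mismatches(router, asa) or "none")
```
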