12-11-2007 11:17 AM - edited 02-21-2020 03:25 PM
Hello Experts,
I'm trying to create a VPN between a Cisco router and a Cisco ASA 5510 version 7.2(2).
This is the output I get from the debug on the router (debug crypto isa err):
VPNGTWY_02(config)#
*Dec 11 17:00:09.354: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
*Dec 11 17:00:09.354: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Dec 11 17:00:10.146: ISAKMP:(0:178:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer x.x.x.x)
In theory, the Cisco ASA (which I don't have control over) has the following:
Phase 1:
PRESHARED KEY 123
encryption protocol: IPSEC
Diffie Hellman: Group 2
encryption: 3DES
hash: SHA
lifetime: 86400 seconds
Mode: MAIN
My questions are as follows:
1- Can somebody provide me with the correct isakmp configuration for phase 1?
2- What is the command to set up the tunnel in Main mode?
3- Any ideas what that error message means?
Thanks,
Randall
12-11-2007 11:57 AM
Randall
It looks like it is getting past phase 1, i.e. QM_IDLE.
When it doesn't work, if you do "sh crypto isa", what is the output?
Could you post your settings for phase 1 and 2 off the router and off the ASA?
Jon
12-12-2007 01:34 PM
Hi Jon,
Thanks for your response. I appreciate your help.
This is the info:
--> On Firewall:
Phase 1
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
--> On router Phase 1
crypto isakmp policy 21
 encr 3des
 authentication pre-share
 group 2
*********PHASE 2*********
--> Firewall
Phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (possible configuration in ASA for BcoUno)
crypto map WAN_map 20 match address WAN_20_cryptomap
crypto map WAN_map 20 set pfs
crypto map WAN_map 20 set peer 1.1.1.1
crypto map WAN_map 20 set transform-set ESP-3DES-SHA
crypto map WAN_map interface WAN
--> Phase 2 Router
crypto ipsec transform-set test3des esp-3des esp-sha-hmac
crypto map 3desmap 17 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set test3des
 set pfs group2
 match address vpn
ip access-list extended vpn
 permit ip 10.0.4.0 0.0.0.255 10.0.5.0 0.0.0.255
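An added example, not part of any post in this thread and not Cisco code: a Python check that parses the Phase 1 "crypto isakmp policy" blocks posted above and reports the first attribute on which an offered policy and a local policy disagree. It assumes the classic IOS defaults for attributes a policy omits (DES, SHA, RSA signatures, group 1) and compares only encryption, hash, authentication and DH group; the function names and the MD5 variant are constructed for illustration.

```python
# Added example. Assumption: classic IOS fills omitted policy attributes with these.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1"}
ALIASES = {"encr": "encryption"}                     # IOS abbreviates the keyword
MUST_MATCH = ("encryption", "hash", "authentication", "group")

def parse_policies(config, defaults=None):
    """Return {priority: {attr: value}} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        key = ALIASES.get(words[0], words[0]) if words else ""
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), dict(defaults or {}))
        elif current is not None and len(words) == 2 and key in MUST_MATCH:
            current[key] = words[1]
        elif key != "lifetime":
            current = None                           # any other command ends the block
    return policies

def negotiate(offered, local):
    """Return ((offered_prio, local_prio), rejections) for the first agreeing pair."""
    rejections = []
    for op, offer in sorted(offered.items()):
        for lp, mine in sorted(local.items()):
            bad = [a for a in MUST_MATCH if offer.get(a) != mine.get(a)]
            if not bad:
                return (op, lp), rejections
            rejections.append((op, lp, bad[0]))      # first attribute that differs
    return None, rejections

# Phase 1 sections as posted in the thread above.
ASA = """crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400"""
ROUTER = """crypto isakmp policy 21
encr 3des
authentication pre-share
group 2"""
# Constructed variant (not from the thread): same router policy with MD5 forced.
ROUTER_MD5 = ROUTER + "\nhash md5"

if __name__ == "__main__":
    asa = parse_policies(ASA)
    print(negotiate(parse_policies(ROUTER, IOS_DEFAULTS), asa))
    print(negotiate(parse_policies(ROUTER_MD5, IOS_DEFAULTS), asa))
```

Under the stated default assumption, the two posted Phase 1 policies agree on all four compared attributes, while the constructed MD5 variant is rejected on the hash attribute.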