1st & 2nd phase proposals

Sep 17th, 2008

Hi, I've got a Cisco 877 and a NetScreen 5GT.

The NetScreen is configured as the hub with phase 1 pre-g2-3des-sha, and phase 2 set to nopfs-esp-3des-md5. How would I configure my transform sets on the Cisco 877? Can anyone help?

Istvan_Rabai Wed, 09/17/2008 - 09:21

Hi Colin,


Phase 1:

crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2

Phase 2:

crypto ipsec transform-set MYTRANS esp-3des esp-md5-hmac


Cheers:

Istvan
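
The mapping in the reply above, written out as an added example (not part of the thread or of either vendor's tooling). It assumes the proposal-name layout seen in the question (`auth-group-enc-hash` for phase 1, `pfs-esp-enc-hash` for phase 2); the function names are hypothetical and the keyword tables cover only DES/3DES/AES-128, SHA/MD5 and pre-shared keys.

```python
# Added example: translate NetScreen proposal names into Cisco IOS lines.
# Keyword tables are limited to DES/3DES/AES-128, SHA/MD5 and pre-shared keys.
IKE_ENC = {"des": "des", "3des": "3des", "aes128": "aes 128"}
IKE_HASH = {"sha": "sha", "md5": "md5"}
ESP_ENC = {"des": "esp-des", "3des": "esp-3des", "aes128": "esp-aes 128"}
ESP_HASH = {"sha": "esp-sha-hmac", "md5": "esp-md5-hmac"}
DH_GROUPS = {"g1": "1", "g2": "2", "g5": "5"}


def _lookup(table, key, proposal):
    """Fail loudly on a keyword this example does not know."""
    if key not in table:
        raise ValueError(f"unsupported keyword {key!r} in {proposal!r}")
    return table[key]


def phase1_to_ios(proposal, priority=10):
    """'pre-g2-3des-sha' -> lines of a 'crypto isakmp policy' block."""
    parts = proposal.lower().split("-")
    if len(parts) != 4 or parts[0] != "pre":
        raise ValueError(f"unrecognised phase 1 proposal: {proposal!r}")
    _, group, enc, digest = parts
    return [
        f"crypto isakmp policy {priority}",
        f" encryption {_lookup(IKE_ENC, enc, proposal)}",
        f" hash {_lookup(IKE_HASH, digest, proposal)}",
        " authentication pre-share",
        f" group {_lookup(DH_GROUPS, group, proposal)}",
    ]


def phase2_to_ios(proposal, name="MYTRANS"):
    """'nopfs-esp-3des-md5' -> (transform-set line, crypto-map PFS line or None)."""
    parts = proposal.lower().split("-")
    if len(parts) != 4 or parts[1] != "esp":
        raise ValueError(f"unrecognised phase 2 proposal: {proposal!r}")
    pfs, _, enc, digest = parts
    transform = (f"crypto ipsec transform-set {name} "
                 f"{_lookup(ESP_ENC, enc, proposal)} {_lookup(ESP_HASH, digest, proposal)}")
    # PFS is set on the crypto map entry, not in the transform set.
    pfs_line = None if pfs == "nopfs" else f" set pfs group{_lookup(DH_GROUPS, pfs, proposal)}"
    return transform, pfs_line


if __name__ == "__main__":
    print("\n".join(phase1_to_ios("pre-g2-3des-sha")))
    transform, pfs_line = phase2_to_ios("nopfs-esp-3des-md5")
    print(transform)
    print(pfs_line or "! no PFS line needed")
```
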

crmljc1976 Fri, 09/26/2008 - 01:02

It won't let me enter hash sha under crypto isakmp policy 10. Why is that?

Istvan_Rabai Fri, 09/26/2008 - 08:59

Hi,


Probably your IOS image doesn't have this feature.


Try using "hash md5" and, if it works, configure the NetScreen the same way.


Cheers:

Istvan



ajagadee (Cisco Employee) Fri, 09/26/2008 - 10:42

Hi,


SHA is the default hashing algorithm for ISAKMP policy and that is why you are probably not seeing it in the running configuration.


For example, I have SHA configured under ISAKMP Policy 10 on my router but it does not show in the running configuration.


crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2


But, if I run the command "Show crypto ISAKMP Policy", I can see it in there.


R16-2821c#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm: Three key triple DES
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 86400 seconds, no volume limit
Protection suite of priority 20


Regards,

Arul


** Please rate all helpful posts **

crmljc1976 Wed, 10/01/2008 - 00:51

Hi, I keep getting phase 2 no policy exists for proxy id received on the NetScreen, all phase 1 and 2 configured correctly. Has anyone got any experience programming NetScreen 5GT and Cisco 877 VPNs? Thanks
