1st & 2nd phase proposals

Sep 17th, 2008

Hi, I've got a Cisco 877 and a NetScreen 5GT.

The NetScreen is configured as the hub with phase 1 pre-g2-3des-sha, and phase 2 set to nopfs-esp-3des-md5. How would I configure my transform sets on the Cisco 877? Can anyone help?

Istvan_Rabai Wed, 09/17/2008 - 09:21

Hi Colin,

Phase 1:

crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2

Phase 2:

crypto ipsec transform-set MYTRANS esp-3des esp-md5-hmac



crmljc1976 Fri, 09/26/2008 - 01:02

It won't let me enter hash sha under crypto isakmp policy 10. Why is that?

Istvan_Rabai Fri, 09/26/2008 - 08:59


Probably your IOS image doesn't have this feature.

Try using "hash md5" and if it works, configure netscreen the same way.



ajagadee Fri, 09/26/2008 - 10:42


SHA is the default hashing algorithm for ISAKMP policy and that is why you are probably not seeing it in the running configuration.

For example, I have SHA Configured under ISAKMP Policy 10 on my router but it does not show in the running configuration.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

But, if I run the command "Show crypto ISAKMP Policy", I can see it in there.

R16-2821c#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm: Three key triple DES
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 86400 seconds, no volume limit
Protection suite of priority 20



** Please rate all helpful posts **
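
A check built on the two answers above, as an added example that is not part of the original thread: it parses a NetScreen phase 1 proposal name and the `show crypto isakmp policy` output, then reports which IOS policy priority matches, so a default such as SHA that is absent from the running configuration is still compared. The proposal-name layout and the IOS display strings not shown in the thread are assumptions.

```python
import re

# Assumed ScreenOS phase 1 proposal name layout: <auth>-g<group>-<cipher>-<hash>
P1_NAME = re.compile(r"^(pre|rsa)-g(\d+)-(des|3des)-(sha|md5)$")
FIELDS = {"encryption algorithm": "encryption", "hash algorithm": "hash",
          "authentication method": "auth", "Diffie-Hellman group": "group"}
# IOS display text -> short token. The 3DES, SHA and pre-shared key strings are
# from the output in this thread; the other three are assumed.
IOS_TEXT = {"Three key triple DES": "3des", "Secure Hash Standard": "sha",
            "Pre-Shared Key": "pre", "Message Digest 5": "md5",
            "DES - Data Encryption Standard (56 bit keys).": "des",
            "Rivest-Shamir-Adleman Signature": "rsa"}

# Output copied from the post above, blank lines removed (priority 20 is cut
# off in the thread as well).
SAMPLE = """\
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 20
"""

def parse_netscreen_p1(name):
    """Split a proposal name such as pre-g2-3des-sha into its four attributes."""
    m = P1_NAME.match(name.strip().lower())
    if not m:
        raise ValueError(f"unrecognised phase 1 proposal: {name!r}")
    auth, group, enc, digest = m.groups()
    return {"auth": auth, "group": group, "encryption": enc, "hash": digest}

def parse_ios_policies(text):
    """Return {priority: attributes} from 'show crypto isakmp policy' output."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        start = re.match(r"Protection suite of priority (\d+)", line)
        if start:
            current = policies.setdefault(int(start.group(1)), {})
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "Diffie-Hellman group":
                value = value.lstrip("#").split()[0]   # "#2 (1024 bit)" -> "2"
            if key in FIELDS:
                current[FIELDS[key]] = IOS_TEXT.get(value, value)
    return policies

def matching_priorities(proposal, show_output):
    """List the IOS policy priorities whose attributes all equal the proposal's."""
    wanted = parse_netscreen_p1(proposal)
    return [prio for prio, pol in sorted(parse_ios_policies(show_output).items())
            if pol == wanted]
```
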

crmljc1976 Wed, 10/01/2008 - 00:51

Hi, I keep getting phase 2 no policy exists for proxy id received on the NetScreen, all phase 1 and 2 configured correctly. Has anyone got any experience programming NetScreen 5GT and Cisco 877 VPNs? Thanks

