CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED - ?

Unanswered Question
Apr 30th, 2009

What does it mean? I saw an explanation such as:

Error Message

I have this error:

%CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED : IKE default policy was matched and is being used.


Explanation The default policy is being used because the local configured policies did not match with the peer's policies.


Recommended Action Unavailable.

____________________________________

But what should I do?

Here is my config:

R1:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 1800
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key ts address xxx.175.97.74
crypto isakmp key ts-licon address xxx.234.213.46
crypto isakmp key tS-irkTS address xxx.241.208.10
!
crypto ipsec security-association lifetime seconds 1200
!
crypto ipsec transform-set km4set esp-3des esp-sha-hmac
crypto ipsec transform-set liconset ah-sha-hmac esp-aes
crypto ipsec transform-set irktsset ah-md5-hmac esp-aes
!
crypto ipsec profile IRKTS
 set security-association lifetime seconds 3600
 set transform-set irktsset
!
crypto ipsec profile KM4
 set security-association lifetime seconds 3600
 set transform-set km4set
!
crypto ipsec profile LICON
 set security-association lifetime seconds 3600
 set transform-set liconset
!
interface Tunnel26
 bandwidth 2000
 ip address 192.168.251.2 255.255.255.252
 qos pre-classify
 tunnel source XXX.XXX.133.13
 tunnel destination XXX.XXX.208.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IRKTS




R2:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key tS-irkTS address XXX.XXX.113.13
!
crypto ipsec security-association lifetime seconds 1200
!
crypto ipsec transform-set irktsset ah-md5-hmac esp-aes
!
crypto ipsec profile IRKTS
 set security-association lifetime seconds 3600
 set transform-set irktsset
!
interface Tunnel26
 bandwidth 2000
 ip address 192.168.251.1 255.255.255.252
 qos pre-classify
 tunnel source XXX.XXX.208.10
 tunnel destination XXX.XXX.133.13
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IRKTS


Please help. Thank you.

yahsiel2004 Thu, 08/22/2013 - 13:15

Did you ever figure this out?


HTH

Regards,

Yosh

robert.vizitiu1 Mon, 10/12/2015 - 01:02

Hi,

 

The message means the 2 policies for negotiating IKE Phase 1 don't match.

You should also configure the following policy on R2:

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
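The policy comparison discussed in this thread, as an added example (not code from the thread or from Cisco): it parses the `crypto isakmp policy` blocks posted for R1 and R2 and lists which policy pairs agree on encryption, hash, authentication method and DH group. The `DEFAULTS` table for attributes a block leaves unset is an assumption based on classic IOS defaults, and lifetime is parsed but not compared.

```python
import re

# Assumption: values IOS applies when a policy block omits an attribute
# (classic defaults; check "show crypto isakmp policy" on your release).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
MATCH_ON = ("encr", "hash", "authentication", "group")  # lifetime not compared

def parse_policies(config):
    """Return {priority: attributes} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in filter(None, map(str.strip, config.splitlines())):
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
            continue
        key, _, value = line.partition(" ")
        key = "encr" if key == "encryption" else key  # long keyword form
        if current is not None and key in DEFAULTS and value:
            current[key] = value
        else:
            current = None  # "!" or any other command closes the block
    return policies

def matching_pairs(local, remote):
    """(local, remote) priorities agreeing on encryption, hash, auth, DH group."""
    return [(lp, rp) for lp, la in sorted(local.items())
            for rp, ra in sorted(remote.items())
            if all(la[k] == ra[k] for k in MATCH_ON)]

# ISAKMP policy blocks as posted in the question and in the reply.
P1 = ("crypto isakmp policy 1\nencr 3des\nauthentication pre-share\n"
      "group 2\nlifetime 1800\n!\n")
P2 = ("crypto isakmp policy 2\nencr aes 256\nauthentication pre-share\n"
      "group 2\n!\n")
R1, R2 = P1 + P2, P1          # R1 has both policies, R2 only policy 1
R2_FIXED = R2 + P2            # R2 after adding the policy from the reply

if __name__ == "__main__":
    r1 = parse_policies(R1)
    print("as posted:", matching_pairs(r1, parse_policies(R2)))
    print("with policy 2 on R2:", matching_pairs(r1, parse_policies(R2_FIXED)))
```

On a router, `show crypto isakmp policy` prints the same attributes with the defaults filled in, which is the output to compare between the two peers.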
