VPN OK on 1812 - not on 2811 !!!

Answered Question
Jun 9th, 2010
I'm losing my mind... I configured a remote IPSec VPN client access on 2 routers 1812. It works like a charm.

I take the same config and apply it on a 2811, it doesn't work... Error during IPsec phase 2.

I re-re-re-re-rechecked the config, it's perfectly matching the config done on the 1812. (and I use same template for 876, 1841,....)

I tried 4 different IOS 12.2.24T3 Adventerprise, 12.2.15T13 adventerprise and Advipservices, and also 12.2.25c adventerprise. Nothing changes.... still the same error...

I've applied this config on another 2811, same issue. Is there anything wrong with this model concerning IPsec VPN client config ???? Or should I use a specific IOS ?

Thanks for sharing your experience,



Config is:

aaa new-model
aaa authentication login default local
aaa authentication login userauth local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network groupauth local
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp client configuration group mmrouter008
 key xxxxxxxxxxxxxxxx
 domain xxxxxxx.com
 acl 134
crypto isakmp profile mmrouter008
 match identity group mmrouter008
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
crypto ipsec transform-set vpnuser_trans esp-3des esp-md5-hmac
crypto dynamic-map mydynamicmap 10
 set transform-set vpnuser_trans
 set isakmp-profile mmrouter008
crypto map MAPPP 100 ipsec-isakmp dynamic mydynamicmap
int fa0/0
 crypto map MAPPP
ip local pool POOL_VPN
access-list 134 permit ip

Correct Answer
Federico Coto F... Wed, 06/09/2010 - 15:02


Should work as you said.

What is the error specifically that you get regarding phase 2?


olivier.jessel Thu, 06/10/2010 - 00:08

Hi Federico,

Here is the log of the VPN connection. (debug cryp isakmp)

The error I can see is:

ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local remote
ISAKMP: set new node -1712530148 to QM_IDLE

To be precise, that is the VPN router.

It's just strange. I have used this config many times and it's the first time I have had such a problem.


olivier.jessel Thu, 06/10/2010 - 00:39

wwooooo OK I found out the issue.

I have HSRP on the interface where the crypto map is applied.

The router replies with the physical IP address and not with the virtual IP address. Then IPSec phase 2 fails !

Does anyone know how to make both work together ???

Thanks in advance


olivier.jessel Thu, 06/10/2010 - 02:15

OK, I finally fixed this HSRP+IPsec dynamic map config.

Now it works. I'm gonna test all of this when I configure the second HSRP router.

Thanks again for your help ;-)
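
The thread does not say which change fixed it. As an added example (not from any poster): IOS can bind a crypto map to an HSRP group with `standby <group> name <name>` and `crypto map <map> redundancy <name>`, so the tunnel endpoint is the virtual address, and the Python check below flags interfaces that run HSRP and a crypto map without that binding. The interface addresses and the group name VPNHA are constructed; whether this is the change olivier.jessel made is an assumption.

```python
import re

# Constructed sample configs: addresses and the name VPNHA are illustrative.
BEFORE = """\
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 crypto map MAPPP
"""
AFTER = """\
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 name VPNHA
 crypto map MAPPP redundancy VPNHA
"""

def interfaces(config):
    """Map interface name -> sub-commands (expects unabbreviated running-config)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None  # blank or non-indented line closes the block
    return blocks

def hsrp_crypto_findings(config):
    """Return (interface, problem) pairs for HSRP interfaces with an unbound crypto map."""
    findings = []
    for name, cmds in interfaces(config).items():
        if not any(re.match(r"standby (?:\d+ )?ip\b", c) for c in cmds):
            continue  # no HSRP here, physical address is the only endpoint
        groups = {m.group(1) for c in cmds
                  if (m := re.match(r"standby (?:\d+ )?name (\S+)", c))}
        for c in cmds:
            m = re.match(r"crypto map (\S+)(?: redundancy (\S+))?", c)
            if not m:
                continue
            if m.group(2) is None:
                findings.append((name, f"crypto map {m.group(1)} not bound to HSRP group"))
            elif m.group(2) not in groups:
                findings.append((name, f"redundancy name {m.group(2)} has no matching standby name"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, hsrp_crypto_findings(cfg))
```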