Phase1 SA establishment failing between Cisco Router and Netscreen

Nov 28th, 2006

Hi,


I am trying to set up a tunnel between a Cisco router (2800) and Netscreen.


The tunnel does not come up and the debug output on cisco shows "phase 1 SA policy not acceptable!".


The configuration of all the parameters and lifetimes is matched at both ends.


Anything specific to be checked / configured to make this work?

ajagadee Tue, 11/28/2006 - 18:31
(Cisco Employee)

Hello,


"Phase 1 SA Policy not acceptable" basically means the Phase 1 parameters are not matching on the VPN Servers.


If possible, can you post the full debugs from the VPN device?


Regards,

Arul


** Please rate all helpful posts **

mastram4u Tue, 11/28/2006 - 19:58

: ISAKMP:(0:0:N/A:0):Looking for a matching key for x.x.x.x in default

: ISAKMP:(0:0:N/A:0): : success

: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching x.x.x.x

: ISAKMP:(0:0:N/A:0): local preshared key found

: ISAKMP : Scanning profiles for xauth ...

: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy

: ISAKMP: encryption 3DES-CBC

: ISAKMP: hash MD5

: ISAKMP: default group 2

: ISAKMP: auth pre-share

: ISAKMP: life type in seconds

: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0

: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!

: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy

: ISAKMP: encryption 3DES-CBC

: ISAKMP: hash MD5

: ISAKMP: default group 2

: ISAKMP: auth pre-share

: ISAKMP: life type in seconds

: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0

: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!

: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy

: ISAKMP: encryption 3DES-CBC

: ISAKMP: hash MD5

: ISAKMP: default group 2

: ISAKMP: auth pre-share

: ISAKMP: life type in seconds

: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0

: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!

: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 15 policy

: ISAKMP: encryption 3DES-CBC

: ISAKMP: hash MD5

: ISAKMP: default group 2

: ISAKMP: auth pre-share

: ISAKMP: life type in seconds

: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0

: ISAKMP:(0:0:N/A:0):Lifetime duration offered does not match policy!

: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 20 policy

: ISAKMP: encryption 3DES-CBC

: ISAKMP: hash MD5

: ISAKMP: default group 2

: ISAKMP: auth pre-share

: ISAKMP: life type in seconds

: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0

: ISAKMP:(0:0:N/A:0):Lifetime duration offered does not match policy!

: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 25 policy

: ISAKMP: encryption 3DES-CBC

: ISAKMP: hash MD5

: ISAKMP: default group 2

: ISAKMP: auth pre-share

: ISAKMP: life type in seconds

: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0

: ISAKMP:(0:0:N/A:0):Lifetime duration offered does not match policy!

: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy

: ISAKMP: encryption 3DES-CBC

: ISAKMP: hash MD5

: ISAKMP: default group 2

: ISAKMP: auth pre-share

: ISAKMP: life type in seconds

: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0

: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

: ISAKMP:(0:0:N/A:0):no offers accepted!

: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local y.y.y.y remote x.x.x.x)

: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: construct_fail_ag_init

: ISAKMP:(0:0:N/A:0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.


: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer x.x.x.x)
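
Added example, not part of the original thread: a small Python parser for debug output in the format posted above, which extracts the proposal the peer offered and the mismatch reason logged against each local policy priority. The function names and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample, abridged from the format of the debug output posted above.
SAMPLE = """\
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP: default group 2
: ISAKMP: auth pre-share
: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 15 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP:(0:0:N/A:0):Lifetime duration offered does not match policy!
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
: ISAKMP:(0:0:N/A:0):no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
MISMATCH = re.compile(r"ISAKMP:\([^)]*\):\s*(.+?) offered does not match policy!")

def summarize(debug_text):
    """Return (offered attributes, [(priority, mismatch reason)], no_offers_accepted)."""
    offered, results, priority, none_accepted = {}, [], None, False
    for line in debug_text.splitlines():
        if m := CHECK.search(line):
            priority = int(m.group(2))            # local policy being compared
        elif m := ATTR.search(line):
            offered[m.group(1)] = m.group(2)      # what the peer proposed
        elif m := MISMATCH.search(line):
            results.append((priority, m.group(1)))  # one reason is logged per policy
        elif "no offers accepted" in line:
            none_accepted = True
    return offered, results, none_accepted

def by_reason(results):
    """Group policy priorities by the mismatch reason logged for them."""
    grouped = {}
    for priority, reason in results:
        grouped.setdefault(reason, []).append(priority)
    return grouped

if __name__ == "__main__":
    offered, results, none_accepted = summarize(SAMPLE)
    print("peer offered:", offered)
    for reason, priorities in by_reason(results).items():
        print(f"{reason}: policies {priorities}")
    print("no offers accepted:", none_accepted)
```

Run against the full output above, the grouping shows which local policies were rejected on hash, which on lifetime, and which on encryption, so the policy to compare against the peer's proposal is easier to pick out.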


ajagadee Mon, 12/04/2006 - 22:39
(Cisco Employee)

Hi,


In your crypto isakmp key configuration, can you make sure that there is no-xauth configured? For example:


crypto isakmp key cisco address x.x.x.x no-xauth


If you have the "no-xauth" configured and the tunnel still does not come up, do post the router's configuration.


Regards,

Arul


** Please rate all helpful posts **
