11-28-2006 03:19 PM - edited 03-09-2019 04:57 PM
Hi,
I am trying to set up a tunnel between a Cisco router (2800) and Netscreen.
The tunnel does not come up and the debug output on cisco shows "phase 1 SA policy not acceptable!".
The configuration of all the parameters and life times are matched at both the ends.
Anything specific to be checked / configured to make this work?
11-28-2006 06:31 PM
Hello,
"Phase 1 SA Policy not acceptable" basically means the Phase 1 parameters are not matching on the VPN Servers.
If possible, can you post the full debugs from the VPN Device?
Regards,
Arul
** Please rate all helpful posts **
11-28-2006 07:58 PM
: ISAKMP:(0:0:N/A:0):Looking for a matching key for x.x.x.x in default
: ISAKMP:(0:0:N/A:0): : success
: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching x.x.x.x
: ISAKMP:(0:0:N/A:0): local preshared key found
: ISAKMP : Scanning profiles for xauth ...
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP: default group 2
: ISAKMP: auth pre-share
: ISAKMP: life type in seconds
: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0
: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP: default group 2
: ISAKMP: auth pre-share
: ISAKMP: life type in seconds
: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0
: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP: default group 2
: ISAKMP: auth pre-share
: ISAKMP: life type in seconds
: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0
: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 15 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP: default group 2
: ISAKMP: auth pre-share
: ISAKMP: life type in seconds
: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0
: ISAKMP:(0:0:N/A:0):Lifetime duration offered does not match policy!
: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 20 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP: default group 2
: ISAKMP: auth pre-share
: ISAKMP: life type in seconds
: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0
: ISAKMP:(0:0:N/A:0):Lifetime duration offered does not match policy!
: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 25 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP: default group 2
: ISAKMP: auth pre-share
: ISAKMP: life type in seconds
: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0
: ISAKMP:(0:0:N/A:0):Lifetime duration offered does not match policy!
: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP: default group 2
: ISAKMP: auth pre-share
: ISAKMP: life type in seconds
: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0
: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
: ISAKMP:(0:0:N/A:0):no offers accepted!
: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local y.y.y.y remote x.x.x.x)
: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: construct_fail_ag_init
: ISAKMP:(0:0:N/A:0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer x.x.x.x)
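An added example, not part of the original thread and not Cisco tooling: a small Python parser that groups debug output like the above by ISAKMP policy priority and by the attribute each comparison was rejected on. The sample lines are constructed in the format of the posted debug; reading the VPI bytes as big-endian in printed order is an assumption.

```python
import re

# Constructed sample, shortened, in the format of the debug output posted above.
SAMPLE = """\
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
: ISAKMP: encryption 3DES-CBC
: ISAKMP: hash MD5
: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0
: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 15 policy
: ISAKMP: hash MD5
: ISAKMP: life duration (VPI) of 0x80 0x51 0x1 0x0
: ISAKMP:(0:0:N/A:0):Lifetime duration offered does not match policy!
: ISAKMP:(0:0:N/A:0):no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
VPI = re.compile(r"life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)")
REJECT = re.compile(r"\):\s*(.+?) offered does not match policy!")

def summarize(debug_text):
    """One dict per policy comparison: priority, offered attributes, rejection reason."""
    results, cur = [], None
    for line in debug_text.splitlines():
        if m := CHECK.search(line):
            cur = {"priority": int(m[2]), "offered": {}, "rejected_on": None}
            results.append(cur)
        elif cur is None:
            continue  # lines before the first comparison (key lookup, xauth scan)
        elif m := ATTR.search(line):
            cur["offered"][m[1]] = m[2]
        elif m := VPI.search(line):
            # Assumption: bytes are printed in wire (network) order, so 86400 s
            # would read 0x0 0x1 0x51 0x80.
            raw = bytes(int(b, 16) for b in m[1].split())
            cur["offered"]["lifetime_s"] = int.from_bytes(raw, "big")
        elif m := REJECT.search(line):
            cur["rejected_on"] = m[1]
    return results

def mismatch_report(debug_text):
    """Map each rejection reason to the local policy priorities that failed on it."""
    report = {}
    for r in summarize(debug_text):
        report.setdefault(r["rejected_on"], []).append(r["priority"])
    return report

if __name__ == "__main__":
    for reason, prios in mismatch_report(SAMPLE).items():
        print(f"{reason}: priorities {prios}")
```

Grouping by reason shows which local policies fail only on hash, only on lifetime, or only on encryption, which narrows down the single attribute to compare against the peer's proposal.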
12-04-2006 10:39 PM
Hi,
In your crypto isakmp key configuration, can you make sure that there is no-xauth configured? For example:
crypto isakmp key cisco address x.x.x.x no-xauth
If you have the "no-xauth" configured and the tunnel still does not come up, do post the router's configuration.
Regards,
Arul
** Please rate all helpful posts **