Cisco Support Community

New Member

12.3(1) to 4.0.1 without xauth -phase 1 chokes

testing new IOS and client

host (with client 4.0.1) > 2621router > host

using the following config:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

hostname Router

memory-size iomem 10
ip subnet-zero

ip audit notify log
ip audit po max-events 100
no ip domain lookup

mpls ldp logging neighbor-changes
no ftp-server write-enable

xsm vdm
xsm edm
xsm history vdm
xsm history edm

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local myPOOL

crypto isakmp client configuration group myGROUP
 key xxx
 pool myPOOL

crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto mib topn interval 60

crypto dynamic-map myDYNMAP 10
 set transform-set mySET

crypto map myMAP client configuration address respond
crypto map myMAP 10 ipsec-isakmp dynamic myDYNMAP

interface FastEthernet0/0
 ip address
 duplex auto
 speed auto

interface Serial0/0
 no ip address

interface FastEthernet0/1
 ip address
 duplex auto
 speed auto
 crypto map myMAP

interface Serial0/1
 no ip address

ip local pool myPOOL

ip classless
ip http server
ip http secure-server

line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4


Client configured with the same group name and password (myGROUP / xxx).

Client can't connect and the debug shows this:

*Mar 1 03:43:26.075: ISAKMP (0:1): Checking ISAKMP transform 14 against priority 10 policy
*Mar 1 03:43:26.075: ISAKMP: encryption DES-CBC
*Mar 1 03:43:26.075: ISAKMP: hash MD5
*Mar 1 03:43:26.075: ISAKMP: default group 2
*Mar 1 03:43:26.079: ISAKMP: auth pre-share
*Mar 1 03:43:26.079: ISAKMP: life type in seconds
*Mar 1 03:43:26.079: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 03:43:26.079: ISAKMP (0:1): Preshared authentication offered but does not match policy!
*Mar 1 03:43:26.079: ISAKMP (0:1): atts are not acceptable. Next payload is 0

Have entered the same group name and password; any ideas why the debug says pre-share auth doesn't match policy?

Cisco Employee

Re: 12.3(1) to 4.0.1 without xauth -phase 1 chokes

Even though you're not doing XAuth, the router still needs to authenticate the group and key, so you still need the aaa config stuff. Add the following:

> aaa new-model

> aaa authentication login userauthen none

> aaa authorization network groupauthor local

> crypto map myMAP client authentication list userauthen

> crypto map myMAP isakmp authorization list groupauthor

This'll tell the router to do no user authentication (XAuth), but to authenticate the group locally on the router, which is where you've configured the group name and key.
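The reply's point is that a locally defined ISAKMP client group is useless until an AAA network-authorization list is defined and bound to the crypto map; the pre-shared key is looked up through that list, which is why the debug above reports the offered pre-share auth as not matching policy. The following script is an added example (not from the original post or from Cisco) that audits an IOS-style configuration for exactly those bindings. It assumes the configuration is available as text (for instance a saved `show running-config`), uses a constructed sample that reproduces the crypto-relevant part of the poster's config with addresses omitted, and reports what is missing before and after the reply's five lines are added.

```python
import re
from typing import Dict, List

# Constructed sample for this example: the crypto-relevant lines of the
# configuration from the question (addresses omitted, as in the post).
ORIGINAL_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local myPOOL
crypto isakmp client configuration group myGROUP
 key xxx
 pool myPOOL
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto dynamic-map myDYNMAP 10
 set transform-set mySET
crypto map myMAP client configuration address respond
crypto map myMAP 10 ipsec-isakmp dynamic myDYNMAP
interface FastEthernet0/1
 crypto map myMAP
"""

# The same configuration with the five lines from the reply appended.
FIXED_CONFIG = ORIGINAL_CONFIG + """\
aaa new-model
aaa authentication login userauthen none
aaa authorization network groupauthor local
crypto map myMAP client authentication list userauthen
crypto map myMAP isakmp authorization list groupauthor
"""


def _matches(lines: List[str], pattern: str) -> List[re.Match]:
    """All regex matches of `pattern` anchored at the start of a top-level config line."""
    return [m for m in (re.match(pattern, line) for line in lines) if m]


def audit_isakmp_group_auth(config: str) -> Dict[str, List[str]]:
    """Check each crypto map that serves ISAKMP client groups for the AAA wiring
    the router needs to look the group key up.

    Returns {crypto map name: [findings]}; an empty list means the map is wired
    correctly. The checks follow the reply: 'aaa new-model', an
    'aaa authorization network <list> local' method list, and that list bound to
    the map with 'crypto map <name> isakmp authorization list <list>'. An XAuth
    binding ('client authentication list') is optional, but if present its
    login list must exist.
    """
    lines = [line.rstrip() for line in config.splitlines()]
    has_aaa = "aaa new-model" in lines
    groups = [m.group(1) for m in _matches(lines, r"crypto isakmp client configuration group (\S+)")]
    authz_lists = {m.group(1): m.group(2).split()
                   for m in _matches(lines, r"aaa authorization network (\S+) (.+)")}
    login_lists = {m.group(1) for m in _matches(lines, r"aaa authentication login (\S+)\s")}
    # A map that hands out client addresses or references a dynamic map serves remote-access peers.
    client_maps = {m.group(1) for m in _matches(
        lines, r"crypto map (\S+) (?:client configuration address|\d+ ipsec-isakmp dynamic)")}
    map_authz = {m.group(1): m.group(2)
                 for m in _matches(lines, r"crypto map (\S+) isakmp authorization list (\S+)")}
    map_xauth = {m.group(1): m.group(2)
                 for m in _matches(lines, r"crypto map (\S+) client authentication list (\S+)")}

    report: Dict[str, List[str]] = {}
    for cmap in sorted(client_maps):
        findings: List[str] = []
        if not has_aaa:
            findings.append("'aaa new-model' is absent, so no authorization list can run")
        alist = map_authz.get(cmap)
        if alist is None:
            findings.append(f"no 'crypto map {cmap} isakmp authorization list <list>'; "
                            f"group(s) {', '.join(groups) or '(none)'} cannot be authorized")
        elif alist not in authz_lists:
            findings.append(f"authorization list '{alist}' is bound to the map but never defined")
        elif groups and "local" not in authz_lists[alist]:
            findings.append(f"groups are defined locally but list '{alist}' uses "
                            f"'{' '.join(authz_lists[alist])}', not 'local'")
        xlist = map_xauth.get(cmap)
        if xlist is not None and xlist not in login_lists:
            findings.append(f"XAuth login list '{xlist}' is bound to the map but never defined")
        report[cmap] = findings
    return report


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("with reply's lines", FIXED_CONFIG)):
        for cmap, findings in audit_isakmp_group_auth(cfg).items():
            print(f"[{label}] crypto map {cmap}: {'OK' if not findings else ''}")
            for finding in findings:
                print(f"  - {finding}")
```

Run against the original configuration the audit reports two findings for myMAP (no `aaa new-model`, no `isakmp authorization list` binding); with the reply's lines added it reports none. The third branch catches a list that is bound but never defined, and the fourth catches a list that exists but does not use the `local` method even though the groups live on the router, both of which produce the same symptom as the poster's debug.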
