Cisco Support Community

New Member

Crypto isakmp identity

I have three 837 routers, each one of them with a VPN to the others.

I have authentication pre-share and crypto isakmp identity hostname (because I need VPN clients).

When I run debug crypto isakmp I get the following:

*Mar 1 00:14:16.231: ISAKMP: received ke message (1/1)

*Mar 1 00:14:16.231: ISAKMP (0:0): SA request profile is (NULL)

*Mar 1 00:14:16.231: ISAKMP: Created a peer struct for, peer port


*Mar 1 00:14:16.231: ISAKMP: Locking peer struct 0x8179BE5C, IKE refcount 1 for


*Mar 1 00:14:16.231: ISAKMP (0:0): Setting client config settings 8156AEE0

*Mar 1 00:14:16.231: ISAKMP (0:0): (Re)Setting client xauth list and state

*Mar 1 00:14:16.231: ISAKMP: local port 500, remote port 500

*Mar 1 00:14:16.235: ISAKMP: set new node 0 to CONF_XAUTH

*Mar 1 00:14:16.235: ISAKMP: insert sa successfully sa = 8156B30C

*Mar 1 00:14:16.235: ISAKMP (0:1): Can not start Aggressive mode, trying Main m


*Mar 1 00:14:16.235: ISAKMP: Looking for a matching key for in de


*Mar 1 00:14:16.235: ISAKMP (0:1): No pre-shared key with!

*Mar 1 00:14:16.235: ISAKMP (0:1): No Cert or pre-shared address key.

*Mar 1 00:14:16.235: ISAKMP (0:1): construct_initial_message: Can not start Main mode

*Mar 1 00:14:16.235: ISAKMP (0:1): purging SA., sa=8156B30C, delme=8156B30C

*Mar 1 00:14:16.235: ISAKMP (0:1): purging node -1284547857

*Mar 1 00:14:16.239: ISAKMP: Unlocking IKE struct 0x8179BE5C for declare_sa_dead(), count 0

Both routers have this configuration:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

I see this with sh crypto isakmp key

acabats#sh crypto isakmp key
Keyring      Hostname/Address      Preshared Key
default      girona                acabats
             barcelona             acalona

and the other

barcelona#sh crypto isakmp key

Hostname/Address Preshared Key

default acabats acalona : girona barcelona

But I don't know the meaning of the default.

Can anybody help me, please?
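An added example, not part of the original thread: a small Python triage script for the debug output posted in the question. It rejoins terminal-wrapped lines, groups messages by SA id, and flags the three failure messages seen above; the function names and label strings are this example's own.

```python
import re

# Debug lines copied from the post above (peer addresses were already
# stripped there); the wrapped line is kept wrapped to exercise rejoining.
SAMPLE = """\
*Mar 1 00:14:16.235: ISAKMP: insert sa successfully sa = 8156B30C
*Mar 1 00:14:16.235: ISAKMP (0:1): Can not start Aggressive mode, trying Main m
*Mar 1 00:14:16.235: ISAKMP (0:1): No pre-shared key with!
*Mar 1 00:14:16.235: ISAKMP (0:1): No Cert or pre-shared address key.
*Mar 1 00:14:16.235: ISAKMP (0:1): construct_initial_message: Can not start Mai
n mode
*Mar 1 00:14:16.235: ISAKMP (0:1): purging SA., sa=8156B30C, delme=8156B30C
"""

LINE = re.compile(r"^\*(?P<ts>\w+ +\d+ [\d:.]+): ISAKMP(?: \((?P<sa>\d+:\d+)\))?: (?P<msg>.*)$")

# Message fragment -> triage label (labels are this example's own wording).
SIGNATURES = [
    ("No pre-shared key with", "no-psk-for-peer"),
    ("No Cert or pre-shared address key", "no-cert-or-address-key"),
    ("Can not start Main mode", "main-mode-not-started"),
]

def rejoin(text):
    """Merge terminal-wrapped continuation lines into the line they belong to."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue  # skip blank lines left by copy/paste
        if raw.startswith("*") or not out:
            out.append(raw)  # a new timestamped debug line
        else:
            out[-1] += raw  # wrapped mid-word, so join without a separator
    return out

def triage(text):
    """Return {sa_id: [labels]} for SAs that hit a known failure signature."""
    findings = {}
    for line in rejoin(text):
        m = LINE.match(line)
        if not m or not m["sa"]:
            continue  # not an ISAKMP line, or not tied to an SA id
        for needle, label in SIGNATURES:
            if needle in m["msg"] and label not in findings.setdefault(m["sa"], []):
                findings[m["sa"]].append(label)
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```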

New Member

Re: Crypto isakmp identity

It looks to me that your PreShared keys do not match.

Try setting all the routers with the same Preshared Key and (this isn't exactly the most secure method but it works) add this command

crypto isakmp key *insert preshared key here* address

There may be better ways of fixing this, but this is a fall back option.

New Member

Re: Crypto isakmp identity

What are your crypto access-lists?

Do you have the following statement(s)

isakmp key ***** address x.x.x.x netmask

isakmp identity address

The PIX has a default ISAKMP policy; if you do not specify certain isakmp options, or the same options, the PIX will use its default. This might be what it is, but I'm not sure what acalona and girona are.