Cisco Support Community
Community Member

Ike proposal in VPN3000

I am trying to connect Vpn tunnel between VPN3000 (only basegroup with pre-shared key) and Pix 501. The Pix has dynamic assigned ip adress on the outside interface. I get an error "Xauth required but selected Proposal does not support xauth,

Check priorities of ike xauth proposals in ike proposal list" when trying to connect. I have checked the basegroup for IPSEC:SA (ESP-DES-MD5)and then the Configuration | Policy Management | Traffic Management | Security Associations for ESP-DES-MD5. In this configuration the IKE Proposal was set to IKE-DES-MD5. And when i looked in there the Authentication Mode are "preshared keys" as it should be. I don´t no any other place to look. Here is my Pix config.

access-list inside_access_in permit ip any any

access-list outside_access_in permit icmp any any echo-reply

access-list test permit ip

access-list crypto-acl permit ip

global (outside) 15 interface

nat (inside) 15 0 0

static (inside,outside) access-list test 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address crypto-acl

crypto map outside_map 20 set peer

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address netmask no-xauth no-config-mode

isakmp keepalive 10 10

isakmp log 100

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

I would be very grateful for an answer. /Jonny

Community Member

Re: Ike proposal in VPN3000

authentication mode for IKE and SA should be:

preshared-key (XAuth)

CreatePlease to create content