New Member

IPSec between cisco and D-Link DI-804V?


Is anybody successfully running IPsec between Cisco and D-Link DI-804V?

I'm having a problem with this. -- cisco -- internet -- di-804v --

If I replace either of them with a FreeBSD box running racoon for ISAKMP, everything works fine.


crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key plapla address

crypto ipsec transform-set mart esp-3des esp-md5-hmac

crypto map staticmart 10 ipsec-isakmp
 set peer
 set transform-set mart
 set pfs group1
 match address 108

interface Serial2/0
 ip address
 crypto map staticmart

ip route Serial2/0

access-list 108 permit ip

I tracked the problem down to the point where the Cisco sends an ID payload which appears to be different from what the DI-804V expects, and this causes negotiations to fail.

Any hints on how to overcome it? Or do I just have to accept that Cisco's and D-Link's implementations of IPsec are not compatible?

Cisco debug:

17:25:00: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
17:25:00: ISAKMP (1): ID payload
        next-payload : 8
        type : 1
        addr :
        protocol : 17
        port : 0
        length : 8
17:25:00: ISAKMP (1): Total payload length: 12
17:25:00: CryptoEngine0: generate hmac context for conn id 1
17:25:00: CryptoEngine0: clear dh number for conn id 1
17:25:00: ISAKMP (0:1): sending packet to my_port 500 peer_port 500 (R) MM_KEY_EXCH
17:25:00: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
17:25:00: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
17:25:07: ISAKMP (0:1): received packet from dport 500 sport 500 (R) QM_IDLE
17:25:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
17:25:07: ISAKMP (0:1): retransmitting due to retransmit phase 1
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
17:25:07: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
17:25:07: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. QM_IDLE

and DI-804V:

IPsec[26]:Initiating Main Mode
IKE[27]:[estnet] Initializing IKE Main Mode
IKE[28]:[estnet] TX >> MM_I1 :
IPsec[29]:Packet retransmission, timeout in 10 seconds for #1
IPsec[30]:NO outbound SA found
IKE[31]:[estnet] RX << MM_R1 :
IKE[33]:[estnet] TX >> MM_I2 :
IPsec[34]:Packet retransmission, timeout in 10 seconds for #1
IPsec[35]:Find_outsa() not found
IPsec[36]:NO outbound SA found
IKE[37]:[estnet] RX << MM_R2 :
IKE[38]:[estnet] TX >> MM_I3 :
IPsec[39]:Packet retransmission, timeout in 10 seconds for #1
IPsec[40]:Find_outsa() not found
IPsec[41]:NO outbound SA found
IKE[42]:[estnet] RX << MM_R3 :
IPsec[43]:loglog[3] protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
IPsec[44]:Find_outsa() not found
IPsec[45]:NO outbound SA found
IPSec[46]:*52*DUMP SA: INBOUND:0/64 OUTBOUND:0/64
IPSec[47]:DUMP ST: 1/64
IPSec[48]:DUMP MEM_ALLOC: 24/75
IPsec[50]:Packet retransmission, timeout in 20 seconds for #1
IPsec[51]:Packet retransmission, timeout in 40 seconds for #1
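
The DI-804V's complaint in the post above, as an added example that is not part of the thread: a Python parser for the ISAKMP Identification payload that applies the Phase 1 rule from RFC 2407 section 4.6.2 (protocol/port must be 0/0 or 17/500). The function names and the 192.0.2.1 address are assumptions; the other field values are taken from the Cisco debug output.

```python
import ipaddress
import struct
from dataclasses import dataclass

ID_IPV4_ADDR = 1                      # "type : 1" in the Cisco debug
ALLOWED_PHASE1 = {(0, 0), (17, 500)}  # (protocol, port) pairs named in the DI-804V log


@dataclass
class IdPayload:
    next_payload: int
    length: int
    id_type: int
    protocol: int
    port: int
    data: bytes


def build_id_payload(next_payload: int, protocol: int, port: int, addr: str) -> bytes:
    """Encode an ID_IPV4_ADDR payload: 4-byte generic header, 4-byte ID header, address."""
    body = struct.pack("!BBH", ID_IPV4_ADDR, protocol, port)
    body += ipaddress.IPv4Address(addr).packed
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(buf: bytes) -> IdPayload:
    """Decode an already-decrypted ID payload, rejecting truncated or inconsistent lengths."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its fixed headers")
    nxt, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("payload length field does not match buffer")
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR and len(data) != 4:
        raise ValueError("ID_IPV4_ADDR must carry exactly 4 address bytes")
    return IdPayload(nxt, length, id_type, proto, port, data)


def phase1_id_acceptable(p: IdPayload) -> bool:
    """Apply the Phase 1 rule: protocol/port must be 0/0 or 17/500."""
    return (p.protocol, p.port) in ALLOWED_PHASE1


# Constructed sample: debug values from the post; 192.0.2.1 is a placeholder address.
CISCO_ID = build_id_payload(next_payload=8, protocol=17, port=0, addr="192.0.2.1")

if __name__ == "__main__":
    p = parse_id_payload(CISCO_ID)
    print(p, "acceptable:", phase1_id_acceptable(p))
```

The encoded sample is 12 bytes, matching the "Total payload length: 12" line in the debug, and the 17/0 pair fails the check just as the DI-804V log reports.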

New Member

Re: IPSec between cisco and D-Link DI-804V?

How do you configure the D-Link router?

Is it configured for 3DES as well? Because I think the default should be DES.


New Member

Re: IPSec between cisco and D-Link DI-804V?

Both are configured for 3DES and, as I said, it works well with FreeBSD.

New Member

Re: IPSec between cisco and D-Link DI-804V?

Have you resolved the problem of using a D-Link DI-804V to the Cisco?

If so, could you post the solution?


New Member

Re: IPSec between cisco and D-Link DI-804V?

No, I'm pretty sure it is a bug in Cisco IOS or D-Link is following standards too strictly. My CCO account is not good enough to open a ticket, so I just have to wait in hope that the next IOS release or next DI-804V firmware will solve the problem.