02-10-2003 08:10 AM - edited 02-21-2020 12:20 PM
Hi all,
I have a big problem about a very simple configuration:
a VPN between a client Cisco and a Firewall Cisco.
The crypto ipsec isa command dispaly the following output:
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
And from the client side it seems that there are any respons from the remote peer
Please let me know as soon as possible
Bye
02-10-2003 10:17 AM
On the Pix are you DES or 3DES?
I think if you are DES you have to use "hash md5" in your isakmp policy. If that doesn't work try an older client version such as the latest 3.5x.
Or get the 3DES key:)
02-10-2003 01:52 PM
Hello!
If you are using DES make sure that you have following commands in your config:
isakmp policy priority 1 authentication-preshare
isakmp policy priority 1 encryption des
isakmp policy priority 1 hash md5
isakmp policy priority 1 group2
isakmp policy priority 1 lifetime 86400
also in your ipsec config you should have:
crypto ipsec transform-set your set esp-des esp-md5-hmac
just use name of your set
it should work
good luck
Anton
02-11-2003 12:50 PM
Hi,
VPN Client 3.6 does support for DES/SHA is no longer available. Pls refer the below URL for the same:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/3_6/361_clnt.htm#xtocid18
Regards.
Arul
02-12-2003 12:53 AM
Thanks all,
All seems to work correctly with this configuration:
- the encryption and verification: DES/MD5
- Client version 3.5.4
I am going to try with the newer client version
Bye GV
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide