Cisco Support Community
Community Member

VPN 857W to Pix515 Problem

Hello,

I have a PIX 515 with 10 VPNs with 501s that work well.

I am trying to configure an 857W to do this and have a problem:

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS

PIX config:

sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map_1 170 match address TOULOUSE-MAP
crypto map outside_map_1 170 set peer 81.x.x.x
crypto map outside_map_1 170 set transform-set ESP-DES-MD5
isakmp key ******** address 81.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

And the 857W:

crypto isakmp policy 2
 hash md5
 group 2
crypto isakmp key vpnkeyadministrat0r address 213.223.x.x
!
!
crypto ipsec transform-set ESD-DES-MD5 esp-des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to213.223.x.x
 set peer 213.223.x.x
 set transform-set ESD-DES-MD5
 match address 101

1 REPLY
Cisco Employee

Re: VPN 857W to Pix515 Problem

You're failing ISAKMP because your proposals don't match. On the 837 do:

crypto isakmp policy 2
   authentication pre-share

IOS routers (and PIX's for that matter) default to using certificates for Phase 1 authentication, so you have to actually tell them to use the pre-shared key.
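
The mismatch described in the reply can be read directly out of the PIX debug. The Python sketch below is an added example, not part of the original thread: it parses the three offered transforms and lists which attributes differ from PIX policy 20. The names `parse_offers`, `mismatches` and `POLICY_20` are made up for the example, the sample text is condensed from the debug in the post, and comparing every attribute for plain equality is a simplifying assumption.

```python
import re

# Constructed sample condensed from the post's PIX debug (three offers vs policy 20).
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
"""

# PIX "isakmp policy 20" from the post, written in the debug's vocabulary.
POLICY_20 = {"encryption": "DES-CBC", "hash": "MD5", "group": "2",
             "auth": "pre-share", "lifetime": 86400}
ATTR = re.compile(r"ISAKMP: (encryption|hash|default group|auth|life duration \(VPI\) of) (.+)")

def parse_offers(text):
    offers, cur = {}, {}
    for line in text.splitlines():
        if (m := re.search(r"Checking ISAKMP transform (\d+)", line)):
            cur = offers.setdefault(int(m.group(1)), {})
        elif (m := ATTR.match(line)):
            key, val = m.group(1).replace("default ", ""), m.group(2).strip()
            if key.startswith("life"):  # VPI bytes are big-endian: 0x0 0x1 0x51 0x80
                key, val = "lifetime", int.from_bytes(bytes(int(b, 16) for b in val.split()), "big")
            cur[key] = val
    return offers

def mismatches(offer, policy=POLICY_20):
    # Assumption: an offer is acceptable only if every attribute equals the policy's.
    return sorted(k for k, v in policy.items() if offer.get(k) != v)

if __name__ == "__main__":
    for n, offer in parse_offers(DEBUG).items():
        print(f"transform {n}:", mismatches(offer) or "acceptable")
```

Transform 2 is the only offer that differs from policy 20 in a single attribute, `auth`, which is the attribute the reply's `authentication pre-share` line changes.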
