New Member

VPN Cisco Router - Cisco Asa

Hello Experts,

I'm trying to create a VPN with a Cisco router and a Cisco ASA 5510 version 7.2(2).

This is the output I get from the debug on the router (debug crypto isa err):

VPNGTWY_02(config)#

*Dec 11 17:00:09.354: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!

*Dec 11 17:00:09.354: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

*Dec 11 17:00:10.146: ISAKMP:(0:178:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer x.x.x.x)

In theory, the Cisco ASA (which I don't have control of) has the following:

Phase 1:

PRESHARED KEY 123

encryption protocol: IPSEC

Diffie Hellman: GROUP 2

encryption: 3DES

hash: SHA

lifetime: 86400 SECONDS

Mode: MAIN

My questions are as follows:

1- Can somebody provide me with the correct isakmp configuration for phase 1?

2- What is the command to set up the tunnel in Main mode?

3- Any ideas what that error message means?

Thanks,

Randall

2 REPLIES
Hall of Fame Super Blue

Re: VPN Cisco Router - Cisco Asa

Randall

It looks like it is getting past phase 1, i.e. QM_IDLE.

When it doesn't work, if you do "sh crypto isa", what is the output?

Could you post your router settings for phase 1 and 2 off the router and off the ASA?

Jon

New Member

Re: VPN Cisco Router - Cisco Asa

Hi Jon,

Thanks for your response. I appreciate your help.

This is the info:

--> On Firewall:

Phase 1

crypto isakmp enable WAN

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

--> On router Phase 1

crypto isakmp policy 21

encr 3des

authentication pre-share

group 2

*********PHASE 2*********

--> Firewall

Phase 2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (possible configuration in ASA for BcoUno)

crypto map WAN_map 20 match address WAN_20_cryptomap

crypto map WAN_map 20 set pfs

crypto map WAN_map 20 set peer 1.1.1.1

crypto map WAN_map 20 set transform-set ESP-3DES-SHA

crypto map WAN_map interface WAN

--> Phase 2 Router

crypto ipsec transform-set test3des esp-3des esp-sha-hmac

crypto map 3desmap 17 ipsec-isakmp

set peer 2.2.2.2

set transform-set test3des

set pfs group2

match address vpn

ip access-list extended vpn

permit ip 10.0.4.0 0.0.0.255 10.0.5.0 0.0.0.255
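An added example, not part of either poster's messages: a small Python check that compares the two posted phase 1 policies attribute by attribute, filling in keywords the router config omits. The default values (DES, SHA, RSA signatures, group 1, 86400 seconds) are an assumption about classic IOS behaviour, and the function names are hypothetical.

```python
import re

# Assumed classic IOS defaults for keywords omitted from an ISAKMP policy
# (an assumption of this example, not stated in the thread).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
ALIASES = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
           "authentication": "authentication", "group": "group",
           "lifetime": "lifetime"}
MUST_MATCH = ("encryption", "hash", "authentication", "group")

def parse_policies(config, defaults):
    """Return {priority: attrs} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue  # the thread separates every line with a blank one
        m = re.match(r"crypto isakmp policy (\d+)$", line.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), dict(defaults))
        elif current is not None and words[0] in ALIASES and len(words) >= 2:
            current[ALIASES[words[0]]] = words[1]
        else:
            current = None  # any other command ends the policy block
    return policies

def mismatches(local, remote):
    """Attributes that differ between two phase 1 proposals."""
    return {k: (local[k], remote[k]) for k in MUST_MATCH if local[k] != remote[k]}

def find_match(local_policies, remote_policies):
    """First (local, remote) priority pair whose proposals agree, else None."""
    for lp in sorted(local_policies):
        for rp in sorted(remote_policies):
            if not mismatches(local_policies[lp], remote_policies[rp]):
                return lp, rp
    return None

# Phase 1 settings as posted in the thread.
ROUTER = ("crypto isakmp policy 21\n encr 3des\n"
          " authentication pre-share\n group 2")
ASA = ("crypto isakmp policy 10\n authentication pre-share\n encryption 3des\n"
       " hash sha\n group 2\n lifetime 86400\ntunnel-group 1.1.1.1 ipsec-attributes")

router = parse_policies(ROUTER, IOS_DEFAULTS)
asa = parse_policies(ASA, IOS_DEFAULTS)
print("matching policy pair:", find_match(router, asa))
```

Under the assumed defaults, router policy 21 and ASA policy 10 agree on all four compared attributes, which is consistent with the QM_IDLE state in the posted debug output.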
