
IPSec: Preshared authentication offered but does not match policy

Hi All,

I have an issue with a Site to site VPN.

Our site is a Cisco 2900 - The remote is a Juniper.

I receive the following message in the debug during Phase 1 negotiation:

ISAKMP:(0):Checking ISAKMP transform 1 against priority 11 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      keylength of 256

ISAKMP:      hash SHA

ISAKMP:      default group 2

ISAKMP:      auth pre-share

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

ISAKMP:(0):Preshared authentication offered but does not match policy!

ISAKMP:(0):atts are not acceptable. Next payload is 0

ISAKMP:(0):no offers accepted!

ISAKMP:(0): phase 1 SA policy not acceptable! (local My.IP.ADD.RES remote RE.MO.TE.IP)

ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

ISAKMP:(0): Failed to construct AG informational message.

ISAKMP:(0): sending packet to RE.MO.TE.IP my_port 500 peer_port 500 (R) AG_NO_STATE

I have the following config on my policy:

crypto isakmp policy 11

encr aes 256

authentication pre-share

group 2

lifetime 28800

It looks to match with what is coming in.

Can someone tell me what the "Preshared authentication offered but does not match policy!" message exactly means?

What can be the main cause of this error message?

Thanks in advance


IPSec: Preshared authentication offered but does not match polic

I wonder if it is the Juniper end that is not doing preshared authentication? Clearly there is some mismatch between what you have configured and what is configured on the Juniper. So a review of both sides would be appropriate.
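One way to carry out the Cisco half of the side-by-side review suggested in the reply, as an added example that is not code from the thread: it parses the offered transform from the debug output and the local policy, decodes the VPI lifetime bytes, and lists the attributes that differ. The function names and the `DEFAULTS` table (IOS defaults for lines the configuration omits) are assumptions of this example.

```python
import re
# Constructed sample input: the transform and policy quoted in the post above.
DEBUG = """\
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
"""
CONFIG = ("crypto isakmp policy 11\n encr aes 256\n authentication pre-share\n"
          " group 2\n lifetime 28800\n")
# Assumed IOS defaults for omitted lines; confirm with "show crypto isakmp policy".
DEFAULTS = {"encryption": "des", "keylength": None, "hash": "sha",
            "auth": "rsa-sig", "group": 1, "lifetime": 86400}

def parse_offer(debug):
    """Read the offered Phase 1 attributes from 'debug crypto isakmp' lines."""
    def grab(pattern):
        m = re.search(r"^ISAKMP:\s+" + pattern, debug, re.M)
        return m.group(1) if m else None
    klen = grab(r"keylength of (\d+)")
    # The lifetime is printed as big-endian bytes: 0x0 0x0 0x70 0x80 -> 28800.
    vpi = grab(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+ ?)+)")
    return {
        "encryption": grab(r"encryption (\S+)").split("-")[0].lower(),  # AES-CBC -> aes
        "keylength": int(klen) if klen else None,
        "hash": grab(r"hash (\S+)").lower(),
        "auth": grab(r"auth (\S+)"),
        "group": int(grab(r"default group (\d+)")),
        "lifetime": int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big"),
    }

def parse_policy(config):
    """Read one 'crypto isakmp policy' block; omitted lines keep DEFAULTS."""
    policy = dict(DEFAULTS)
    for words in map(str.split, config.splitlines()):
        if words[:1] in (["encr"], ["encryption"]):
            policy["encryption"] = words[1]
            if words[1] == "aes":  # bare "encr aes" means a 128-bit key
                policy["keylength"] = int(words[2]) if len(words) > 2 else 128
        elif words[:1] in (["authentication"], ["hash"]):
            policy[words[0][:4]] = words[1]  # keys are "auth" and "hash"
        elif words[:1] in (["group"], ["lifetime"]):
            policy[words[0]] = int(words[1])
    return policy

def mismatches(offer, policy):
    """Names of the attributes where the offer differs from the local policy."""
    return [k for k in DEFAULTS if offer[k] != policy[k]]
```

For the values in the post, `mismatches(parse_offer(DEBUG), parse_policy(CONFIG))` returns an empty list: the printed attributes, including the lifetime (0x7080 is 28800 seconds), all agree with policy 11.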


