Cisco Support Community
IPsec VPN Problems Between Cisco 1711 & Netgear

I am trying to set up an IPsec VPN tunnel between a Cisco 1711 and Netgear FVS318 router/firewall. Phase1 is establishing but Phase2 is not. Debug output is provided below.

Netgear Settings:

Encryption: 3DES SHA-1 with Pre-share key, DH Group 2(1024 Bit), SA Lifetime 86400sec

ESP Configuration: 3DES SHA-1

Cisco Configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ciscotest address REMOTE_IP
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer REMOTE_IP
 set transform-set vpn
 match address 110
interface FastEthernet0
 crypto map vpn
access-list 110 permit ip

Cisco Debug:

ISAKMP (0:268435457): received packet from REMOTE_IP dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -425808973 to QM_IDLE
ISAKMP:(0:1:HW:2): processing HASH payload. message ID = -425808973
ISAKMP:(0:1:HW:2): processing SA payload. message ID = -425808973
ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0:1:HW:2):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= WAN_IP, remote= REMOTE_IP,
    local_proxy= (type=4),
    remote_proxy= (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Crypto mapdb : proxy_match
        src addr     :
        dst addr     :
        protocol     : 0
        src port     : 0
        dst port     : 0
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac }
ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local WAN_IP remote REMOTE_IP)
ISAKMP: set new node -2125033073 to QM_IDLE
        spi 2215118544, message ID = -2125033073
ISAKMP:(0:1:HW:2): sending packet to REMOTE_IP my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(0:1:HW:2):purging node -2125033073
ISAKMP:(0:1:HW:2):deleting node -425808973 error TRUE reason "QM rejected"
ISAKMP (0:268435457): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -425808973: state = IKE_QM_READY
ISAKMP:(0:1:HW:2):Node -425808973, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_READY
Sep 16 10:43:44 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at REMOTE_IP

ISAKMP:(0:1:HW:2):purging node -425808973


Re: IPsec VPN Problems Between Cisco 1711 & Netgear

Phase 2 is not matching.

Make sure you use ESP instead of AH.

no crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac

crypto ipsec transform-set vpn esp-3des esp-sha-hmac

Please try again after clearing the SAs.
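As an added illustration (not code from the thread or from Cisco), a small Python script that reads the debug lines from the original post, decodes the "SA life duration (VPI)" bytes, and lists which transforms in the local transform-set the peer never proposed. The log excerpt is constructed from the post; the transform-set strings are the before and after versions given in the reply.

```python
import re

# Constructed excerpt of the 'debug crypto isakmp' / 'debug crypto ipsec' output from the post.
DEBUG_LOG = """\
ISAKMP: transform 1, ESP_3DES
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac }
ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local WAN_IP remote REMOTE_IP)
"""

def lifetime_seconds(vpi_bytes):
    """Decode the big-endian, variable-length 'SA life duration (VPI)' byte string."""
    value = 0
    for tok in vpi_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value

def offered_transforms(log):
    """Transforms the peer proposed, taken from the 'not supported for identity' line."""
    m = re.search(r"not supported for identity:\s*\{([^}]*)\}", log)
    return set(m.group(1).split()) if m else set()

def explain_mismatch(log, local_transform_set):
    """Compare the peer's phase-2 proposal with the local transform-set and name the gap.

    local_transform_set is the transform list as written in the IOS config,
    e.g. 'ah-sha-hmac esp-3des esp-sha-hmac'.
    """
    offered = offered_transforms(log)
    local = set(local_transform_set.split())
    m = re.search(r"SA life duration \(VPI\) of\s+([0-9a-fx ]+)", log)
    lifetime = lifetime_seconds(m.group(1)) if m else None
    return {
        "offered": offered,
        "local": local,
        "lifetime_seconds": lifetime,
        "missing_from_peer": local - offered,   # required locally, never proposed by the peer
        "extra_from_peer": offered - local,     # proposed by the peer, not in the local set
        "mismatch": local != offered,
    }

if __name__ == "__main__":
    print(explain_mismatch(DEBUG_LOG, "ah-sha-hmac esp-3des esp-sha-hmac"))
    print(explain_mismatch(DEBUG_LOG, "esp-3des esp-sha-hmac"))
```

The first call reports ah-sha-hmac as missing from the peer's proposal, which is exactly the reason the router logs "transform proposal not supported for identity"; the second, with AH removed, reports no mismatch.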


Re: IPsec VPN Problems Between Cisco 1711 & Netgear

I just took out AH as you mentioned; unfortunately it still does not work.

Re: IPsec VPN Problems Between Cisco 1711 & Netgear

Are you getting the same mismatch error in phase 2 after the change?

Is the Netgear using the Perfect Forward Secrecy setting on phase 2?