Cisco Support Community
Community Member

Phase 2 help!

I am trying to set up a VPN with a service provider. Here is what they have given me for phase 2:

PFS (On/Off):
DH Group:
Key Lifetime:
Autokey Keepalive (On/Off):
Replay Detection (On/Off):


Here is what I configured:

crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac

crypto map VPN local-address Serial0/0/1:1
crypto map VPN 1 ipsec-isakmp
 set peer
 set security-association lifetime seconds 28800
 set transform-set VPN
 set pfs group5
 match address SS_VPN

Currently Phase 2 is not working. Please let me know if you need more of the config.



Phase 2 help!

Are you sure phase 1 is completing successfully?

Those parameters that you mention are for Phase 1 and don't have anything to do with Phase 2.

Did they give you a preshared key (which is configured under the tunnel-group)? Also, the PFS, although it is also DH, is a second DH algorithm for extra security. Double check if they have the PFS configured also.

Either way, your config should look something like this (I have not included the NAT exempt statements):

access-list cryptoACL extended permit ip

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address cryptoACL
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key cisco123

Please remember to rate and select a correct answer
VIP Purple

Re: Phase 2 help!

He is using an IOS-router, not an ASA.

Based on the info, the config looks fine. But the question is the same: Is Phase one finishing?

What is the output of "show crypto isakmp sa"? If it's not QM_IDLE, it should be debugged with "debug crypto isakmp".

Don't stop after you've improved your network! Improve the world by lending money to the working poor:

Phase 2 help!

Well, I overlooked that. But I would still check to see if the transform set matches the other end and if DH is configured in phase 2 also (PFS config).
Community Member

Re: Phase 2 help!

Here are some show commands. There is zero output from debug crypto ipsec.

MC-2550-DC-VG01#sh crypto isa sa
dst             src             state          conn-id    slot status
x.x.x.x        x.x.x.x       QM_IDLE           1055    0 ACTIVE

MC-2550-DC-VG01#sh crypto ips sa

interface: Serial0/0/1:1
    Crypto map tag: VPN, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1:1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Output from debug crypto isa:

*Aug 28 09:30:16.987 CST: ISAKMP:(1055):purging node 558338111
*Aug 28 09:30:20.827 CST: ISAKMP: set new node 1913143294 to QM_IDLE
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 1200032232, message ID = 1913143294
*Aug 28 09:30:20.827 CST: ISAKMP:(1055): seq. no 0x3AB85382
*Aug 28 09:30:20.827 CST: ISAKMP:(1055): sending packet to x.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Sending an IKE IPv4 Packet.
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):purging node 1913143294
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
*Aug 28 09:30:20.827 CST: ISAKMP:(1055):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Aug 28 09:30:20.867 CST: ISAKMP (0:1055): received packet from x.x.x.x dport 500 sport 500 Global (R) QM_IDLE
*Aug 28 09:30:20.871 CST: ISAKMP: set new node 580432525 to QM_IDLE
*Aug 28 09:30:20.871 CST: ISAKMP:(1055): processing HASH payload. message ID = 580432525
*Aug 28 09:30:20.871 CST: ISAKMP:(1055): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 0, message ID = 580432525, sa = 4AE05AF0
*Aug 28 09:30:20.871 CST: ISAKMP:(1055): DPD/R_U_THERE_ACK received from peer x.x.x.x, sequence 0x3AB85382

and it repeats over and over.
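The pattern in the two show outputs above (an ISAKMP SA in QM_IDLE, but empty ESP SA sections and a zero outbound SPI) is the signature of "Phase 1 complete, Phase 2 never negotiated". This added Python example, not from the thread or from Cisco, parses IOS output of that shape and reports that state along with the crypto-ACL identities; the sample output is constructed to mirror the posted one, and its addresses and identities are made up.

```python
import re

# Constructed sample output modelled on the thread's posts; the addresses and
# the crypto-ACL identities are made up (the originals were redacted).
ISAKMP_SA = """dst             src             state          conn-id    slot status
203.0.113.10    198.51.100.20   QM_IDLE           1055    0 ACTIVE
"""

IPSEC_SA = """interface: Serial0/0/1:1
    Crypto map tag: VPN, local addr 198.51.100.20
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.0.113.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

def phase1_up(isakmp_sa: str) -> bool:
    """Phase 1 is complete when an ISAKMP SA sits in state QM_IDLE."""
    for line in isakmp_sa.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[2] == "QM_IDLE":
            return True
    return False

def phase2_state(ipsec_sa: str) -> dict:
    """Pull the crypto-ACL identities, outbound SPI and ESP SA presence."""
    ident = dict(re.findall(
        r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)", ipsec_sa))
    spi = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", ipsec_sa)
    # A negotiated SA lists 'spi:' lines directly under an 'esp sas:' header;
    # the thread's output has the headers with nothing beneath them.
    esp = re.search(r"(?:in|out)bound esp sas:\s*\n\s+spi:", ipsec_sa) is not None
    return {"local": ident.get("local"), "remote": ident.get("remote"),
            "outbound_spi": spi.group(1) if spi else None, "esp_sa_present": esp}

def diagnose(isakmp_sa: str, ipsec_sa: str) -> str:
    """Classify the tunnel from the two show outputs."""
    if not phase1_up(isakmp_sa):
        return "phase1-down"
    p2 = phase2_state(ipsec_sa)
    if p2["outbound_spi"] in (None, "0x0") and not p2["esp_sa_present"]:
        # Phase 1 is fine but Quick Mode produced no SAs: compare the crypto
        # ACL identities and transform set with what the peer expects.
        return "phase1-up-phase2-missing"
    return "tunnel-up"
```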

VIP Purple

Re: Phase 2 help!

   local  ident (addr/mask/prot/port): (

   remote ident (addr/mask/prot/port): (

You have to adjust your crypto-ACL and change the destination to the network that your peer gave you.


Community Member

Re: Phase 2 help!

They gave me "any". I think that is what all the 0s mean.

We are supposed to be able to send web traffic out of it and have them do the webfiltering.

VIP Purple

Re: Phase 2 help!

OK, quite uncommon, but then the remote identity is OK. Ask the other side if they see anything in the debugs.
