IPsec phase 1

bjornarsb
Level 4

We are trying to establish an IPsec connection between two devices.

The Cisco router says:

Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy

Sep 9 13:09:41.603 UTC: ISAKMP: encryption 3DES-CBC

Sep 9 13:09:41.603 UTC: ISAKMP: hash MD5

Sep 9 13:09:41.603 UTC: ISAKMP: default group 1

Sep 9 13:09:41.603 UTC: ISAKMP: auth pre-share

Sep 9 13:09:41.603 UTC: ISAKMP: life type in seconds

Sep 9 13:09:41.603 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x2 0x58

Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!

Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy

Sep 9 13:09:41.603 UTC: ISAKMP: encryption 3DES-CBC

Sep 9 13:09:41.603 UTC: ISAKMP: hash MD5

Sep 9 13:09:41.603 UTC: ISAKMP: default group 1

Sep 9 13:09:41.603 UTC: ISAKMP: auth pre-share

Sep 9 13:09:41.603 UTC: ISAKMP: life type in seconds

Sep 9 13:09:41.603 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x2 0x58

Sep 9 13:09:41.607 UTC: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

But the client device has 3DES and MD5 configured:

; G1+ Advanced SNA IPSec CR Router 5 157 Version 10.6.13TM

enable

assign-access-list 101

;

template 1 default

template 1 isakmp tdes md5

template 1 destination-address

template 1 life duration seconds 10m

;

template 3 default

template 3 dynamic esp tdes sha1

template 3 source-address ppp1

template 3 destination-address

template 3 life duration seconds 10m

;

map-template 101 3

The Cisco:

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

Any ideas?

Regards

bjornarsb

5 Replies

Edison Ortiz
Hall of Fame

Bjornarsb,

In the log, it shows the router using default-group 1 while in the config it shows you entered group 2 under the ISAKMP policy 1.

Can you change the ISAKMP policy to group 1 and see if it agrees with the clients?

Seeing the whole router config will help me understand better.

Didn't help.

Here is the config:

crypto isakmp policy 1

encr 3des

authentication pre-share

crypto isakmp key johadmin address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 60 periodic

!

crypto ipsec security-association idle-time 60

!

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac

!

crypto dynamic-map DYNMAP 10

set transform-set dmvpnset

!

!

crypto map LABMAP 10 ipsec-isakmp dynamic DYNMAP

!

!

!

!

!

interface Loopback0

ip address 172.29.252.16 255.255.255.255

!

interface FastEthernet0/0

description ### mot rutercluster ###

ip address 172.29.251.16 255.255.255.192

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 192.168.7.16 255.255.255.0 secondary

ip address

duplex auto

speed auto

crypto map LABMAP

!

Bjornarsb,

You are using MD5 at the client side, while on the router side MD5 is missing:

crypto isakmp policy 1

encr 3des

authentication pre-share

crypto isakmp key johadmin address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 60 periodic

You should have

crypto isakmp policy 1

encr 3des

hash md5

.....

Thanks!

I had it configured, but not group 1 at the same time.

Good call, Edison, that should correct this issue. Take care and keep up the posts.
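
The comparison this thread works through by hand, as an added example that is not from any of the posters or from Cisco: it parses the offered transform out of the `debug crypto isakmp` lines and diffs it against the effective policy, including attributes the config leaves out. The values in `IOS_DEFAULTS` are an assumption (classic IOS defaults), and all function and variable names are made up for this illustration.

```python
import re

# Assumption: classic IOS defaults for attributes left out of a
# "crypto isakmp policy" block; check the defaults for your release.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "auth": "rsa-sig"}
CFG_KEYWORDS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
                "group": "group", "authentication": "auth"}
# Debug-output spellings mapped to config keywords.
LOG_TO_CFG = {"3DES-CBC": "3des", "DES-CBC": "des", "MD5": "md5", "SHA": "sha"}
OFFER_PATTERNS = {"encryption": r"ISAKMP:\s+encryption (\S+)",
                  "hash": r"ISAKMP:\s+hash (\S+)",
                  "group": r"ISAKMP:\s+default group (\d+)",
                  "auth": r"ISAKMP:\s+auth (\S+)"}

def parse_policy(config_text):
    """Effective attributes of one policy block: defaults plus configured lines."""
    policy = dict(IOS_DEFAULTS)
    for line in config_text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] in CFG_KEYWORDS:
            policy[CFG_KEYWORDS[words[0]]] = words[1]
    return policy

def parse_offer(debug_text):
    """Peer's first offered transform from 'debug crypto isakmp' output."""
    offer = {}
    for key, pattern in OFFER_PATTERNS.items():
        m = re.search(pattern, debug_text)
        if m:
            offer[key] = LOG_TO_CFG.get(m.group(1), m.group(1).lower())
    return offer

def mismatches(offer, policy):
    """Every (attribute, offered, configured) triple that differs."""
    return [(k, offer[k], policy[k]) for k in IOS_DEFAULTS
            if k in offer and offer[k] != policy[k]]

# Excerpt of the debug output and the three policy states from this thread.
DEBUG = """Sep 9 13:09:41.603 UTC: ISAKMP: encryption 3DES-CBC
Sep 9 13:09:41.603 UTC: ISAKMP: hash MD5
Sep 9 13:09:41.603 UTC: ISAKMP: default group 1
Sep 9 13:09:41.603 UTC: ISAKMP: auth pre-share"""
ORIGINAL = "crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2"
GROUP_ONLY = "crypto isakmp policy 1\n encr 3des\n authentication pre-share"
BOTH_FIXED = "crypto isakmp policy 1\n encr 3des\n hash md5\n authentication pre-share"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("group 1 only", GROUP_ONLY),
                      ("hash md5 + group 1", BOTH_FIXED)):
        print(name, mismatches(parse_offer(DEBUG), parse_policy(cfg)))
```

The debug output names only the first attribute that fails for each policy, so listing every difference at once shows why changing the group alone did not bring phase 1 up.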
