09-09-2006 05:24 AM - edited 03-03-2019 01:55 PM
We try to establish an ipsec connection between two devices.
The cisco router says:
Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Sep 9 13:09:41.603 UTC: ISAKMP: encryption 3DES-CBC
Sep 9 13:09:41.603 UTC: ISAKMP: hash MD5
Sep 9 13:09:41.603 UTC: ISAKMP: default group 1
Sep 9 13:09:41.603 UTC: ISAKMP: auth pre-share
Sep 9 13:09:41.603 UTC: ISAKMP: life type in seconds
Sep 9 13:09:41.603 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x2 0x58
Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
Sep 9 13:09:41.603 UTC: ISAKMP: encryption 3DES-CBC
Sep 9 13:09:41.603 UTC: ISAKMP: hash MD5
Sep 9 13:09:41.603 UTC: ISAKMP: default group 1
Sep 9 13:09:41.603 UTC: ISAKMP: auth pre-share
Sep 9 13:09:41.603 UTC: ISAKMP: life type in seconds
Sep 9 13:09:41.603 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x2 0x58
Sep 9 13:09:41.607 UTC: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
But the client device has 3DES and MD5 configured:
; G1+ Advanced SNA IPSec CR Router 5 157 Version 10.6.13TM
enable
assign-access-list 101
;
template 1 default
template 1 isakmp tdes md5
template 1 destination-address
template 1 life duration seconds 10m
;
template 3 default
template 3 dynamic esp tdes sha1
template 3 source-address ppp1
template 3 destination-address
template 3 life duration seconds 10m
;
map-template 101 3
The cisco:
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
Any ideas?
Regards
bjornarsb
09-09-2006 07:01 AM
Bjornarsb,
In the log, it shows the router using default-group 1 while in the config it shows you entered group 2 under the ISAKMP policy 1.
Can you change the ISAKMP policy to group 1 and see if it agrees with the clients?
Seeing the whole router config will help me understand better.
09-09-2006 07:28 AM
Didn't help.
Here is the config:
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key johadmin address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
crypto ipsec security-association idle-time 60
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set dmvpnset
!
!
crypto map LABMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
!
interface Loopback0
ip address 172.29.252.16 255.255.255.255
!
interface FastEthernet0/0
description ### mot rutercluster ###
ip address 172.29.251.16 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.7.16 255.255.255.0 secondary
ip address
duplex auto
speed auto
crypto map LABMAP
!
09-09-2006 07:48 AM
Bjornarsb,
You are using MD5 at the client side while on the router side MD5 is missing:
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key johadmin address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
You should have
crypto isakmp policy 1
encr 3des
hash md5
.....
09-09-2006 09:53 AM
Thanks!
I had it configured but not group 1 at the same time.
09-09-2006 10:18 AM
Good call, Edison. That should correct this issue. Take care and keep up the posts.
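The mismatch worked out in this thread can be checked mechanically. The Python sketch below is an added example, not code from any poster or from Cisco: it fills in the values classic IOS applies when a line is missing from `crypto isakmp policy` (DES, SHA, RSA signatures, group 1, stated here as an assumption about this IOS generation) and compares the result with the offer shown in the debug output. The function names are hypothetical and the lifetime attribute is not compared.

```python
import re

# Values IOS applies when a line is absent from "crypto isakmp policy"
# (assumption: classic IOS defaults of DES, SHA, RSA signatures, DH group 1).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "auth": "rsa-sig"}
CONFIG_KEYS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
               "group": "group", "authentication": "auth"}
DEBUG_VALUES = {"3DES-CBC": "3des", "DES-CBC": "des", "MD5": "md5", "SHA": "sha"}

def parse_offer(debug_text):
    """Peer's offered phase 1 attributes, taken from 'debug crypto isakmp' lines."""
    offer = {}
    for line in debug_text.splitlines():
        m = re.search(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)", line)
        if m:
            key = "group" if m.group(1) == "default group" else m.group(1)
            offer.setdefault(key, DEBUG_VALUES.get(m.group(2), m.group(2).lower()))
    return offer

def parse_policy(config_text):
    """Effective policy: defaults overridden by the two-word lines under the policy."""
    policy = dict(IOS_DEFAULTS)
    for line in config_text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] in CONFIG_KEYS:
            policy[CONFIG_KEYS[words[0]]] = words[1]
    return policy

def mismatches(offer, policy):
    """Map each disagreeing attribute to (offered, configured)."""
    return {k: (offer.get(k), v) for k, v in policy.items() if offer.get(k) != v}

# Offer lines as they appear in the debug output quoted in the thread.
OFFER_DEBUG = """\
Sep 9 13:09:41.603 UTC: ISAKMP: encryption 3DES-CBC
Sep 9 13:09:41.603 UTC: ISAKMP: hash MD5
Sep 9 13:09:41.603 UTC: ISAKMP: default group 1
Sep 9 13:09:41.603 UTC: ISAKMP: auth pre-share
"""
HEAD = "crypto isakmp policy 1\nencr 3des\nauthentication pre-share\n"
FIRST_POST = HEAD + "group 2\n"   # policy as first posted
SECOND_POST = HEAD                # second config post: no group, no hash line
FIXED = HEAD + "hash md5\n"       # constructed from the accepted reply

if __name__ == "__main__":
    offer = parse_offer(OFFER_DEBUG)
    for name, cfg in [("first", FIRST_POST), ("second", SECOND_POST), ("fixed", FIXED)]:
        print(name, mismatches(offer, parse_policy(cfg)) or "offer acceptable")
```

The first policy disagrees on both hash and group, the second only on hash, which is why changing the group alone did not help.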