Cisco Support Community
Bronze

IPsec phase 1

We try to establish an IPsec connection between two devices.

The Cisco router says:

Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy

Sep 9 13:09:41.603 UTC: ISAKMP: encryption 3DES-CBC

Sep 9 13:09:41.603 UTC: ISAKMP: hash MD5

Sep 9 13:09:41.603 UTC: ISAKMP: default group 1

Sep 9 13:09:41.603 UTC: ISAKMP: auth pre-share

Sep 9 13:09:41.603 UTC: ISAKMP: life type in seconds

Sep 9 13:09:41.603 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x2 0x58

Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!

Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

Sep 9 13:09:41.603 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy

Sep 9 13:09:41.603 UTC: ISAKMP: encryption 3DES-CBC

Sep 9 13:09:41.603 UTC: ISAKMP: hash MD5

Sep 9 13:09:41.603 UTC: ISAKMP: default group 1

Sep 9 13:09:41.603 UTC: ISAKMP: auth pre-share

Sep 9 13:09:41.603 UTC: ISAKMP: life type in seconds

Sep 9 13:09:41.603 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x2 0x58

Sep 9 13:09:41.607 UTC: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

But the client device has 3DES and MD5 configured:

; G1+ Advanced SNA IPSec CR Router 5 157 Version 10.6.13TM

enable

assign-access-list 101

;

template 1 default

template 1 isakmp tdes md5

template 1 destination-address

template 1 life duration seconds 10m

;

template 3 default

template 3 dynamic esp tdes sha1

template 3 source-address ppp1

template 3 destination-address

template 3 life duration seconds 10m

;

map-template 101 3

The Cisco:

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Any ideas?

Regards

bjornarsb

5 REPLIES
Hall of Fame Super Bronze

Re: IPsec phase 1

Bjornarsb,

In the log, it shows the router using default-group 1 while in the config it shows you entered group 2 under the ISAKMP policy 1.

Can you change the ISAKMP policy to group 1 and see if it agrees with the clients?

Seeing the whole router config will help me understand better.

Bronze

Re: IPsec phase 1

Didn't help.

Here is the config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key johadmin address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
crypto ipsec security-association idle-time 60
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set dmvpnset
!
!
crypto map LABMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
!
interface Loopback0
 ip address 172.29.252.16 255.255.255.255
!
interface FastEthernet0/0
 description ### mot rutercluster ###
 ip address 172.29.251.16 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.7.16 255.255.255.0 secondary
 ip address
 duplex auto
 speed auto
 crypto map LABMAP
!

Hall of Fame Super Bronze

Re: IPsec phase 1

Bjornarsb,

You are using MD5 at the client side while on the router side MD5 is missing.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key johadmin address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic

You should have

crypto isakmp policy 1
 encr 3des
 hash md5
 .....
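Added example (not part of the original posts, and not Cisco code): a Python check that rebuilds the effective ISAKMP policy from the posted sub-commands and lists every attribute that differs from the peer's offer, since the debug output in this thread reports only the first mismatch per policy. The function names are hypothetical, and the defaults for unset attributes are assumed classic IOS values that should be confirmed with `show crypto isakmp policy`.

```python
import re

# Assumption: classic IOS defaults for attributes an ISAKMP policy leaves unset.
# "RSA-SIG" is only a comparison label here, not text taken from debug output.
IOS_DEFAULTS = {"encryption": "DES-CBC", "hash": "SHA", "group": "1", "auth": "RSA-SIG"}
CONFIG_KEYS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
               "group": "group", "authentication": "auth"}
# Config keyword -> name printed in the ISAKMP debug lines of this thread
DEBUG_NAMES = {"3des": "3DES-CBC", "des": "DES-CBC", "md5": "MD5", "sha": "SHA"}
OFFER_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")

def effective_policy(config):
    """Apply the sub-commands of one 'crypto isakmp policy' block over the defaults."""
    policy = dict(IOS_DEFAULTS)
    for line in config.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] in CONFIG_KEYS:
            policy[CONFIG_KEYS[words[0]]] = DEBUG_NAMES.get(words[1], words[1])
    return policy

def offered_transform(debug_log):
    """Extract the peer's proposal; the router reprints it once per policy checked."""
    offer = {}
    for name, value in OFFER_RE.findall(debug_log):
        offer.setdefault(name.replace("default ", ""), value)
    return offer

def mismatches(offer, policy):
    """Return every differing attribute as (name, offered, configured)."""
    return [(k, offer.get(k), policy[k])
            for k in ("encryption", "hash", "group", "auth")
            if offer.get(k) != policy[k]]

# Transform lines copied from the debug output in the first post
DEBUG_LOG = """\
Sep 9 13:09:41.603 UTC: ISAKMP: encryption 3DES-CBC
Sep 9 13:09:41.603 UTC: ISAKMP: hash MD5
Sep 9 13:09:41.603 UTC: ISAKMP: default group 1
Sep 9 13:09:41.603 UTC: ISAKMP: auth pre-share
"""
# Policy from the first post, and the same policy with "hash md5" and no "group 2"
FIRST_CONFIG = "crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2"
FIXED_CONFIG = "crypto isakmp policy 1\n encr 3des\n hash md5\n authentication pre-share"

if __name__ == "__main__":
    offer = offered_transform(DEBUG_LOG)
    for label, cfg in (("first post", FIRST_CONFIG), ("with hash md5", FIXED_CONFIG)):
        print(label, mismatches(offer, effective_policy(cfg)))
```

For the policy in the first post this reports both the hash and the group difference, although the router logged only the hash.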

Bronze

Re: IPsec phase 1

Thanks!

I had it configured but not group 1 at the same time.

New Member

Re: IPsec phase 1

Good call Edison, that should correct this issue. Take care and keep up the posts.
