
cisco vpn phase 1 negotiation failing

chillicom asked
Last Modified: 2012-05-09
I am having an issue with phase 1 negotiation between 2 Cisco routers. Any suggestions would be most welcome! I do not have access to the client router, but I have enclosed the config of my router (changed IP) and the description of the customer's setup.

my router:
ip cef

multilink bundle-name authenticated

 log config
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp policy 3
 encr 3des
 authentication pre-share

crypto isakmp key t3st address
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP3-DES-MD5 esp-3des esp-md5-hmac

crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to
 set peer
 set transform-set ESP3-DES-MD5
 set pfs group1
 match address 101

interface FastEthernet0/0
 bandwidth 100000
 ip address
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
interface FastEthernet0/1
 bandwidth 100000
 ip address
 ip flow ingress
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username jkh password 0 7
 crypto map SDM_CMAP_1
ip forward-protocol nd
ip route Dialer0
ip route
ip route
ip route

ip http server
ip http authentication local
no ip http secure-server
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 2055
ip nat inside source static tcp 5900 interface Dialer0 5900
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 3389 3389 route-map SDM_RMAP_1 extendable
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip
access-list 101 deny   ip
access-list 101 deny   ip
access-list 101 permit ip any
access-list 104 permit ip
access-list 105 permit ip
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 101

end point router:

Given below the details from ac side
The VPN parameters are :

ac VPN device: Cisco 7206

ac Peer IP:

ac Encryption Domain:


ISAKMP Encryption: 3DES

ISAKMP DH Group: Group 2

ISAKMP Key Mode: Main Mode

ISAKMP Key Lifetime: 86400 secs

Perfect Forward Secrecy: Off

IPSEC Encapsulation: Tunnel Mode

IPSEC Protocol Type: ESP

IPSEC Cipher Algorithm: 3DES

IPSEC Authentication: HMAC-MD5

IPSEC Lifetime: 3600 sec

Port details:

"Customer to :  

ICMP: echo and echo reply

HTTP: TCP8002, 80

GEMS diags: TCP 7979
X-windows: TCP6000-6200


 to Customer:  

ICMP: echo and echo reply


ssh: TCP22

Telnet: TCP23, 2327, 2328

HTTP: TCP80, 8080

Rexec: TCP512

VNC: TCP5800, 5900

MR firmware diagnostics: TCP8100"

tests#show cry isa sa | sec
 MM_NO_STATE          0    0 ACTIVE
 MM_NO_STATE          0    0 ACTIVE (deleted)


Excellent - thank you very much - worked perfectly!!!
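
Added example, not part of the original question or of the accepted solution: a check that compares the crypto settings in the posted configuration with the parameter sheet from the remote side. The function names are hypothetical, and the values used for settings a policy omits (DES, SHA, group 1) are the classic IOS defaults, taken as an assumption.

```python
import re

# Constructed excerpt: encryption, hash, DH group and IPsec lines from the posted config.
LOCAL_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp policy 2
 hash md5
crypto isakmp policy 3
 encr 3des
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP3-DES-MD5 esp-3des esp-md5-hmac
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set transform-set ESP3-DES-MD5
 set pfs group1
"""
# Peer sheet values from the question (it states no ISAKMP hash, so none is compared).
PEER = {"encr": "3des", "group": "2", "pfs": None, "transforms": {"esp-3des", "esp-md5-hmac"}}
# Assumption: classic IOS defaults for settings a policy leaves out.
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}

def parse_policies(cfg):
    """Return {policy number: settings}, filling omitted settings from DEFAULTS."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            if key in DEFAULTS:
                current[key] = value
        else:
            current = None  # any other top-level command ends the policy block
    return policies

def compare(cfg, peer):
    """Return (policies agreeing with the peer on phase 1, list of differences)."""
    matching = [n for n, p in parse_policies(cfg).items()
                if p["encr"] == peer["encr"] and p["group"] == peer["group"]]
    findings = [] if matching else ["phase1: no policy matches the peer"]
    local_pfs = (re.findall(r"^ set pfs (\S+)", cfg, re.M) or [None])[0]
    if local_pfs != peer["pfs"]:
        findings.append(f"phase2: PFS local={local_pfs or 'off'} peer={peer['pfs'] or 'off'}")
    # Check the transform-set the crypto map actually references, not just any defined one.
    name = re.search(r"^ set transform-set (\S+)", cfg, re.M).group(1)
    ts = re.search(rf"^crypto ipsec transform-set {re.escape(name)} (.+)$", cfg, re.M)
    if not ts or set(ts.group(1).split()) != peer["transforms"]:
        findings.append("phase2: transform-set differs from the peer")
    return matching, findings
```

On the posted values, policy 1 agrees with the sheet on encryption and DH group, and the one visible difference is PFS, which is a phase 2 setting. The sheet gives neither the ISAKMP hash nor the pre-shared key, so this check cannot compare them.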
