
1st & 2nd phase proposals

crmljc1976
Level 1

Hi, I've got a Cisco 877 and a NetScreen 5GT.

The NetScreen is configured as the hub with phase 1 pre-g2-3des-sha, and phase 2 set to nopfs-esp-3des-md5. How would I configure my transform sets on the Cisco 877? Can anyone help?

5 Replies

Istvan_Rabai
Level 7

Hi Colin,

Phase 1:

crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2

Phase 2:

crypto ipsec transform-set MYTRANS esp-3des esp-md5-hmac

Cheers:

Istvan

It won't let me enter hash sha under crypto isakmp policy 10. Why is that?

Hi,

Probably your IOS image doesn't have this feature.

Try using "hash md5" and if it works, configure netscreen the same way.

Cheers:

Istvan

Hi,

SHA is the default hashing algorithm for ISAKMP policy and that is why you are probably not seeing it in the running configuration.

For example, I have SHA configured under ISAKMP policy 10 on my router, but it does not show in the running configuration.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

But, if I run the command "Show crypto ISAKMP Policy", I can see it in there.

R16-2821c#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm: Three key triple DES
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 86400 seconds, no volume limit
Protection suite of priority 20

Regards,

Arul

** Please rate all helpful posts **
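Added example, not part of any post in this thread: because the running configuration can omit default values, this sketch reads the effective policy from "show crypto isakmp policy" output instead and checks it against the NetScreen phase 1 proposal name. The function names and the label-to-token tables are assumptions built only from the output quoted above; SAMPLE is a constructed copy of that output.

```python
import re

# Labels as printed in the output quoted above, mapped to the tokens used
# in the NetScreen proposal name (pre-g2-3des-sha). Assumed mapping.
AUTH = {"Pre-Shared Key": "pre"}
ENC = {"Three key triple DES": "3des"}
HASH = {"Secure Hash Standard": "sha"}
REQUIRED = ("authentication method", "Diffie-Hellman group",
            "encryption algorithm", "hash algorithm")

# Constructed sample, copied from the "show crypto isakmp policy" output above.
SAMPLE = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm: Three key triple DES
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 86400 seconds, no volume limit
"""

def parse_policies(text):
    """Return {priority: {field: value}} for each protection suite."""
    suites, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Protection suite of priority (\d+)", line)
        if m:
            cur = suites.setdefault(int(m.group(1)), {})
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return suites

def to_proposal(suite):
    """Render a suite in NetScreen naming; None if a field is missing."""
    if any(f not in suite for f in REQUIRED):
        return None  # truncated or incomplete suite: cannot compare
    group = re.match(r"#(\d+)", suite["Diffie-Hellman group"])
    return "-".join([AUTH.get(suite["authentication method"], "?"),
                     "g" + (group.group(1) if group else "?"),
                     ENC.get(suite["encryption algorithm"], "?"),
                     HASH.get(suite["hash algorithm"], "?")])

def matching_priorities(show_output, peer_proposal):
    """Priorities whose effective settings equal the peer's proposal."""
    return [p for p, s in sorted(parse_policies(show_output).items())
            if to_proposal(s) == peer_proposal]

if __name__ == "__main__":
    print(matching_priorities(SAMPLE, "pre-g2-3des-sha"))
```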

crmljc1976
Level 1

Hi, I keep getting phase 2 no policy exists for proxy id received on the NetScreen; all phase 1 and 2 configured correctly. Has anyone got any experience programming NetScreen 5GT and Cisco 877 VPNs? Thanks