
IPSec: Preshared authentication offered but does not match policy

Hi All,

I have an issue with a Site to site VPN.

Our site is a Cisco 2900 - The remote is a Juniper.

I receive the following message in the debug during Phase 1 negotiation:

ISAKMP:(0):Checking ISAKMP transform 1 against priority 11 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      keylength of 256

ISAKMP:      hash SHA

ISAKMP:      default group 2

ISAKMP:      auth pre-share

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

ISAKMP:(0):Preshared authentication offered but does not match policy!

ISAKMP:(0):atts are not acceptable. Next payload is 0

ISAKMP:(0):no offers accepted!

ISAKMP:(0): phase 1 SA policy not acceptable! (local My.IP.ADD.RES remote RE.MO.TE.IP)

ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

ISAKMP:(0): Failed to construct AG informational message.

ISAKMP:(0): sending packet to RE.MO.TE.IP my_port 500 peer_port 500 (R) AG_NO_STATE

I have the following config on my policy:

crypto isakmp policy 11

encr aes 256

authentication pre-share

group 2

lifetime 28800

It looks to match with what is coming in.

Can someone tell me what the "Preshared authentication offered but does not match policy!" message exactly means?

What can be the main cause of this error message?

Thanks in advance

1 Reply

Richard Burts
Hall of Fame

I wonder if it is the Juniper end that is not doing preshared authentication? Clearly there is some mismatch between what you have configured and what is configured on the Juniper. So a review of both sides would be appropriate.

HTH

Rick
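
Added example, not part of the original thread or of either poster's code: a short Python check that parses the offered transform from the debug output and policy 11 from the question, decodes the VPI lifetime bytes, and compares the two attribute by attribute. The `DEFAULTS` table (classic IOS defaults for lines a policy does not show, such as `hash sha`) and all function names are assumptions of this example.

```python
import re

# Offered transform and local policy, copied from the question above.
DEBUG = """\
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
"""
POLICY = ("crypto isakmp policy 11\nencr aes 256\n"
          "authentication pre-share\ngroup 2\nlifetime 28800\n")

# Assumption: classic IOS defaults for attributes the policy does not list.
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
            "auth": "rsa-sig", "lifetime": 86400}
KEYWORDS = {"encr": "encryption", "hash": "hash", "group": "group",
            "authentication": "auth", "lifetime": "lifetime"}

def parse_offer(debug):  # attributes offered in 'debug crypto isakmp' output
    offer = {}
    for line in debug.splitlines():
        body = line.split(":", 1)[1].strip()
        if m := re.match(r"encryption (\w+)", body):
            offer["encryption"] = m[1].lower()
        elif m := re.match(r"keylength of (\d+)", body):
            offer["encryption"] += " " + m[1]
        elif m := re.match(r"(hash|auth) (\S+)", body):
            offer[m[1]] = m[2].lower()
        elif m := re.match(r"default group (\d+)", body):
            offer["group"] = m[1]
        elif "life duration (VPI)" in body:
            # VPI: big-endian integer printed one byte at a time
            raw = bytes(int(b, 16) for b in re.findall(r"0x[0-9a-fA-F]+", body))
            offer["lifetime"] = int.from_bytes(raw, "big")
    return offer

def parse_policy(config):  # policy block, unlisted lines filled from DEFAULTS
    policy = dict(DEFAULTS)
    for line in config.splitlines():
        word, _, value = line.strip().partition(" ")
        if word in KEYWORDS:
            policy[KEYWORDS[word]] = int(value) if word == "lifetime" else value
    return policy

def mismatches(offer, policy):  # {attribute: (offered, configured)}
    return {k: (offer.get(k), v) for k, v in policy.items() if offer.get(k) != v}
```

For the values in the question, `mismatches(parse_offer(DEBUG), parse_policy(POLICY))` returns an empty dict: the transform attributes agree, so the review of both sides has to cover configuration the thread does not show.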
