Cisco 2600 router as an IPSec client



Currently I'm using Cisco VPN client software to connect to a remote IPSec server on the workstations.

I want to configure an IPSec client on a Cisco 2600 router which connects to the remote IPSec server so the workstations can access the VPN subnet without using VPN software.

Can anyone guide me on how to configure an IPSec client on the router?



I think it is because the encryption and hash algorithms don't match? Because when I connect from the Cisco VPN Client software I can see that the encryption is 128-bit AES and authentication is hmac-sha1.

But from the router log it is:

*Jan 19 14:32:34.868: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.868: ISAKMP:      hash MD5

How do I change the encryption parameters?


Hi Adam,

It looks strange that you didn't match ISAKMP policies but phase 1 was completed.

Could you attach the logs from:

#debug crypto isakmp packet

#debug crypto isakmp detail

Kind regards


Hi Michal,

Attached is the isakmp debug log.


Hi Adam,

Sorry for my late response; I am a bit ill.

I have checked the logs and did a small repro. To me it looks like the server is not supporting NEM:

This is from VPN server with NEM disabled:

Nov 30 00:13:56 [IKEv1 DEBUG]: Group = gsa3mle3, Username = cisco, IP =, MODE_CFG: Received request for DHCP hostname for DDNS is: R1!

Nov 30 00:13:56 [IKEv1]: Group = gsa3mle3, Username = cisco, IP =, Hardware Client connection rejected!  Network Extension Mode is not allowed for this group!

On client:

*Mar  1 00:45:56.387: ISAKMP:(1007): sending packet to my_port 500 peer_port 500 (I) CONF_ADDR   

*Mar  1 00:45:56.439: ISAKMP (0:1007): received packet from dport 500 sport 500 Global (I) CONF_ADDR   

*Mar  1 00:45:56.439: DGVPN:crypt_iv after decrypt, sa:650BE464


*Mar  1 00:45:56.443:

*Mar  1 00:45:56.443: ISAKMP: Information packet contents (flags 1, len 92):

*Mar  1 00:45:56.447:           HASH payload

*Mar  1 00:45:56.447:           DELETE payload

*Mar  1 00:45:56.459: ISAKMP: Information packet contents (flags 1, len 80):

*Mar  1 00:45:56.459:           HASH payload

*Mar  1 00:45:56.459:           DELETE payload

*Mar  1 00:45:56.459: DGVPN: crypt_iv after encrypt, sa:650BE464

Change it to client mode and try it.

Kind regards
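
An added example, not part of the thread or of any poster's reply: a small Python triage for the two symptoms discussed above. It groups `debug crypto isakmp` attribute lines by the transform they belong to, so a 3DES-CBC/MD5 line can be read against whether that transform was accepted, and it flags the head-end's Network Extension Mode rejection. The sample log is constructed; the `Checking ISAKMP transform` and `atts are ...` line formats and the name `triage` are assumptions.

```python
import re

# Constructed sample log (not from the thread's attachment). Attribute lines and
# the NEM rejection copy the shapes quoted above; the "Checking ISAKMP
# transform" / "atts are ..." line formats are assumed.
SAMPLE = """\
*Jan 19 14:32:34.868: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65527 policy
*Jan 19 14:32:34.868: ISAKMP:      encryption 3DES-CBC
*Jan 19 14:32:34.868: ISAKMP:      hash MD5
*Jan 19 14:32:34.868: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 19 14:32:34.872: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65527 policy
*Jan 19 14:32:34.872: ISAKMP:      encryption AES-CBC
*Jan 19 14:32:34.872: ISAKMP:      keylength of 128
*Jan 19 14:32:34.872: ISAKMP:      hash SHA
*Jan 19 14:32:34.872: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 30 00:13:56 [IKEv1]: Group = gsa3mle3, Username = cisco, IP =, Hardware Client connection rejected!  Network Extension Mode is not allowed for this group!
"""

WEAK = {"DES-CBC", "3DES-CBC", "MD5"}  # algorithms to flag in phase 1
START = re.compile(r"Checking ISAKMP transform (\d+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|keylength) (?:of )?(\S+)")
NEM = "Network Extension Mode is not allowed"


def triage(log):
    """Group attribute lines per transform and collect findings."""
    transforms, current, findings = [], None, []
    for line in log.splitlines():
        start, attr = START.search(line), ATTR.search(line)
        if start:
            current = {"id": int(start.group(1)), "accepted": False}
            transforms.append(current)
        elif attr and current is not None:
            current[attr.group(1)] = attr.group(2)
        elif "atts are acceptable" in line and current is not None:
            current["accepted"] = True
        elif NEM in line:
            findings.append("head-end rejects network extension mode for this group")
    for t in transforms:
        weak = sorted(WEAK & {t.get("encryption"), t.get("hash")})
        if weak:
            state = "accepted" if t["accepted"] else "not accepted"
            findings.append(f"transform {t['id']} ({state}): {', '.join(weak)}")
    return transforms, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE)[1]:
        print(finding)
```
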


Hi Michal,

Client mode works perfectly. Thank you so much for your help and get well soon.

Best regards


Emmanuel Valdez

Hi Adam,

Are you using Cisco Easy VPN on your central site? What are you using (router, ASA)?

I saw you are using subinterfaces to set up your environment. I don't really recommend that; you should use 2 physical interfaces to correctly set up the remote VPN on your Cisco 2600.

Best regards.
