[vpn-help] Unable to negotiate phase 1 parameters with Cisco 2611

Matthew Grooms mgrooms at shrew.net
Sun Mar 14 22:02:06 CDT 2010

On 3/14/2010 11:33 AM, Nikolaj Griscenko wrote:
> Hello,
> I can‘t establish an IPSec session between WinXP shrewsoft client 2.1.5
> and Cisco 2611 (12.4-1a IOS). Unable to negotiate phase 1 pre-shared key
> authentication parameter. I configured Cisco to use isakmp client
> configuration group „VPN“ and dynamic ipsec tunnels. Phase 1 parameters are:
> Encryption: 3des
> DH Group: 2
> Hash: md5
> Authentication: pre-shared key
> Lifetime: 28800 s
> I also tried configuring shrewsoft without specifying a VPN group
> parameter, and it passed the phase 1 successfully, but could not pass
> phase 2. Is it something wrong with Cisco or Client config?

You will have to forgive me. Once upon a time I managed a lot of Cisco 
gear but these days my IOS is a bit rusty :) Maybe this document could help?


You basically want to configure the router in the same manner you would 
for the Cisco VPN client and then use the appropriate settings on the 
Shrew client. However, those settings entirely depend on how the router 
is configured and I don't have an IOS device in my lab to provide test 
samples or configurations with. If you are unsure of the settings, you 
can start with the Cisco VPN Client and a Cisco document, then export 
the PCF and import it into the Shrew Soft client.

Hope this helps,


More information about the vpn-help mailing list