[vpn-help] Unable to negotiate phase 1 parameters with Cisco 2611

Nikolaj Griscenko n.griscenko at gmail.com
Sat Mar 20 05:57:24 CDT 2010

I've configured Cisco acording to the link you advised and connected
successfully. Thanks a lot.


-----Original Message-----
From: Matthew Grooms [mailto:mgrooms at shrew.net] 
Sent: Monday, March 15, 2010 5:02 AM
To: Nikolaj Griscenko
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Unable to negotiate phase 1 parameters with Cisco

On 3/14/2010 11:33 AM, Nikolaj Griscenko wrote:
> Hello,
> I can't establish an IPSec session between WinXP shrewsoft client 2.1.5
> and Cisco 2611 (12.4-1a IOS). Unable to negotiate phase 1 pre-shared key
> authentication parameter. I configured Cisco to use isakmp client
> configuration group "VPN" and dynamic ipsec tunnels. Phase 1 parameters
> Encryption: 3des
> DH Group: 2
> Hash: md5
> Authentication: pre-shared key
> Lifetime: 28800 s
> I also tried configuring shrewsoft without specifying a VPN group
> parameter, and it passed the phase 1 successfully, but could not pass
> phase 2. Is it something wrong with Cisco or Client config?

You will have to forgive me. Once upon a time I managed a lot of Cisco 
gear but these days my IOS is a bit rusty :) Maybe this document could help?


You basically want to configure the router in the same manner you would 
for the Cisco VPN client and then use the appropriate settings on the 
Shrew client. However, those settings entirely depend on how the router 
is configured and I don't have an IOS device in my lab to provide test 
samples or configurations with. If you are unsure of the settings, you 
can start with the Cisco VPN Client and a Cisco document, then export 
the PCF and import it into the Shrew Soft client.

Hope this helps,


More information about the vpn-help mailing list