IPSec Negotiation IKE Protocols

Configuring Router Mode-config, Wild-card, Pre-shared Keys, no NAT

Document ID: 14135

Updated: Feb 17, 2005



In this sample configuration, a router is configured for mode configuration (get an IP address from the pool), wild-card, pre-shared keys (all PC clients share a common key), without Network Address Translation (NAT). An off-site user can enter the network and have an internal IP address assigned from the pool. To users, it appears that they are inside the network. Devices inside the network are set up with routes to the un-routable 10.2.1.x pool.



There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS® Software 12.0.7T or later

  • Hardware that supports this software revision

  • CiscoSecure VPN Client 1.0/1.0.A or 1.1 (shown as 2.0.7/E or 2.1.12, respectively, go to Help > About to check)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


For more information on document conventions, refer to the Cisco Technical Tips Conventions .


In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Network Diagram

This document uses this network setup:



This document uses these configurations:

  • VPN Client

  • Router

VPN Client
Network Security policy: 

1- Myconn 
        My Identity = ip address
                Connection security: Secure 
                Remote Party Identity and addressing 
                        ID Type: IP subnet 
                        Port all Protocol all 

                Connect using secure tunnel 
                        ID Type: IP address 
                        Pre-shared key = cisco123

        Authentication (Phase 1) 
        Proposal 1 
                Authentication method: pre-shared key 
                Encryp Alg: DES 
                Hash Alg: MD5 
                SA life: Unspecified
                Key Group: DH 1 

        Key exchange (Phase 2) 
        Proposal 1 
                Encapsulation ESP 
                Encrypt Alg: DES 
                Hash Alg: MD5 
                Encap: tunnel 
                SA life: Unspecified 
                no AH 

2- Other Connections 
            Connection security: Non-secure 
            Local Network Interface 
                Name: Any 
                IP Addr: Any 
                Port: All 

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname router
enable password ww
username cisco password 0 cisco
clock timezone EST -5
ip subnet-zero
cns event-service server

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address        
crypto isakmp client configuration address-pool local ourpool
crypto ipsec transform-set trans1 esp-des esp-md5-hmac 
crypto dynamic-map dynmap 10
 set transform-set trans1 
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0
 ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 crypto map intmap
interface Ethernet1
 ip address
 no ip directed-broadcast

ip local pool ourpool
ip classless
no ip http server
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password ww


This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.

  • show crypto engine connections active —Shows the encrypted and decrypted packets.

  • show crypto ipsec sa —Shows the phase 2 security associations.

  • show crypto isakmp sa —Shows the phase 1 security associations.

These debugs must be running on both IPSec routers (peers). Clearing security associations must be done on both peers.

  • debug crypto ipsec —Shows the IPSec negotiations of phase 2.

  • debug crypto isakmp —Shows the the ISAKMP negotiations of phase 1.

  • debug crypto engine —Shows the traffic that is encrypted.

  • clear crypto isakmp —Clears the security associations related to phase 1.

  • clear crypto sa —Clears the security associations related to phase 2.


There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Feb 17, 2005
Document ID: 14135