IPSec Negotiation IKE Protocols

Configuring IPSec - Wild-card Pre-shared Keys with Cisco Secure VPN Client and No-mode Config

Document ID: 14148

Updated: Jan 19, 2006

Introduction

This sample configuration illustrates a router configured for wild-card pre-shared keys—all PC clients share a common key. A remote user enters the network, keeping its own IP address; data between the PC of a remote user and the router is encrypted.

Prerequisites

Requirements

There are no specific prerequisites for this document.

Components Used

The information in this document is based on the software and hardware versions below.

  • Cisco IOS® Software Release 12.2.8.T1

  • Cisco Secure VPN Client version 1.0 or 1.1—End-of-Life

  • Cisco router with DES or 3DES image

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in the diagram below.

Configurations

This document uses the configurations shown below.

Router Configuration
Current configuration:
version 12.2

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname RTCisco
enable password hjwwkj
ip subnet-zero
ip domain-name
ip name-server
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mysecretkey address
crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
crypto dynamic-map dyna 10
set transform-set mypolicy
crypto map test 10 ipsec-isakmp dynamic dyna
interface Serial0
ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
crypto map test
interface Ethernet0
ip address
ip classless
ip route
line con 0
transport input none
line aux 0
transport input all
line vty 0 4
password cscscs

VPN Client Configuration
Network Security policy:

1- Myconn
    My Identity
         Connection security: Secure
         Remote Party Identity and addressing
         ID Type: IP subnet
         Port all Protocol all

    Connect using secure tunnel
         ID Type: IP address

    Authentication (Phase 1)
    Proposal 1

        Authentication method: Preshared key
        Encrypt Alg: DES
        Hash Alg: MD5
        SA life:  Unspecified
        Key Group: DH 1

    Key exchange (Phase 2)
    Proposal 1
        Encapsulation ESP
        Encrypt Alg: DES
        Hash Alg: MD5
        Encap: tunnel
        SA life: Unspecified
        no AH

2- Other Connections
       Connection security: Non-secure
       Local Network Interface
         Name: Any
         IP Addr: Any
         Port: All

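The router configuration above makes several choices worth checking before it is reused: the ISAKMP policy carries no encryption command (so it takes the IOS 12.x default of single DES), it uses MD5 and DH group 1 (matching the client's "Key Group: DH 1"), the transform set is esp-des esp-md5-hmac, and a wild-card pre-shared key means every client shares one secret. The audit script below is an added example, not part of the Cisco document; its sample config is constructed from the one above and assumes the 0.0.0.0 0.0.0.0 wild-card form for the key address, which the page elides.

```python
import re

# Constructed sample modelled on the router configuration above; the page
# elides the key's address, so the 0.0.0.0 0.0.0.0 wild-card form is assumed.
WEAK_CONFIG = """\
no service password-encryption
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key mysecretkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
crypto dynamic-map dyna 10
 set transform-set mypolicy
"""
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
ISAKMP_SUBCMDS = ("encryption", "hash", "authentication", "group", "lifetime")
# IOS 12.x defaults for a policy that omits a sub-command (the sample never
# sets "encryption", so it silently negotiates single DES).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}

def parse_isakmp_policies(lines):
    # Map each "crypto isakmp policy N" block to its effective settings.
    policies, current = {}, None
    for line in lines:
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = policies.setdefault(m.group(1), dict(ISAKMP_DEFAULTS))
        elif current is not None and line.split()[0] in ISAKMP_SUBCMDS:
            current[line.split()[0]] = line.split()[1]
        else:
            current = None  # any other top-level command ends the block
    return policies

def audit_config(text):
    """Return findings for weak Phase 1 / Phase 2 choices in an IOS config."""
    lines, findings = [l.strip() for l in text.splitlines() if l.strip()], []
    for pid, pol in parse_isakmp_policies(lines).items():
        for setting in ("encryption", "hash"):
            if pol[setting] in WEAK_ALGS:
                findings.append(f"isakmp policy {pid}: weak {setting} {pol[setting]}")
        if pol["group"] == "1":
            findings.append(f"isakmp policy {pid}: DH group 1 (768-bit modulus)")
    for line in lines:
        if re.match(r"crypto isakmp key (\d )?\S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", line):
            findings.append("wild-card pre-shared key: every client shares one secret")
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            findings += [f"transform-set {m.group(1)}: weak {alg}"
                         for alg in m.group(2).split() if alg in WEAK_ALGS]
        if line == "no service password-encryption":
            findings.append("passwords stored in clear text in the running config")
    return findings
```

Running `audit_config(WEAK_CONFIG)` reports seven findings for the sample; a policy with `encryption aes 256`, `hash sha256`, `group 14`, a per-peer key address and an AES/SHA-256 transform set reports none.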
Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

  • show crypto isakmp sa —Shows Phase 1 security associations.

  • show crypto ipsec sa —Shows Phase 2 security associations and proxy, encapsulation, encryption, decapsulation, and decryption information.

  • show crypto engine connections active —Shows current connections and information regarding encrypted and decrypted packets.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Note: Before issuing debug commands, refer to Important Information on Debug Commands.

Note: You must clear security associations on both peers. Perform the router commands in non-enable mode.

Note: You must run these debugs on both IPSec peers.

  • debug crypto isakmp —Displays errors during Phase 1.

  • debug crypto ipsec —Displays errors during Phase 2.

  • debug crypto engine —Displays information from the crypto engine.

  • clear crypto isakmp —Clears the Phase 1 security associations.

  • clear crypto sa —Clears the Phase 2 security associations.

Related Information
