VPN / CCNA 200-301

IPsec Pre-Shared Key Mismatch — Phase 1 Fails

Presenting Symptom

IPsec VPN tunnel fails to establish; Phase 1 (IKE) negotiation does not complete and the tunnel remains down.

Network Context

A small branch office (192.168.1.0/24) connects to a central HQ (10.0.0.0/24) via a site-to-site IPsec VPN over the internet. Both sites use Cisco ISR 4321 routers running IOS XE 16.9. The pre-shared key is configured manually at both ends.

Diagnostic Steps

1. Check IPsec tunnel status

show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        192.168.1.1     MM_NO_STATE    1001     ACTIVE

If the state is MM_NO_STATE, Phase 1 has not completed. The normal state for an active tunnel is MM_ACTIVE.

2. Enable debug for IKE negotiations

debug crypto isakmp
ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (N) NEW SA
ISAKMP (0:0): processing SA payload. message ID = 0
ISAKMP (0:0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0:0): encryption DES-CBC
ISAKMP (0:0): hash SHA
ISAKMP (0:0): default group 2
ISAKMP (0:0): auth pre-share
ISAKMP (0:0): atts are not acceptable. Next transform is 0
ISAKMP (0:0): no offers accepted!

If you see 'atts are not acceptable' or 'no offers accepted', it indicates a mismatch in IKE parameters (encryption, hash, group, or auth method). If the pre-shared key is wrong, you may see 'Invalid payload' or 'authentication failed' messages.

3. Verify IKE policy configuration

show crypto isakmp policy
Protection suite of priority 10
        encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #5 (1536 bit)
        lifetime: 86400

Compare the output at both ends. Ensure encryption, hash, authentication method, DH group, and lifetime match exactly. A mismatch in any of these will cause Phase 1 failure.

4. Check pre-shared key configuration

show running-config | include crypto isakmp key
crypto isakmp key cisco123 address 192.168.1.1

Verify that the pre-shared key is configured for the correct peer IP. The key must be identical on both sides. If the key is missing or different, Phase 1 will fail.
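The four diagnostic steps above can be automated when many peers have to be checked after a configuration change. The following Python script is an added example written for this page (it is not part of the original scenario or of any Cisco tool) and it assumes the output formats shown in the steps above: it parses 'show crypto isakmp sa' to find SAs that never reached MM_ACTIVE, compares the IKE policy fields from 'show crypto isakmp policy' at both ends, checks that each side has a pre-shared key for the other's address and that the two keys are equal, and classifies 'debug crypto isakmp' lines as a proposal mismatch or an authentication failure using the strings quoted in step 2. All sample output embedded in the script is constructed for the example; the DH group 2 variant of the branch policy is introduced only to show how a policy mismatch is reported.

```python
import re

# IOS field names compared per IKE policy priority.
POLICY_FIELDS = ("encryption algorithm", "hash algorithm", "authentication method",
                 "Diffie-Hellman group", "lifetime")

# Constructed sample output modelled on this scenario; not captured from real devices.
SA_OUTPUT = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        192.168.1.1     MM_NO_STATE    1001     ACTIVE
"""
HQ_POLICY = """Protection suite of priority 10
        encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #5 (1536 bit)
        lifetime: 86400
"""
# Constructed variant with DH group 2 so that a policy mismatch is reported.
BRANCH_POLICY_DH2 = HQ_POLICY.replace("#5 (1536 bit)", "#2 (1024 bit)")
HQ_KEYS = "crypto isakmp key MySecretKey address 192.168.1.1\n"
BRANCH_KEYS_BEFORE = "crypto isakmp key cisco123 address 10.0.0.1\n"
BRANCH_KEYS_AFTER = "crypto isakmp key MySecretKey address 10.0.0.1\n"
DEBUG_OUTPUT = "ISAKMP (0:0): atts are not acceptable. Next transform is 0\nISAKMP (0:0): no offers accepted!\n"


def parse_isakmp_sa(text):
    """One dict per data row of 'show crypto isakmp sa' (IPv4 section)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]):
            rows.append({"dst": parts[0], "src": parts[1], "state": parts[2],
                         "conn_id": parts[3], "status": parts[4]})
    return rows


def incomplete_phase1(sas):
    """SAs not in MM_ACTIVE have not completed Phase 1 (e.g. MM_NO_STATE)."""
    return [sa for sa in sas if sa["state"] != "MM_ACTIVE"]


def parse_isakmp_policy(text):
    """Map priority -> {field: value} from 'show crypto isakmp policy'."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Protection suite of priority (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is None or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        if field in POLICY_FIELDS:
            current[field] = value.rstrip(".")
    return policies


def diff_policies(local, remote):
    """(priority, field, local_value, remote_value) for every mismatching field."""
    return [(prio, f, local.get(prio, {}).get(f), remote.get(prio, {}).get(f))
            for prio in sorted(set(local) | set(remote))
            for f in POLICY_FIELDS
            if local.get(prio, {}).get(f) != remote.get(prio, {}).get(f)]


def parse_psk_lines(text):
    """Map peer address -> key from 'crypto isakmp key KEY address ADDR' lines."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"crypto isakmp key (\S+) address (\S+)", text)}


def psk_consistent(local_keys, local_ip, remote_keys, remote_ip):
    """True only if each side keys the other's address and the keys are equal."""
    return (remote_ip in local_keys and local_ip in remote_keys
            and local_keys[remote_ip] == remote_keys[local_ip])


def classify_debug(text):
    """Attribute a failed negotiation using the debug strings quoted in step 2."""
    if "atts are not acceptable" in text or "no offers accepted" in text:
        return "ike-proposal-mismatch"
    if "Invalid payload" in text or "authentication failed" in text:
        return "preshared-key-or-auth-failure"
    return "unknown"


def run_checks():
    """Apply the four diagnostic steps to the constructed samples."""
    hq, branch = parse_isakmp_policy(HQ_POLICY), parse_isakmp_policy(BRANCH_POLICY_DH2)
    return {
        "incomplete_phase1": [sa["state"] for sa in incomplete_phase1(parse_isakmp_sa(SA_OUTPUT))],
        "policy_mismatches": diff_policies(hq, branch),
        "psk_before_fix": psk_consistent(parse_psk_lines(BRANCH_KEYS_BEFORE), "192.168.1.1",
                                         parse_psk_lines(HQ_KEYS), "10.0.0.1"),
        "psk_after_fix": psk_consistent(parse_psk_lines(BRANCH_KEYS_AFTER), "192.168.1.1",
                                        parse_psk_lines(HQ_KEYS), "10.0.0.1"),
        "debug_verdict": classify_debug(DEBUG_OUTPUT),
    }
```

Calling run_checks() on the embedded samples reports the MM_NO_STATE SA, the single Diffie-Hellman group difference, a pre-shared key that is inconsistent before the fix and consistent after it, and a debug verdict of ike-proposal-mismatch. In practice the sample strings would be replaced with output collected from each router; comparing both peers' policy tables field by field is the check that catches the lifetime or DH group differences that are easy to miss by eye.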

Root Cause

The pre-shared key configured on the branch router does not match the key configured on the HQ router. Both sides have identical IKE policies, but the key mismatch causes IKE authentication to fail during Phase 1.

Resolution

On the branch router, configure the correct pre-shared key matching the HQ router:

configure terminal
crypto isakmp key MySecretKey address 10.0.0.1
end
write memory

This sets the pre-shared key to 'MySecretKey' for the peer at 10.0.0.1. Ensure the HQ router has the same key for the branch peer (192.168.1.1).

Verification

Clear the existing IKE SAs and verify the tunnel establishes:

clear crypto isakmp
show crypto isakmp sa

Expected output:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        192.168.1.1     MM_ACTIVE      1001     ACTIVE

The state should be MM_ACTIVE, indicating Phase 1 completed successfully.

Prevention

1. Use a centralized configuration management system to ensure pre-shared keys are consistent across all VPN peers.
2. Implement a naming convention or use AAA for IKE authentication to avoid manual key entry errors.
3. Always verify IKE policies and pre-shared keys after any configuration change using show commands.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where you must identify why an IPsec VPN fails to establish. The exam tests your ability to interpret 'show crypto isakmp sa' output and debug messages to pinpoint a pre-shared key mismatch. A key fact: Phase 1 fails if IKE parameters (including pre-shared key) do not match between peers.

Exam Tips

1. Memorize the IKE Phase 1 states: MM_NO_STATE (no negotiation), MM_ACTIVE (successful).

2. Remember that 'atts are not acceptable' in debug output indicates a mismatch in IKE proposals, not necessarily the pre-shared key.

3. Know that 'show crypto isakmp sa' is the first command to check VPN tunnel status.
