VPN config - ipsec client to ios router

Unanswered Question
Jun 14th, 2007

Can someone tell me what is wrong with this config:

! Phase 1 (ISAKMP) policy offered to the client
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Easy VPN client group: group pre-shared key and address pool
crypto isakmp client configuration group testvpn
 key ****
 pool vpn-pool
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set strongset esp-3des esp-md5-hmac
!
! Dynamic map for clients whose addresses are not known in advance
crypto dynamic-map dynmap 10
 set transform-set strongset
!
crypto map vpn client configuration address respond
crypto map vpn 99 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.248
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
! Outside interface: the crypto map is applied here
interface Serial0/0/0:0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn

All I want is a simple client to router ipsec vpn. What am I missing?

The debug crypto isakmp says the phase 1 proposal is unacceptable. See attached.

-mike
sundar.palaniappan Thu, 06/14/2007 - 13:31

The output below shows that the client is configured for AES encryption and SHA hashing, whereas the router is configured for 3DES and MD5. The proposals need to match for the ISAKMP SA to be established.

ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA

HTH

Sundar

mmorris11 Thu, 06/14/2007 - 13:37

But doesn't the client propose something that DOES match? For example:

*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 5 policy
*Jun 14 22:15:34.874: ISAKMP: encryption 3DES-CBC
*Jun 14 22:15:34.874: ISAKMP: hash MD5
*Jun 14 22:15:34.874: ISAKMP: default group 2
*Jun 14 22:15:34.874: ISAKMP: auth pre-share
*Jun 14 22:15:34.874: ISAKMP: life type in seconds
*Jun 14 22:15:34.874: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!

Everything in this part of the proposal matches my policy but it passes it up. That is what I don't get.
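
As an added example (not part of the thread and not Cisco's code), the Python script below does mechanically what the two posts above do by eye: it parses the transform blocks of a `debug crypto isakmp` capture, maps the debug vocabulary (`AES-CBC`, `SHA`, `pre-share`, `default group 2`) onto `crypto isakmp policy` keywords, and reports which configured policy, if any, each proposed transform satisfies, along with the lifetime that would be negotiated (per Cisco's ISAKMP policy documentation, a differing lifetime is not a mismatch; the shorter of the two is used). The debug text is constructed to mirror the attribute values quoted in the thread, and the `IsakmpPolicy` and `Transform` classes are this example's own. It goes beyond the thread by also showing what changes when a second policy matching the client's first proposal (AES with SHA) is added to the router. Note what it cannot do: it compares advertised attributes only, so a transform that matches attribute for attribute yet is still rejected by the router, which is exactly what Mike's debug shows for transform 12, will be reported as acceptable here.

```python
"""Match Cisco IOS `debug crypto isakmp` proposals against `crypto isakmp policy` entries.
Added example for the thread above; IsakmpPolicy/Transform are this example's own names."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample debug output. The attribute values for transforms 1 and 12 are the
# ones quoted in the thread; the lines themselves are constructed for this example.
SAMPLE_DEBUG = """\
*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
*Jun 14 22:15:34.874: ISAKMP:      encryption AES-CBC
*Jun 14 22:15:34.874: ISAKMP:      hash SHA
*Jun 14 22:15:34.874: ISAKMP:      default group 2
*Jun 14 22:15:34.874: ISAKMP:      auth pre-share
*Jun 14 22:15:34.874: ISAKMP:      life type in seconds
*Jun 14 22:15:34.874: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 5 policy
*Jun 14 22:15:34.874: ISAKMP:      encryption 3DES-CBC
*Jun 14 22:15:34.874: ISAKMP:      hash MD5
*Jun 14 22:15:34.874: ISAKMP:      default group 2
*Jun 14 22:15:34.874: ISAKMP:      auth pre-share
*Jun 14 22:15:34.874: ISAKMP:      life type in seconds
*Jun 14 22:15:34.874: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
"""

HEADER_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
# Attribute lines read "ISAKMP:      hash SHA"; the header has "ISAKMP:(" so it never matches.
ATTR_RE = re.compile(
    r"ISAKMP:\s+(encryption|hash|default group|auth|life type|life duration \(VPI\) of)\s+(.+?)\s*$"
)

# Debug vocabulary -> `crypto isakmp policy` keyword vocabulary.
ENCR = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
HASH = {"MD5": "md5", "SHA": "sha"}
AUTH = {"pre-share": "pre-share", "RSA sig": "rsa-sig"}


@dataclass(frozen=True)
class IsakmpPolicy:
    """One `crypto isakmp policy <priority>` entry; 86400 s is the IOS default lifetime."""
    priority: int
    encr: str
    hash: str
    auth: str
    group: int
    lifetime: int = 86400


@dataclass
class Transform:
    number: int
    attrs: Dict[str, str] = field(default_factory=dict)


def decode_lifetime(raw: str) -> int:
    """'0x0 0x20 0xC4 0x9B' -> 2147483: the VPI lifetime is big-endian bytes of seconds."""
    return int.from_bytes(bytes(int(b, 16) for b in raw.split()), "big")


def parse_debug(text: str) -> List[Transform]:
    transforms: List[Transform] = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            transforms.append(Transform(number=int(m.group(1))))
            continue
        m = ATTR_RE.search(line)
        if m and transforms:
            transforms[-1].attrs[m.group(1)] = m.group(2)
    return transforms


def proposed(t: Transform) -> Dict[str, object]:
    a = t.attrs
    return {
        "encr": ENCR.get(a.get("encryption", ""), a.get("encryption", "").lower()),
        "hash": HASH.get(a.get("hash", ""), a.get("hash", "").lower()),
        "auth": AUTH.get(a.get("auth", ""), a.get("auth", "").lower()),
        "group": int(a["default group"]) if "default group" in a else None,
    }


def mismatches(t: Transform, p: IsakmpPolicy) -> List[str]:
    got = proposed(t)
    want = {"encr": p.encr, "hash": p.hash, "auth": p.auth, "group": p.group}
    return [f"{k}: proposed {got[k]!r}, policy {want[k]!r}" for k in want if got[k] != want[k]]


def negotiated_lifetime(t: Transform, p: IsakmpPolicy) -> int:
    # Lifetime is not a hard match: when the two differ, IOS uses the shorter one.
    raw = t.attrs.get("life duration (VPI) of")
    return p.lifetime if raw is None else min(p.lifetime, decode_lifetime(raw))


def evaluate(text: str, policies: List[IsakmpPolicy]) -> Dict[int, dict]:
    """Per proposed transform: the lowest-numbered policy it matches (policies are tried in
    priority order, as IOS does), the lifetime that would result, and mismatch reasons."""
    results: Dict[int, dict] = {}
    for t in parse_debug(text):
        entry = {"policy": None, "lifetime": None, "reasons": {}}
        for p in sorted(policies, key=lambda p: p.priority):
            r = mismatches(t, p)
            if not r:
                entry["policy"] = p.priority
                entry["lifetime"] = negotiated_lifetime(t, p)
                break
            entry["reasons"][p.priority] = r
        results[t.number] = entry
    return results


if __name__ == "__main__":
    router = [IsakmpPolicy(5, "3des", "md5", "pre-share", 2)]  # the policy posted in the thread
    for num, e in evaluate(SAMPLE_DEBUG, router).items():
        print(f"transform {num}: policy {e['policy']} lifetime {e['lifetime']} reasons {e['reasons']}")
    # A second policy matching the client's preferred proposal makes transform 1 acceptable too.
    router.append(IsakmpPolicy(1, "aes", "sha", "pre-share", 2))
    print("transform 1 with aes/sha policy added:", evaluate(SAMPLE_DEBUG, router)[1]["policy"])
```

Run against the constructed capture, transform 1 fails policy 5 on encryption and hash, and transform 12 matches it with a negotiated lifetime of 86400 s (the router's default is shorter than the client's 2147483 s). Pointing it at a real capture is just a matter of replacing `SAMPLE_DEBUG` with the saved debug text and listing the router's actual `crypto isakmp policy` entries.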

sundar.palaniappan Mon, 06/18/2007 - 16:50

Can you make sure the configured pre-shared key is the same on the client and the router?

HTH

Sundar

shomar Mon, 06/18/2007 - 23:59

Hi Mike,

This is exactly what puzzled me here as well. Try removing the isakmp policy and reapplying it once more, and maybe also disable and enable isakmp on the interface before trying again to connect with the client.

Because from the debugs it is mentioning that the policy doesn't have pre-shared enabled, while the configuration clearly states that it is enabled.

Regards,

Shadi
