Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
503
Views
0
Helpful
4
Replies

VPN config - ipsec client to ios router

mmorris11
Level 4
Level 4

‎06-14-2007 01:20 PM - edited ‎02-21-2020 03:06 PM

Can someone tell me what is wrong with this config:

crypto isakmp policy 5

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration group testvpn

key ****

pool vpn-pool

!

!

crypto ipsec transform-set strongset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set strongset

!

!

crypto map vpn client configuration address respond

crypto map vpn 99 ipsec-isakmp dynamic dynmap

!

!

!

!

interface GigabitEthernet0/0

ip address x.x.x.x 255.255.255.248

duplex auto

speed auto

media-type rj45

!

interface GigabitEthernet0/1

ip address x.x.x.x 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

media-type rj45

!

interface Serial0/0/0:0

ip address x.x.x.x 255.255.255.252

ip nat outside

ip virtual-reassembly

encapsulation ppp

crypto map vpn

All I want is a simple client to router ipsec vpn. What am I missing?

The debug crypto isakmp says the phase 1 proposal is unnacceptable. See attached.

-mike

Labels:
Preview file
13 KB
0 Helpful
4 Replies 4

sundar.palaniappan
Level 10
Level 10

‎06-14-2007 01:31 PM

From the output below it shows the client is configured for AES encryption and SHA hashing whereas the router is configured for 3DES and MD5. The proposals need to match for ISAKMP SA to be established.

ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

HTH

Sundar

0 Helpful

mmorris11
Level 4
Level 4
In response to sundar.palaniappan

‎06-14-2007 01:37 PM

But doesn't the client propose something that DOES match? For example:

*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 5 policy

*Jun 14 22:15:34.874: ISAKMP: encryption 3DES-CBC

*Jun 14 22:15:34.874: ISAKMP: hash MD5

*Jun 14 22:15:34.874: ISAKMP: default group 2

*Jun 14 22:15:34.874: ISAKMP: auth pre-share

*Jun 14 22:15:34.874: ISAKMP: life type in seconds

*Jun 14 22:15:34.874: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!

Everything in this part of the proposal matches my policy but it passes it up. That is what I don't get.

0 Helpful

sundar.palaniappan
Level 10
Level 10
In response to mmorris11

‎06-18-2007 04:50 PM

Can you make sure the configured preshared key is the same on the client and the router.

HTH

Sundar

0 Helpful

shomar
Level 1
Level 1
In response to mmorris11

‎06-18-2007 11:59 PM

Hi Mike,

This is exactly what puzzeled me here as well. try to remove the isakmp policy and reapply it once more, maybe as well disable and enable isakmp on the interface before trying again to connect with the client.

because from the debugs it is mentioning that the policy doesn't have pre-shared enabled, while the configuration clearly states that it is enabled.

Regards,

Shadi`

0 Helpful
Customers Also Viewed These Support Documents