06-14-2007 01:20 PM - edited 02-21-2020 03:06 PM
Can someone tell me what is wrong with this config:
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group testvpn
 key ****
 pool vpn-pool
!
!
crypto ipsec transform-set strongset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set strongset
!
!
crypto map vpn client configuration address respond
crypto map vpn 99 ipsec-isakmp dynamic dynmap
!
!
!
!
interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.248
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface Serial0/0/0:0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn
All I want is a simple client-to-router IPsec VPN. What am I missing?
The debug crypto isakmp says the phase 1 proposal is unacceptable. See attached.
-mike
06-14-2007 01:31 PM
From the output below it shows the client is configured for AES encryption and SHA hashing whereas the router is configured for 3DES and MD5. The proposals need to match for ISAKMP SA to be established.
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
HTH
Sundar
06-14-2007 01:37 PM
But doesn't the client propose something that DOES match? For example:
*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 5 policy
*Jun 14 22:15:34.874: ISAKMP: encryption 3DES-CBC
*Jun 14 22:15:34.874: ISAKMP: hash MD5
*Jun 14 22:15:34.874: ISAKMP: default group 2
*Jun 14 22:15:34.874: ISAKMP: auth pre-share
*Jun 14 22:15:34.874: ISAKMP: life type in seconds
*Jun 14 22:15:34.874: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!
Everything in this part of the proposal matches my policy but it passes it up. That is what I don't get.
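The two replies above are doing the same thing by hand: lining up each transform the client proposes against the attributes of policy 5. The script below is an added example (not part of this thread and not a Cisco tool) that automates that comparison: it parses the `crypto isakmp policy` block and the `Checking ISAKMP transform N against priority P policy` blocks from `debug crypto isakmp`, normalizes the debug spellings (`3DES-CBC`, `SHA`) to the policy keywords (`3des`, `sha`), and reports which of the four attributes (encryption, hash, DH group, authentication) differ. The sample input is constructed from the config and debug lines quoted in the thread; the `group`/`auth` lines for transform 1 are filled in to complete that block, and the IOS policy defaults (DES, SHA, RSA signatures, group 1) are an assumption coded in `IOS_POLICY_DEFAULTS`. The 3DES/MD5/group 2 values are kept only to reproduce the thread's debug; they are obsolete choices today. Note what the tool can and cannot tell you: transform 1 fails on encryption and hash, exactly as Sundar says, while transform 12 matches all four attributes, exactly as Mike says, so a refusal of transform 12 is not an attribute mismatch and has to come from a later step (the pre-shared key itself) that the proposal lines alone do not show.

```python
import re

# IOS ISAKMP policy defaults for attributes a policy does not set explicitly
# (assumption: DES, SHA, RSA signatures, DH group 1).
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1"}

# Debug-output spellings mapped to the keywords used under "crypto isakmp policy".
ENCR_ALIASES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
HASH_ALIASES = {"SHA": "sha", "MD5": "md5"}
POLICY_KEYS = {"encr": "encr", "encryption": "encr", "hash": "hash",
               "authentication": "auth", "group": "group"}
ATTRS = ("encr", "hash", "group", "auth")

# Constructed sample input: the policy from the original post and transforms 1 and 12
# from the quoted debug. The group/auth lines of transform 1 are constructed to
# complete that block; the remaining lines are as quoted in the thread.
POLICY_CONFIG = """\
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group testvpn
 key ****
"""

DEBUG_LOG = """\
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 5 policy
*Jun 14 22:15:34.874: ISAKMP: encryption 3DES-CBC
*Jun 14 22:15:34.874: ISAKMP: hash MD5
*Jun 14 22:15:34.874: ISAKMP: default group 2
*Jun 14 22:15:34.874: ISAKMP: auth pre-share
*Jun 14 22:15:34.874: ISAKMP: life type in seconds
*Jun 14 22:15:34.874: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 14 22:15:34.874: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!
"""

# Optional IOS log timestamp prefix such as "*Jun 14 22:15:34.874: ".
TIMESTAMP = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ [\d:.]+: ")


def parse_policies(config_text):
    """Return {priority: {encr, hash, auth, group}} from 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(IOS_POLICY_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in POLICY_KEYS:
            current[POLICY_KEYS[key]] = value.strip()
        else:
            current = None  # "!" or any unrelated command ends the policy block
    return policies


def parse_transforms(debug_text):
    """Return one dict per 'Checking ISAKMP transform N against priority P policy' block."""
    transforms, current = [], None
    for raw in debug_text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        m = re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2))}
            transforms.append(current)
            continue
        if current is None:
            continue
        if m := re.match(r"ISAKMP: encryption (\S+)", line):
            current["encr"] = ENCR_ALIASES.get(m.group(1), m.group(1).lower())
        elif m := re.match(r"ISAKMP: hash (\S+)", line):
            current["hash"] = HASH_ALIASES.get(m.group(1), m.group(1).lower())
        elif m := re.match(r"ISAKMP: (?:default )?group (\d+)", line):
            current["group"] = m.group(1)
        elif m := re.match(r"ISAKMP: auth (\S+)", line):
            current["auth"] = m.group(1).lower()
    return transforms


def mismatched_attributes(transform, policy):
    """Attributes the peer proposed that differ from the configured policy, in ATTRS order."""
    return [a for a in ATTRS if transform.get(a) != policy.get(a)]


def explain(config_text, debug_text):
    """Map each proposed transform number to the attributes on which it fails the policy."""
    policies = parse_policies(config_text)
    return {t["transform"]: mismatched_attributes(t, policies[t["policy"]])
            for t in parse_transforms(debug_text)}


if __name__ == "__main__":
    for num, bad in explain(POLICY_CONFIG, DEBUG_LOG).items():
        verdict = "all four attributes match" if not bad else "rejected on " + ", ".join(bad)
        print(f"transform {num}: {verdict}")
```

Run against a real `show running-config` and a saved debug, the output lists one line per proposed transform; a transform reported with an empty mismatch list that the router still refuses points you past the attribute comparison to the pre-shared key or group lookup.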
06-18-2007 04:50 PM
Can you make sure the configured pre-shared key is the same on the client and the router?
HTH
Sundar
06-18-2007 11:59 PM
Hi Mike,
This is exactly what puzzled me here as well. Try to remove the ISAKMP policy and reapply it once more; maybe also disable and enable ISAKMP on the interface before trying again to connect with the client,
because from the debugs it mentions that the policy doesn't have pre-shared enabled, while the configuration clearly states that it is enabled.
Regards,
Shadi