07-23-2008 10:38 AM - edited 03-10-2019 03:59 PM
New to the group and I do have a situation that I hope someone can help me with. I am trying to set up a lab for one of my courses and I am using XP with Cisco VPN Client 5.0.0.3, a Cisco 2621XM router and Cisco Secure ACS version 4.2 configured for RADIUS.
My problem is this: when I open the VPN client and click Connect, I get the following message back.
*Mar 1 01:21:49.935: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 11.11.11.14 was not encrypted and it should've been.
The packet is not getting past the router, so I cannot even see if the ACS is working.
I have searched high and low and have not been able to find an answer to the problem. Can someone here give me a hand?
07-23-2008 01:54 PM
Please post your config.
07-23-2008 02:15 PM
I used the configuration from an example from the Cisco website. I will post it here. I also followed the setup outlined in the example for the ACS but it doesn't seem to get that far. Thanks for the help.
!--- Enable AAA for user authentication and group authorization.
aaa new-model
!
!--- In order to enable extended authentication (Xauth) for user authentication,
!--- enable the aaa authentication commands.
!--- "Group radius" specifies RADIUS user authentication.
aaa authentication login userauthen group radius
!--- In order to enable group authorization,
!--- enable the aaa authorization commands.
aaa authorization network groupauthor group radius
!
!
ip subnet-zero
ip audit po max-events 100
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Create a dynamic map and
!--- apply the transform set that was created.
crypto dynamic-map dynmap 10
set transform-set myset
!
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
half-duplex
crypto map clientmap
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 172.18.124.159 255.255.255.0
no keepalive
half-duplex
!
!--- Create a pool of addresses to be assigned
!--- to the VPN Clients.
ip local pool ippool 10.16.20.1 10.16.20.200
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip http server
ip pim bidir-enable
!
!--- Specify the IP address of the RADIUS server,
!--- along with the RADIUS shared secret key.
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key cisco123
radius-server retransmit 3
call rsvp-sync
07-23-2008 03:58 PM
Perhaps you should establish a working configuration with local authentication and authorization, and then migrate to RADIUS.
If you agree, you might try this first:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group psk-grp
key cisco123
pool ippool
acl 101
crypto isakmp profile psk-prof
match identity group psk-grp
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile psk-prof
reverse-route
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0/0
crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
access-list 101 remark --- Split tunneling for VPN client.
access-list 101 permit ip 172.18.124.0 0.0.0.255 10.16.20.0 0.0.0.255
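The migration step this reply recommends (get local authentication working, then move to RADIUS) carried through as an added example; it is not from any poster in this thread or from the Cisco example the original poster used. It keeps the ISAKMP profile and group names from the reply above (psk-grp, psk-prof, ippool, access list 101) and the RADIUS server address and key from the original post. The ACS-side attribute names in the comments, the test user name and password, and the choice of Ethernet0/1 as the RADIUS source interface are assumptions.

```cisco
! Added example: moving the working local-auth configuration above to ACS RADIUS.
! Assumes the RADIUS host/key from the original post (172.18.124.96, cisco123)
! and the group/profile/pool/ACL names from the reply above.
!
! Step 1: put RADIUS in front of the local methods instead of replacing them.
! Methods are tried in order; "local" is used only when RADIUS does not answer
! (timeout), not when it rejects the user, so the fallback does not weaken
! authentication and keeps the lab usable while ACS is being debugged.
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor group radius local
!
! Step 2: define the ACS server. The key must match the one entered for this
! AAA client in ACS, and the requests must leave from the address ACS knows
! the router by, hence the source-interface (assumed to be Ethernet0/1).
! 1645/1646 are the legacy RADIUS ports ACS 4.x listens on; 1812/1813 are
! the IANA ports, so use whichever ACS is actually configured for.
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key cisco123
radius-server retransmit 3
ip radius source-interface Ethernet0/1
!
! Step 3: the group attributes move to ACS, but the router still needs the
! profile to match the group name the client sends in its ID payload. The
! local "crypto isakmp client configuration group psk-grp" from the reply
! above can stay as the fallback for the "local" method and be removed once
! RADIUS is proven. (Assumption about the ACS side: a user named "psk-grp"
! with password "cisco" that returns cisco-av-pair
! ipsec:key-exchange=preshared-key, ipsec:addr-pool=ippool, ipsec:inacl=101
! and Tunnel-Password set to the group pre-shared key.)
crypto isakmp profile psk-prof
 match identity group psk-grp
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
! Step 4: verify from the router before touching the VPN client. This is an
! exec-mode command, not configuration; "vpnuser"/"vpnpass" are assumed ACS
! credentials ("new-code" on current images, "legacy" on older ones).
! "User successfully authenticated" proves reachability and the shared secret;
! a timeout means ACS never saw the request or the key does not match.
! test aaa group radius vpnuser vpnpass new-code
!
! Step 5: if the client still fails, watch both halves of the exchange from
! exec mode. "debug radius" shows whether the Access-Request for the group
! ever leaves and what comes back; "debug crypto isakmp" shows which phase 1
! step stops. Turn them off with "undebug all" when done.
! debug crypto isakmp
! debug radius
! show crypto isakmp sa
```

Run the test command first: if it times out, fix reachability or the shared secret before looking at ISAKMP at all, since the router cannot finish aggressive mode for a group it cannot look up.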
07-23-2008 04:42 PM
Thanks for the reply. I did have it working with AAA local and wanted to move on to the ACS. Do you think I should continue on with RADIUS or go over to TACACS+?