2800 router and Cisco VPN Client ver 5.0.01.0600 IKE fails

kmb · ‎02-12-2010

Hello,

I can't get past isakmp phase 1 negotiations.

here is the output of debug crypto isakmp error:

Feb 12 17:08:54.910: ISAKMP:(0): MM Fragmentation supported
Feb 12 17:08:54.910: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.910: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.910: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.910: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.910: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.910: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.910: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.910: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.910: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.910: ISAKMP:(0):Hash algorithm offered does not match policy!
Feb 12 17:08:54.910: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Preshared authentication offered but does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Hash algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 0
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Encryption algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Hash algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 12 17:08:54.914: ISAKMP:(0):Hash algorithm offered does not match policy!
Feb 12 17:08:54.914: ISAKMP:(0):atts are not acceptable. Next payload is 0
Feb 12 17:08:54.914: ISAKMP:(0):no offers accepted!
Feb 12 17:08:54.914: ISAKMP:(0): phase 1 SA policy not acceptable! (local 108.110.211.253 remote 70.179.112.191)
Feb 12 17:08:54.918: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 70.179.112.191)
Feb 12 17:08:54.918: ISAKMP:(0): group size changed! Should be 0, is 128
Feb 12 17:08:54.918: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Feb 12 17:08:54.918: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 70.179.112.191
Feb 12 17:08:54.918: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 70.179.112.191)

Seems as though no policy is acceptible.

3des and md5 HMAC is pretty common.

What gives?

Here is my config:

Current configuration : 3116 bytes
!
! Last configuration change at 15:39:09 UTC Fri Feb 12 2010
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname "--Removed--"
!
boot-start-marker
boot-end-marker
!
enable secret 5 "--Removed--"
enable password 7 "--Removed--"
!
aaa new-model
!
!
aaa authentication login myAuthen local
aaa authorization network myAuthor none
!
!
aaa session-id common
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.100 192.168.1.254
!
ip dhcp pool Ethernet_0_pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 206.228.179.10 144.228.254.10 144.228.255.10
!
!
ip domain name dyndns.org
ip name-server 206.228.179.10
ip ddns update method dyndnsdotorg
HTTP
add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
!
multilink bundle-name authenticated
!
chat-script cdma "" "ATDT#777" TIMEOUT 60 "CONNECT"
password encryption aes
!
!
!
!
username "--Removed--"" password 7 "--Removed--"
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group vpn
key 6 "--Removed--"
pool VPNpool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
match address 101
!
!
crypto map clientmap client authentication list myAuthen
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0/3/0
ip dhcp client update dns
ip ddns update hostname "--Removed--"
ip ddns update dyndnsdotorg
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string cdma
dialer-group 1
async mode interactive
ppp chap password 7 "--Removed--"
crypto map clientmap
!
interface Async0/1/0
no ip address
encapsulation slip
!
ip local pool VPNpool 192.168.2.100 192.168.2.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Cellular0/3/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Cellular0/3/0 overload
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Nat Access-List
access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 101 remark vpn ecrypted traffic
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 0/1/0
password 7 "--Removed--"
modem Dialin
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line 0/3/0
script dialer cdma
no exec
rxspeed 3100000
txspeed 1800000
line vty 0 4
!
scheduler allocate 20000 1000
ntp clock-period 17180166
ntp source Cellular0/3/0
ntp peer 129.6.15.28
!
end

Federico Coto Fajardo · ‎02-12-2010

Hi,

Think you're missing this command:

crypto map clientmap isakmp authorization list MyAuthor

Also, for phase 1 you're using SHA and not MD5. You're using MD5 for phase 2.

Why do you have the command:

crypto isakmp fragmentation

The problem is with phase 1.

Try creating another policy:

crypto isakmp policy 20
encr 3des
authentication pre-share

hash md5
group 2

Let me know.

Federico.

kmb · ‎02-13-2010

I must admit I am completely confused here.

The first step is IKE ... phase one.

As I understand IPSEC the peers must agree on security attributes to exchange a shared secret.

I have a transform-set specifying:

3des

MD5

DH = group 2

xauth = preshared keys

yet my debug output shows this:

Feb 13 15:18:02.624: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
Feb 13 15:18:02.624: ISAKMP:      encryption 3DES-CBC
Feb 13 15:18:02.624: ISAKMP:      hash MD5
Feb 13 15:18:02.624: ISAKMP:      default group 2
Feb 13 15:18:02.624: ISAKMP:      auth XAUTHInitPreShared
Feb 13 15:18:02.624: ISAKMP:      life type in seconds
Feb 13 15:18:02.624: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Feb 13 15:18:02.624: ISAKMP:(0):Hash algorithm offered does not match policy!
Feb 13 15:18:02.624: ISAKMP:(0):atts are not acceptable. Next payload is 3

My config clearly shows "MD5" for policy 10.

Why is this being rejected on the hash when the hash is set to MD5 ???????????????????

My jaw has dropped to the ground.

Federico Coto Fajardo · ‎02-13-2010

Let's see...

This is your phase 1 configuration:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

You're using SHA as the has algorithm, because is the default on Cisco Routers, you can check with the command ''show crypto isakmp policy''

We're not going to be into phase 2 since we can't get past phase 1.

Now, even if you're using SHA or MD5, this should not be a problem for the VPN client, since the policies are pushed from the router to the client.

The last debugs are normal, since when the VPN client attempts to connect, it is going to check all possible combinations of phase 1 parameters against the only phase 1 policy (which is currently policy 10). So if the client is testing MD5 hash against policy 10, obvioulsy there's going to be a mismatch since policy 10 is using SHA.

Anyway, we still have to figure out why you're not getting past phase 1.

Have you tried creating another phase 1 policy just to check if the problem persists?

You can use 5 to check this policy before checking policy 10

crypto isakmp policy 5

encr 3des

hash md5
authentication pre-share
group 2

Let's see the resuts.

Federico.

kmb · ‎02-13-2010

Wow.

I went back and looked and your right.

I have changed that so many times I guess I didn't get it back in the config.

Here is the log with three policies that were rejected:

Feb 13 15:18:02.624: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
Feb 13 15:18:02.624: ISAKMP:      encryption 3DES-CBC
Feb 13 15:18:02.624: ISAKMP:      hash SHA
Feb 13 15:18:02.624: ISAKMP:      default group 2
Feb 13 15:18:02.624: ISAKMP:      auth XAUTHInitPreShared
Feb 13 15:18:02.624: ISAKMP:      life type in seconds
Feb 13 15:18:02.624: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Feb 13 15:18:02.624: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
Feb 13 15:18:02.624: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 13 15:18:02.624: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
Feb 13 15:18:02.624: ISAKMP:      encryption 3DES-CBC
Feb 13 15:18:02.624: ISAKMP:      hash MD5
Feb 13 15:18:02.624: ISAKMP:      default group 2
Feb 13 15:18:02.624: ISAKMP:      auth XAUTHInitPreShared
Feb 13 15:18:02.624: ISAKMP:      life type in seconds
Feb 13 15:18:02.624: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Feb 13 15:18:02.624: ISAKMP:(0):Hash algorithm offered does not match policy!

^ we now know why

Feb 13 15:18:02.624: ISAKMP:(0):atts are not acceptable. Next payload is 3
Feb 13 15:18:02.624: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
Feb 13 15:18:02.624: ISAKMP:      encryption 3DES-CBC
Feb 13 15:18:02.624: ISAKMP:      hash SHA
Feb 13 15:18:02.624: ISAKMP:      default group 2
Feb 13 15:18:02.624: ISAKMP:      auth pre-share
Feb 13 15:18:02.624: ISAKMP:      life type in seconds
Feb 13 15:18:02.624: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Feb 13 15:18:02.624: ISAKMP:(0):Preshared authentication offered but does not match policy!
Feb 13 15:18:02.624: ISAKMP:(0):atts are not acceptable. Next payload is 3

The problem seems to be that I don't have the proper IKE phase one authentication setup correctly.

I re-studied IKE phase one and Diffie-Hellman and it seems I did not understand it as well as I thought.

Diffie-Hellman allows exchange of private keys in a public network but it does not provide any means of authentication for the IKE phase one process.

This must be done outside of Diffie-Hellman.

Wikipedia states that authentication methods allowed for IKE phase one are pre-shared secrets, signatures, or PKI.

An extension to IKE allows for Xauth (which if I understand it correctly is an external IP host providing authentication ... such as a Radius or Kerberos server).

I have chosen pre-shared since I don't want to stand up any additional servers.

My questions are:

1> How should I correctly setup pre-shared keys on the router (with or without AAA new model ... whichever is simpler)?

2> Where do I set the pre-shared key in the Cisco VPN client (versions 4 or 5)?

also ...

3> what about the username and password in the Cisco VPN client?

4> what about the username and password in the router?

Are these used later in the process?

Thanks for all your help.

Federico Coto Fajardo · ‎02-13-2010

The error that you're getting is because there's a mismatch in the pre-shared key between the router and the client.

On the VPN client, you need to use the following parameters:

Group name: vpn
Group password (pre-shared-key): the one that you specified under the ''crypto isakmp client configuration group vpn'' command.

Then, when you're prompted for username and password authentication, you use the credentials specified with the command:

username "--Removed--"" password 7 "--Removed--"

Let me know.

Federico.

kmb · ‎02-14-2010

I did:

crypto isakmp client configuration group vpn

then:

no key 6 "the string copied from config"

then re-added the key:

key 0 "plain text key"

On the Cisco client, under "Group Authentication" I set username = vpn

and password as the key entered above.

They are now the same but ...

... I still get:

Feb 14 15:03:02.897: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
Feb 14 15:03:02.897: ISAKMP:      encryption 3DES-CBC
Feb 14 15:03:02.897: ISAKMP:      hash SHA
Feb 14 15:03:02.897: ISAKMP:      default group 2
Feb 14 15:03:02.897: ISAKMP:      auth pre-share
Feb 14 15:03:02.897: ISAKMP:      life type in seconds
Feb 14 15:03:02.897: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Feb 14 15:03:02.897: ISAKMP:(0):Preshared authentication offered but does not match policy!

It's not saying the key mismatched it says the policy is not set for pre-shared keys ????

I must have missed something.

Federico Coto Fajardo · ‎02-14-2010

Your current IKE phase 1 policy it's using pre-shared keys for peer authentication (according to the configuration that you attached)....

You can adding a test group to check if the problem persists....

crypto isakmp client configuration group TEST

key somepassword

pool pool's name

Then, on the VPN cliient, you create a new connection with the following information:

Host: Public IP address of the router

Under Authentication Tab:

Name: TEST

Password: somepassword

Confirm Password: somepassword

Are you getting prompted for username and password after this?

Federico.

kmb · ‎02-15-2010

I performed exactly those steps and got the same issue.

Feb 15 20:56:40.241: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
Feb 15 20:56:40.241: ISAKMP:      encryption 3DES-CBC
Feb 15 20:56:40.241: ISAKMP:      hash SHA
Feb 15 20:56:40.241: ISAKMP:      default group 2
Feb 15 20:56:40.241: ISAKMP:      auth pre-share
Feb 15 20:56:40.241: ISAKMP:      life type in seconds
Feb 15 20:56:40.241: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Feb 15 20:56:40.241: ISAKMP:(0):Preshared authentication offered but does not match policy!
Feb 15 20:56:40.241: ISAKMP:(0):atts are not acceptable. Next payload is 3

It seems that the router believe it is not conigured for Pre-Shared keys.

Federico Coto Fajardo · ‎02-15-2010

Checking the configuration, policy 10 is using pre-shared keys.

If you enter the command, ''show crypto isakmp policy'' it shows that policy 10 is configured for pre-shared key authentication indeed?

Could be a mismatch between the configuration that you attached and the current configuration.

Please check on this.

Federico.

kmb · ‎02-15-2010

Router#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Router#show run

!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group vpn
key 6 RHh^ONYL_WOKJSCGPRWEGbJLdbUHe[KdfAAB
pool VPNpool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
match address 101
!
!
crypto map clientmap client authentication list myAuthen
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!

Federico Coto Fajardo · ‎02-16-2010

I have a router with the same phase 1 configuration:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

When I try to connect with the VPN client, I get this debug:

20:26:58: ISAKMP (8): Checking ISAKMP transform 1 against priority 10 policy
20:26:58: ISAKMP:      encryption 3DES-CBC
20:26:58: ISAKMP:      hash SHA
20:26:58: ISAKMP:      default group 2
20:26:58: ISAKMP:      auth pre-share
20:26:58: ISAKMP (8): atts are acceptable.

This is because both router and VPN client are configured for pre-shared key authentication.

For a test you can do the following:

no crypto isakmp policy 10
crypto isakmp policy 10
encr 3des
group 2

And try the VPN client connection again, just to make sure that you get the same error, because now policy 10 is using
RSA Digital certificate peer authentication.

Again, do:

no crypto isakmp policy 10
crypto isakmp policy 50
encr 3des
authentication pre-share
hash md5
group 2

And attach the results from the output one more time.

Two questions:

1. Can you attached the SH VER from the router?
2. Can you try another version of the VPN client and make sure that you're setting up the pre-shared key correctly?

Federico.

kmb · ‎02-21-2010

1. Show Ver:

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)
ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

System image file is "flash:c2800nm-advsecurityk9-mz.124-15.T8.bin"

Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FTX1324AH40
2 FastEthernet interfaces
1 Serial interface
2 terminal lines
1 Virtual Private Network (VPN) Module
1 Cellular interface
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

2. I used 4.7 something and then tried the latest Cisco VPN client 5.0 ... same results.

tried your suggestions but still got:

Feb 21 17:32:58.778: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
Feb 21 17:32:58.778: ISAKMP:      encryption 3DES-CBC
Feb 21 17:32:58.778: ISAKMP:      hash SHA
Feb 21 17:32:58.778: ISAKMP:      default group 2
Feb 21 17:32:58.778: ISAKMP:      auth pre-share
Feb 21 17:32:58.778: ISAKMP:      life type in seconds
Feb 21 17:32:58.778: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Feb 21 17:32:58.778: ISAKMP:(0):Authentication method offered does not match policy!
Feb 21 17:32:58.778: ISAKMP:(0):atts are not acceptable. Next payload is 3

while ...

#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Federico Coto Fajardo · ‎02-21-2010

Look at your show crypto isakmp policy....

Policy 10 is using RSA for peer authentication... should use pre-shared keys..

Federico.

kmb · ‎02-22-2010

True ... I forgot and left it the way you asked.

Never got prompted for username and password.

Also the isakmp debug shows no policies are accepted.

Probably because I don't have the Cisco client setup for a Cert so It was never offered as a policy.

I still feel that the debug indicates not a mismatch between pre-shared keys but that the policy 10 does not have a properly configured pre-shared key even though the policy was set for pre-shared key before this last test.