EZVPN Error

Unanswered Question
Jun 14th, 2010

Hello,

I have no idea why my Cisco EZVPN is not working.  I have used a very similar config before and it worked just fine.  I am using a Cisco 1751V running c1700-adventerprisek9-mz.124-25c IOS.  I have tried just about every combo of crypto and hash types.  I am using Cisco VPN Client 5.0.07.0240.


When connecting I am getting these errors on the debug crypto isakmp errors

Encryption algorithm offered does not match policy!
001240: Jun 14 20:04:31.241 HAWAII: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001241: Jun 14 20:04:31.241 HAWAII: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
001242: Jun 14 20:04:31.245 HAWAII: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

001298: Jun 14 20:04:31.277 HAWAII: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
001299: Jun 14 20:04:31.277 HAWAII: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
001300: Jun 14 20:04:31.281 HAWAII: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 172.25.1.100
001301: Jun 14 20:04:31.281 HAWAII: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 172.25.1.100)

Here is my config:

aaa authentication login VPN_AUTH local
aaa authorization network VPN_AUTH local

crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_GROUP
 key XXXX
 pool VPN_CLIENTS
 netmask 255.255.255.0
!
!
crypto ipsec transform-set VPN_TRANSFORM esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_MAP 10
 set transform-set VPN_TRANSFORM
 reverse-route
!
!
crypto map VPN_MAP isakmp authorization list VPN_AUTH
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_MAP
!
interface FastEthernet0/0
 crypto map VPN_MAP

Here are the full debugs:
001546: Jun 14 20:08:20.305 HAWAII: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
001547: Jun 14 20:08:20.305 HAWAII: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001548: Jun 14 20:08:20.305 HAWAII: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 10 against priority 65535 policy
001549: Jun 14 20:08:20.305 HAWAII: ISAKMP:      encryption 3DES-CBC
001550: Jun 14 20:08:20.305 HAWAII: ISAKMP:      hash MD5
001551: Jun 14 20:08:20.305 HAWAII: ISAKMP:      default group 2
001552: Jun 14 20:08:20.305 HAWAII: ISAKMP:      auth XAUTHInitPreShared
001553: Jun 14 20:08:20.305 HAWAII: ISAKMP:      life type in seconds
001554: Jun 14 20:08:20.305 HAWAII: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001555: Jun 14 20:08:20.309 HAWAII: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
001556: Jun 14 20:08:20.309 HAWAII: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001557: Jun 14 20:08:20.309 HAWAII: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 11 against priority 65535 policy
001558: Jun 14 20:08:20.309 HAWAII: ISAKMP:      encryption 3DES-CBC
001559: Jun 14 20:08:20.309 HAWAII: ISAKMP:      hash SHA
001560: Jun 14 20:08:20.309 HAWAII: ISAKMP:      default group 2
001561: Jun 14 20:08:20.309 HAWAII: ISAKMP:      auth pre-share
001562: Jun 14 20:08:20.309 HAWAII: ISAKMP:      life type in seconds
001563: Jun 14 20:08:20.309 HAWAII: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001564: Jun 14 20:08:20.313 HAWAII: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
001565: Jun 14 20:08:20.313 HAWAII: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001566: Jun 14 20:08:20.313 HAWAII: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 65535 policy
001567: Jun 14 20:08:20.313 HAWAII: ISAKMP:      encryption 3DES-CBC
001568: Jun 14 20:08:20.313 HAWAII: ISAKMP:      hash MD5
001569: Jun 14 20:08:20.313 HAWAII: ISAKMP:      default group 2
001570: Jun 14 20:08:20.313 HAWAII: ISAKMP:      auth pre-share
001571: Jun 14 20:08:20.313 HAWAII: ISAKMP:      life type in seconds
001572: Jun 14 20:08:20.313 HAWAII: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001573: Jun 14 20:08:20.313 HAWAII: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
001574: Jun 14 20:08:20.317 HAWAII: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001575: Jun 14 20:08:20.317 HAWAII: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 65535 policy
001576: Jun 14 20:08:20.317 HAWAII: ISAKMP:      encryption DES-CBC
001577: Jun 14 20:08:20.317 HAWAII: ISAKMP:      hash MD5
001578: Jun 14 20:08:20.317 HAWAII: ISAKMP:      default group 2
001579: Jun 14 20:08:20.317 HAWAII: ISAKMP:      auth XAUTHInitPreShared
001580: Jun 14 20:08:20.317 HAWAII: ISAKMP:      life type in seconds
001581: Jun 14 20:08:20.317 HAWAII: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001582: Jun 14 20:08:20.317 HAWAII: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
001583: Jun 14 20:08:20.317 HAWAII: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001584: Jun 14 20:08:20.321 HAWAII: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
001585: Jun 14 20:08:20.321 HAWAII: ISAKMP:      encryption DES-CBC
001586: Jun 14 20:08:20.321 HAWAII: ISAKMP:      hash MD5
001587: Jun 14 20:08:20.321 HAWAII: ISAKMP:      default group 2
001588: Jun 14 20:08:20.321 HAWAII: ISAKMP:      auth pre-share
001589: Jun 14 20:08:20.321 HAWAII: ISAKMP:      life type in seconds
001590: Jun 14 20:08:20.321 HAWAII: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001591: Jun 14 20:08:20.321 HAWAII: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
001592: Jun 14 20:08:20.321 HAWAII: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
001593: Jun 14 20:08:20.321 HAWAII: ISAKMP:(0:0:N/A:0):no offers accepted!
001594: Jun 14 20:08:20.325 HAWAII: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 76.93.222.255 remote 172.25.1.100)
001595: Jun 14 20:08:20.325 HAWAII: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
001596: Jun 14 20:08:20.325 HAWAII: ISAKMP:(0:0:N/A:0): sending packet to 172.25.1.100 my_port 500 peer_port 61888 (R) AG_NO_STATE
001597: Jun 14 20:08:20.325 HAWAII: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
001598: Jun 14 20:08:20.329 HAWAII: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 172.25.1.100)
001599: Jun 14 20:08:20.329 HAWAII: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
001600: Jun 14 20:08:20.329 HAWAII: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
001601: Jun 14 20:08:20.329 HAWAII: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
001602: Jun 14 20:08:20.329 HAWAII: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
001603: Jun 14 20:08:20.329 HAWAII: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
001604: Jun 14 20:08:20.329 HAWAII: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY
001605: Jun 14 20:08:20.333 HAWAII: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 172.25.1.100
001606: Jun 14 20:08:20.337 HAWAII: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 172.25.1.100)
001607: Jun 14 20:08:20.337 HAWAII: ISAKMP: Unlocking IKE struct 0x84B2C428 for isadb_mark_sa_deleted(), count 0
001608: Jun 14 20:08:20.337 HAWAII: ISAKMP: Deleting peer node by peer_reap for 172.25.1.100: 84B2C428
001609: Jun 14 20:08:20.337 HAWAII: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001610: Jun 14 20:08:20.341 HAWAII: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA
001611: Jun 14 20:08:25.209 HAWAII: ISAKMP (0:0): received packet from 172.25.1.100 dport 500 sport 61888 Global (R) MM_NO_STATE

Thanks for your help,
Anthony
Vikrant Ambhore Tue, 06/15/2010 - 01:56

Type encr 3des under crypto isakmp policy 10

e.g.:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2


Regards
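
The policy comparison behind the suggestion above, as an added example that is not part of the thread: it parses the transforms the VPN client offered (lines copied from the debug in the first post, sequence numbers and timestamps trimmed) and compares them with policy 10 as first posted and with `encr 3des` added. It assumes the IOS defaults of DES and SHA-1 for attributes a policy leaves unset and does not compare lifetime; the function and constant names are illustrative.

```python
import re

# Debug lines from the first post (sequence numbers and timestamps trimmed).
DEBUG = """\
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 10 against priority 65535 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 11 against priority 65535 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")

def offered_transforms(text):
    """Return {transform number: {attribute: value}} for each offer the peer sent."""
    offers, current = {}, None
    for line in text.splitlines():
        if m := CHECK.search(line):
            current = offers.setdefault(int(m.group(1)), {})
        elif current is not None and (m := ATTR.search(line)):
            current[m.group(1).replace("default ", "")] = m.group(2)
    return offers

def policy(**configured):  # assumption: unset encryption/hash use IOS defaults (DES, SHA-1)
    return {"encryption": "DES-CBC", "hash": "SHA", **configured}

def mismatches(offer, pol):
    """Attributes on which an offer differs from a policy (lifetime is not compared)."""
    return [k for k in ("encryption", "hash", "group", "auth") if offer.get(k) != pol.get(k)]

def first_match(offers, pol):
    return next((n for n, o in sorted(offers.items()) if not mismatches(o, pol)), None)

POSTED = policy(group="2", auth="pre-share")                        # policy 10 as first posted
FIXED = policy(encryption="3DES-CBC", group="2", auth="pre-share")  # with encr 3des added

if __name__ == "__main__":
    print([first_match(offered_transforms(DEBUG), p) for p in (POSTED, FIXED)])
```

With the policy as first posted no offer matches; with `encr 3des` the only match is transform 11, the plain pre-share offer, while the XAUTH offer (transform 10) still differs on hash and authentication method.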

Anthony Wurtele Tue, 06/15/2010 - 03:21

I have added that command.  It was always in there but in my troubleshooting I must have accidentally removed it.  Please look at the attached file as you will see the entire debug.


Thanks for your help.

Anthony

Vikrant Ambhore Wed, 06/16/2010 - 07:16

Hi Anthony,



Can you post your run conf? Also, please let me know which router is your remote router and which is the main router. It would be great if you could send me the configuration of both routers.




Regards


Vikrant

Anthony Wurtele Wed, 06/16/2010 - 11:23

Vikrant,


There is only 1 router and my PC with the Cisco VPN client.  I can post the whole config but it's pretty long and most of it is voice stuff that is really not important.  Here is a scrubbed version of my config:



version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EANET-1751V
!
boot-start-marker
boot system flash:c1700-adventerprisek9-mz.124-25c.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_AUTH local
aaa authorization network VPN_AUTH local
!
aaa session-id common
clock timezone HAWAII -10
voice-card 2
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.25.1.1 172.25.1.100
!
ip dhcp pool DATA
   network 172.25.1.0 255.255.255.0
   default-router 172.25.1.1
   dns-server 8.8.8.8
!
!
no ip bootp server
ip domain name wrnets.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!

!
!
!
crypto pki trustpoint TP-self-signed-4229048994
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4229048994
 revocation-check none
 rsakeypair TP-self-signed-4229048994
!
!
crypto pki certificate chain TP-self-signed-4229048994
 certificate self-signed 01
  quit

archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh version 2
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_GROUP
 key XXXXX
 pool VPN_CLIENTS
 netmask 255.255.255.0
!
!
crypto ipsec transform-set VPN_TRANSFORM esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_MAP 10
 set transform-set VPN_TRANSFORM
 reverse-route
!
!
crypto map VPN_MAP isakmp authorization list VPN_AUTH
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_MAP

interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description To Time Warner Cable
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed auto
 no cdp enable
 crypto map VPN_MAP

interface Vlan100
 description DATA VLAN
 ip address 172.25.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip local pool VPN_CLIENTS 172.25.10.100 172.25.10.120
ip forward-protocol nd
!
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload

!
ip access-list extended NAT
 permit ip 172.25.1.0 0.0.0.255 any

Vikrant Ambhore Fri, 06/18/2010 - 20:56

Sorry, I was busy last week. Can you please tell me if you want to connect your PC to the router via Cisco VPN Client using dial-up? Am I right?