Router ignores configured policies for VPN

jasonww04
Level 1

These are the policies configured for phase 1:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 7
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 9
encr aes 256
authentication pre-share
group 2
lifetime 28800

However, this is what my debug tells me:

Jul 16 18:23:19: ISAKMP:(0):found peer pre-shared key matching 67.216.78.20
Jul 16 18:23:19: ISAKMP:(0): local preshared key found
Jul 16 18:23:19: ISAKMP : Scanning profiles for xauth ...
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
Jul 16 18:23:19: ISAKMP:      hash MD5
Jul 16 18:23:19: ISAKMP:      default group 2
Jul 16 18:23:19: ISAKMP:      auth pre-share
Jul 16 18:23:19: ISAKMP:      life type in seconds
Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
Jul 16 18:23:19: ISAKMP:      hash MD5
Jul 16 18:23:19: ISAKMP:      default group 2
Jul 16 18:23:19: ISAKMP:      auth pre-share
Jul 16 18:23:19: ISAKMP:      life type in seconds
Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
Jul 16 18:23:19: ISAKMP:      hash MD5
Jul 16 18:23:19: ISAKMP:      default group 2
Jul 16 18:23:19: ISAKMP:      auth pre-share
Jul 16 18:23:19: ISAKMP:      life type in seconds
Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 7 policy
Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
Jul 16 18:23:19: ISAKMP:      hash MD5
Jul 16 18:23:19: ISAKMP:      default group 2
Jul 16 18:23:19: ISAKMP:      auth pre-share
Jul 16 18:23:19: ISAKMP:      life type in seconds
Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 9 policy
Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
Jul 16 18:23:19: ISAKMP:      hash MD5
Jul 16 18:23:19: ISAKMP:      default group 2
Jul 16 18:23:19: ISAKMP:      auth pre-share
Jul 16 18:23:19: ISAKMP:      life type in seconds
Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jul 16 18:23:19: ISAKMP:      encryption DES-CBC
Jul 16 18:23:19: ISAKMP:      hash MD5
Jul 16 18:23:19: ISAKMP:      default group 2
Jul 16 18:23:19: ISAKMP:      auth pre-share
Jul 16 18:23:19: ISAKMP:      life type in seconds
Jul 16 18:23:19: ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):no offers accepted!
Jul 16 18:23:19: ISAKMP:(0): phase 1 SA policy not acceptable! (local 65.118.143.194 remote 67.216.78.20)

The router is completely ignoring all of the configured policies and trying with nothing but the default. Is this a bug?

Accepted Solution

Loren Kolnes
Cisco Employee

Hi Jason,

What you are seeing is the isakmp policy that the peer is proposing and it is being compared to the isakmp policies you have configured on your router.

Can you add another isakmp policy that matches this proposal to see if phase 1 completes.

crypto isakmp policy 2
encr des
authentication pre-share
hash md5
group 2
lifetime 7200

What is the peer device?

Regards,

Loren
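The comparison Loren describes can be reproduced offline. The script below is an added example written for this thread, not Cisco code: it parses the poster's `crypto isakmp policy` blocks (abbreviated here to policies 1, 5 and 9, plus the implicit default policy 65535 that IOS always appends), extracts the peer's single proposed transform from the first block of the debug output above (constructed sample, copied from the post), and walks the same ordered check the router performs. The rules it assumes are the documented IOS ones: encryption, hash, authentication and DH group must match exactly, the peer's lifetime must be no longer than the policy's, and the default policy is des / sha / rsa-sig / group 1 / 86400 s. The order in which attributes are compared is an approximation taken from the debug messages, not a statement about IOS internals. Appending the policy 2 that the accepted answer suggests makes the same offer match.

```python
"""Illustrative IKEv1 phase 1 policy matcher (added example, not Cisco code).
Reproduces the walk the 'debug crypto isakmp' output shows: the peer's single
transform is tried against each local 'crypto isakmp policy' in ascending
priority, then against the implicit default policy 65535."""
import re
from dataclasses import dataclass

# Attribute defaults IOS applies to any policy that omits them; the implicit
# policy 65535 consists entirely of these defaults.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": 1, "lifetime": 86400}

@dataclass(frozen=True)
class Policy:
    priority: int
    encr: str
    hash: str
    auth: str
    group: int
    lifetime: int

# Constructed sample: three of the five policies from the original post.
ROUTER_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 9
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
"""

# Constructed sample: the peer's transform as printed in the post's debug.
PEER_OFFER_DEBUG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x1C 0x20
"""

# The policy the accepted answer suggests adding.
FIX = "crypto isakmp policy 2\n encr des\n hash md5\n authentication pre-share\n group 2\n lifetime 7200\n"

def parse_policies(config: str) -> list[Policy]:
    """Parse 'crypto isakmp policy N' blocks; omitted attributes take IOS defaults."""
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            if current:
                policies.append(Policy(**current))
            current = {"priority": int(m.group(1)), **IOS_DEFAULTS}
            continue
        if current is None or line in ("", "!"):
            continue
        key, _, val = line.partition(" ")
        if key == "encr":
            current["encr"] = val.replace(" ", "-")   # "aes 256" -> "aes-256"
        elif key == "hash":
            current["hash"] = val
        elif key == "authentication":
            current["auth"] = val
        elif key == "group":
            current["group"] = int(val)
        elif key == "lifetime":
            current["lifetime"] = int(val)
    if current:
        policies.append(Policy(**current))
    policies.sort(key=lambda p: p.priority)
    return policies + [Policy(priority=65535, **IOS_DEFAULTS)]

def parse_offer(debug: str) -> dict:
    """Pull the peer's proposed transform out of 'debug crypto isakmp' lines."""
    enc_names = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
    def grab(pat):
        return re.search(pat, debug).group(1)
    # Lifetime is printed as big-endian bytes: 0x0 0x0 0x1C 0x20 -> 7200 seconds
    life = [int(b, 16) for b in grab(r"life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)").split()]
    return {
        "encr": enc_names[grab(r"encryption (\S+)")],
        "hash": grab(r"hash (\S+)").lower(),
        "group": int(grab(r"default group (\d+)")),
        "auth": grab(r"auth (\S+)"),
        "lifetime": int.from_bytes(bytes(life), "big"),
    }

def match_policy(policies: list[Policy], offer: dict):
    """Return (accepted policy or None, [(priority, reason)] for each rejected policy)."""
    rejections = []
    for p in policies:
        for attr in ("encr", "hash", "auth", "group"):
            if getattr(p, attr) != offer[attr]:
                rejections.append((p.priority, f"{attr} offered does not match policy"))
                break
        else:
            # A peer lifetime shorter than the policy's is accepted; a longer one is not.
            if offer["lifetime"] > p.lifetime:
                rejections.append((p.priority, "lifetime offered exceeds policy"))
                continue
            return p, rejections
    return None, rejections

def explain(config: str, debug: str) -> str:
    """Render the walk in the same spirit as the router's debug output."""
    accepted, rejections = match_policy(parse_policies(config), parse_offer(debug))
    lines = [f"priority {pr}: {why}" for pr, why in rejections]
    lines.append(f"accepted: policy {accepted.priority}" if accepted else "no offers accepted!")
    return "\n".join(lines)

if __name__ == "__main__":
    print(explain(ROUTER_CONFIG, PEER_OFFER_DEBUG))          # every policy rejected
    print(explain(ROUTER_CONFIG + FIX, PEER_OFFER_DEBUG))    # policy 2 accepted
```

Two things the walk makes visible that the raw debug does not: policy 5 silently carries the default `hash sha` and `lifetime 86400` because the post's config omits them, and the default policy 65535 gets as far as the hash check only because its own encryption is DES, which is exactly why that one line in the debug reads "Hash algorithm" instead of "Encryption algorithm".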


The peer device is Microsoft TMG (aka ISA).

As a follow up, we took your advice and added that policy you suggested. The VPN came up but with a twist. Phase 1 was established using AES and SHA, which is what we wanted in the first place! Does anyone know why we had to add a policy for phase 1 in order to get the devices to establish phase 1 using a different policy?

Can you send the output of the following commands:

show crypto isakmp sa

show crypto ipsec sa peer [remote-peer-ip-address]

Here are the results of the show commands:

vib-oh_life#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
63.123.252.12   65.118.143.194  QM_IDLE           1797    0 ACTIVE
65.118.143.194  67.216.78.20    QM_IDLE           1801    0 ACTIVE
65.118.143.194  69.238.9.15     QM_IDLE           1800    0 ACTIVE

IPv6 Crypto ISAKMP SA

vib-oh_life#sh cry ipsec sa peer 67.216.78.20

interface: FastEthernet0/0
    Crypto map tag: to_vpn, local addr 65.118.143.194

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.253.1.0/255.255.255.0/0/0)
   current_peer 67.216.78.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 65.118.143.194, remote crypto endpt.: 67.216.78.20
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.254.1.0/255.255.255.0/0/0)
   current_peer 67.216.78.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 65.118.143.194, remote crypto endpt.: 67.216.78.20
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.41.0.0/255.255.0.0/0/0)
   current_peer 67.216.78.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3911788, #pkts encrypt: 3911788, #pkts digest: 3911788
    #pkts decaps: 2266910, #pkts decrypt: 2266910, #pkts verify: 2266910
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 527, #recv errors 100

     local crypto endpt.: 65.118.143.194, remote crypto endpt.: 67.216.78.20
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x5326E891(1395058833)

     inbound esp sas:
      spi: 0x22779B21(578263841)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3119, flow_id: NETGX:1119, crypto map: to_vpn
        sa timing: remaining key lifetime (k/sec): (4444393/2890)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5326E891(1395058833)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3120, flow_id: NETGX:1120, crypto map: to_vpn
        sa timing: remaining key lifetime (k/sec): (4405275/2890)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.52.0.0/255.255.0.0/0/0)
   current_peer 67.216.78.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 65.118.143.194, remote crypto endpt.: 67.216.78.20
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Hi,

The phase 2 SA is being built with 3DES and SHA.

I meant to ask for "show crypto isakmp detail" to verify the Phase 1 SA, can you check this to determine what the Cisco device is using to secure Phase 1?

Thanks,

Loren
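Reading four `protected vrf` blocks by eye to find the one SA that is actually up is error-prone, so here is a small triage script, added as an example for this thread and not Cisco code. It parses `show crypto ipsec sa peer <ip>` output into one record per crypto ACL entry, reports whether an ESP SA exists, the encaps/decaps counters and the current outbound SPI, and flags legacy transforms (DES, 3DES, MD5, null). The sample output is a constructed, abbreviated copy of the poster's: the 10.253.1.0/24 entry has a crypto map match but no SA, the 10.41.0.0/16 entry carries traffic under esp-3des esp-sha-hmac. The set of transforms treated as legacy is this example's own choice.

```python
"""Triage helper for 'show crypto ipsec sa peer <ip>' output (added example,
not Cisco code). One record per 'protected vrf' block, i.e. per crypto ACL
line, with an assessment of whether an ESP SA is up and how strong it is."""
import re

# Transforms this example treats as legacy (assumption of the example).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed sample, abbreviated from the output posted in the thread.
SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: to_vpn, local addr 65.118.143.194

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.253.1.0/255.255.255.0/0/0)
   current_peer 67.216.78.20 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.41.0.0/255.255.0.0/0/0)
   current_peer 67.216.78.20 port 500
    #pkts encaps: 3911788, #pkts encrypt: 3911788, #pkts digest: 3911788
    #pkts decaps: 2266910, #pkts decrypt: 2266910, #pkts verify: 2266910
    #send errors 527, #recv errors 100
     current outbound spi: 0x5326E891(1395058833)

     inbound esp sas:
      spi: 0x22779B21(578263841)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4444393/2890)
        Status: ACTIVE

     outbound esp sas:
      spi: 0x5326E891(1395058833)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
"""

def parse_ipsec_sa(text: str) -> list[dict]:
    """Split on 'protected vrf:' and pull the fields that matter for triage."""
    records = []
    for block in re.split(r"(?=protected vrf:)", text)[1:]:
        def grab(pat, default=None):
            m = re.search(pat, block)
            return m.group(1) if m else default
        # An inbound ESP SA is present only if an spi/transform pair follows the header.
        inbound = re.search(
            r"inbound esp sas:\s*spi: 0x[0-9A-Fa-f]+\(\d+\)\s*transform: ([^,]+?)\s*,", block)
        records.append({
            "local": grab(r"local  ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)"),
            "remote": grab(r"remote ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)"),
            "peer": grab(r"current_peer (\S+)"),
            "encaps": int(grab(r"#pkts encaps: (\d+)", "0")),
            "decaps": int(grab(r"#pkts decaps: (\d+)", "0")),
            "outbound_spi": grab(r"current outbound spi: (0x[0-9A-Fa-f]+)"),
            "transform": inbound.group(1).split() if inbound else None,
        })
    return records

def assess(records: list[dict]) -> list[str]:
    """One verdict line per ACL entry: idle (no SA) or active, with legacy transforms flagged."""
    out = []
    for r in records:
        if r["transform"] is None:
            out.append(f"{r['remote']}: no ESP SA (outbound spi {r['outbound_spi']}), "
                       f"encaps={r['encaps']} decaps={r['decaps']}")
            continue
        weak = sorted(set(r["transform"]) & WEAK_TRANSFORMS)
        note = f"LEGACY {','.join(weak)}" if weak else "ok"
        out.append(f"{r['remote']}: ACTIVE {' '.join(r['transform'])} [{note}], "
                   f"encaps={r['encaps']} decaps={r['decaps']}")
    return out

if __name__ == "__main__":
    for line in assess(parse_ipsec_sa(SAMPLE)):
        print(line)
```

An entry with `current outbound spi: 0x0` and empty SA lists is not necessarily broken: no phase 2 SA is built for a crypto ACL line until traffic matching it arrives (or the peer initiates), so only entries that should be carrying traffic and still show zero counters deserve a closer look.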

Phase 1 is being created with AES and SHA, which is what we wanted from the start.

Hi,

Based on the previous debugging information the ISA server is not proposing AES/SHA, so why it is connecting with that is odd.

Can you provide the debugging information for this connection setup?

Thanks,

Loren

We have a few VPNs on this router so the debug will be hard to figure out. Currently the VPN we are working on is active and it is using AES/SHA for phase 1 and 3DES/SHA for phase 2.

Thanks for all your help.
