snow leopard built in vpn client not working

ahmad82pkn · ‎09-13-2010

Hi,

on my MAC, snow leopard built in vpn client no connecting with Cisco router acting as VPN server,

here is error log i get, can any one help? though i have these policies confgured on my router, but still it fails:S

Sep 13 16:04:03.211: ISAKMP (0:191): Checking ISAKMP transform 1 against priority 99 policy
Sep 13 16:04:03.211: ISAKMP:      life type in seconds
Sep 13 16:04:03.211: ISAKMP:      life duration (basic) of 3600
Sep 13 16:04:03.211: ISAKMP:      encryption AES-CBC
Sep 13 16:04:03.211: ISAKMP:      keylength of 256
Sep 13 16:04:03.211: ISAKMP:      auth XAUTHInitPreShared
Sep 13 16:04:03.211: ISAKMP:      hash SHA
Sep 13 16:04:03.211: ISAKMP:      default group 2
Sep 13 16:04:03.211: ISAKMP (0:191): Hash algorithm offered does not match policy!
Sep 13 16:04:03.211: ISAKMP (0:191): atts are not acceptable. Next payload is 3
Sep 13 16:04:03.211: ISAKMP (0:191): Checking ISAKMP transform 2 against priority 99 policy
Sep 13 16:04:03.211: ISAKMP:      life type in seconds
Sep 13 16:04:03.211: ISAKMP:      life duration (basic) of 3600
Sep 13 16:04:03.211: ISAKMP:      encryption AES-CBC
Sep 13 16:04:03.211: ISAKMP:      keylength of 128
Sep 13 16:04:03.211: ISAKMP:      auth XAUTHInitPreShared
Sep 13 16:04:03.211: ISAKMP:      hash SHA
Sep 13 16:04:03.211: ISAKMP:      default group 2
Sep 13 16:04:03.215: ISAKMP (0:191): Hash algorithm offered does not match policy!
Sep 13 16:04:03.215: ISAKMP (0:191): atts are not acceptable. Next payload is 3
Sep 13 16:04:03.215: ISAKMP (0:191): Checking ISAKMP transform 3 against priority 99 policy
Sep 13 16:04:03.215: ISAKMP:      life type in seconds
Sep 13 16:04:03.215: ISAKMP:      life duration (basic) of 3600
Sep 13 16:04:03.215: ISAKMP:      encryption AES-CBC
Sep 13 16:04:03.215: ISAKMP:      keylength of 256
Sep 13 16:04:03.215: ISAKMP:      auth XAUTHInitPreShared
Sep 13 16:04:03.215: ISAKMP:      hash MD5
Sep 13 16:04:03.215: ISAKMP:      default group 2
Sep 13 16:04:03.215: ISAKMP (0:191): Xauth authentication by pre-shared key offered but does not match policy!
Sep 13 16:04:03.215: ISAKMP (0:191): atts are not acceptable. Next payload is 3
Sep 13 16:04:03.215: ISAKMP (0:191): Checking ISAKMP transform 4 against priority 99 policy
Sep 13 16:04:03.215: ISAKMP:      life type in seconds
Sep 13 16:04:03.215: ISAKMP:      life duration (basic) of 3600
Sep 13 16:04:03.215: ISAKMP:      encryption AES-CBC
Sep 13 16:04:03.215: ISAKMP:      keylength of 128
Sep 13 16:04:03.215: ISAKMP:      auth XAUTHInitPreShared
Sep 13 16:04:03.215: ISAKMP:      hash MD5
Sep 13 16:04:03.215: ISAKMP:      default group 2
Sep 13 16:04:03.215: ISAKMP (0:191): Proposed key length does not match policy
Sep 13 16:04:03.215: ISAKMP (0:191): atts are not acceptable. Next payload is 3
Sep 13 16:04:03.215: ISAKMP (0:191): Checking ISAKMP transform 5 against priority 99 policy
Sep 13 16:04:03.215: ISAKMP:      life type in seconds
Sep 13 16:04:03.215: ISAKMP:      life duration (basic) of 3600
Sep 13 16:04:03.215: ISAKMP:      encryption 3DES-CBC
Sep 13 16:04:03.215: ISAKMP:      auth XAUTHInitPreShared
Sep 13 16:04:03.215: ISAKMP:      hash SHA
Sep 13 16:04:03.215: ISAKMP:      default group 2
Sep 13 16:04:03.215: ISAKMP (0:191): Encryption algorithm offered does not match policy!
Sep 13 16:04:03.215: ISAKMP (0:191): atts are not acceptable. Next payload is 3
Sep 13 16:04:03.215: ISAKMP (0:191): Checking ISAKMP transform 6 against priority 99 policy
Sep 13 16:04:03.215: ISAKMP:      life type in seconds
Sep 13 16:04:03.215: ISAKMP:      life duration (basic) of 3600
Sep 13 16:04:03.215: ISAKMP:      encryption 3DES-CBC
Sep 13 16:04:03.215: ISAKMP:      auth XAUTHInitPreShared
Sep 13 16:04:03.215: ISAKMP:      hash MD5
Sep 13 16:04:03.215: ISAKMP:      default group 2
Sep 13 16:04:03.215: ISAKMP (0:191): Encryption algorithm offered does not match policy!
Sep 13 16:04:03.215: ISAKMP (0:191): atts are not acceptable. Next payload is 3
Sep 13 16:04:03.215: ISAKMP (0:191): Checking ISAKMP transform 7 against priority 99 policy
Sep 13 16:04:03.215: ISAKMP:      life type in seconds
Sep 13 16:04:03.215: ISAKMP:      life duration (basic) of 3600
Sep 13 16:04:03.215: ISAKMP:      encryption DES-CBC
Sep 13 16:04:03.215: ISAKMP:      auth XAUTHInitPreShared
Sep 13 16:04:03.215: ISAKMP:      hash SHA
Sep 13 16:04:03.215: ISAKMP:      default group 2
Sep 13 16:04:03.215: ISAKMP (0:191): Encryption algorithm offered does not match policy!
Sep 13 16:04:03.215: ISAKMP (0:191): atts are not acceptable. Next payload is 3
Sep 13 16:04:03.215: ISAKMP (0:191): Checking ISAKMP transform 8 against priority 99 policy
Sep 13 16:04:03.215: ISAKMP:      life type in seconds
Sep 13 16:04:03.215: ISAKMP:      life duration (basic) of 3600
Sep 13 16:04:03.215: ISAKMP:      encryption DES-CBC
Sep 13 16:04:03.215: ISAKMP:      auth XAUTHInitPreShared
Sep 13 16:04:03.215: ISAKMP:      hash MD5
Sep 13 16:04:03.215: ISAKMP:      default group 2
Sep 13 16:04:03.215: ISAKMP (0:191): Encryption algorithm offered does not match policy!
Sep 13 16:04:03.215: ISAKMP (0:191): atts are not acceptable. Next payload is 0

ROUTER

crypto isakmp policy 99
encr aes 256
hash md5
authentication pre-share
group 2

Yudong Wu · ‎09-13-2010

The issue is related to "Xauth authentication by pre-shared key offered but does not match policy!"

Can you paste your configuration?

b.julin · ‎09-13-2010

It is likely that your Cisco is configured for L2TP/IPSec, not IPSec-ra with xauth, so you need to configure the OSX client that way too.

(Or is that log from the client? In which case, vice-versa.)