VPN Client Issue

Answered Question
Sep 29th, 2010

Hi Guys


I hope someone can help me with my issue:


Cisco IOS in use: advipservicesk9-mz.124-20.T

Router: Cisco 2851


I have a few site-to-site VPNs running in addition to the VPN client. All site-to-site VPNs have their own individual pre-shared keys, whereas the VPN client uses certificates.

I made a change for the site-to-site VPNs which includes the use of a generic pre-shared key (cry isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth) for all site-to-site tunnels instead of individual keys for each tunnel. After making the change, all site-to-site VPNs work perfectly fine, whereas the VPN client has stopped working, and the following logs are generated on the router (debug cry isakmp error).

129143: Sep 29 10:16:16.487 BST: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!
129144: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129145: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!
129146: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129147: Sep 29 10:16:16.487 BST: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
129148: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129149: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!
129150: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129151: Sep 29 10:16:16.487 BST: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!
129152: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129153: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!
129154: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x700C
129155: Sep 29 10:16:17.207 BST: ISAKMP:(1249):No IP address pool defined for ISAKMP!
129156: Sep 29 10:16:17.207 BST: ISAKMP:(1249):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer X.X.X.X)
129157: Sep 29 10:16:17.207 BST: ISAKMP (0/1249): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)
129158: Sep 29 10:16:17.207 BST: ISAKMP (0/1249): Unknown Attr: MODECFG_HOSTNAME (0x700A)
129159: Sep 29 10:16:17.215 BST: ISAKMP:(1249):deleting SA reason "Fail to allocate ip address" state (R) MM_NO_STATE (peer X.X.X.X)


129162: Sep 29 10:16:32.295 BST: ISAKMP(0:1250): Unable to get our DN from cert, using my FQDN as identity
129163: Sep 29 10:16:32.475 BST: ISAKMP(0:1251): Unable to get our DN from cert, using my FQDN as identity
129164: Sep 29 10:16:48.451 BST: ISAKMP(0:1252): Unable to get our DN from cert, using my FQDN as identity
129169: Sep 29 10:16:58.283 BST: ISAKMP(0:1253): Unable to get our DN from cert, using my FQDN as identity
129170: Sep 29 10:17:01.047 BST: ISAKMP(0:1254): Unable to get our DN from cert, using my FQDN as identity
129174: Sep 29 10:17:05.843 BST: ISAKMP(0:1255): Unable to get our DN from cert, using my FQDN as identity


Removing the generic pre-shared key makes the VPN client work again. Any help in this matter will be very helpful. Many thanks in advance.

Correct Answer by Jennifer Halim (Cisco Employee), Wed, 09/29/2010 - 04:39

Yes, when you use "cry isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth" with the no-xauth keyword, that breaks the remote access VPN client. While you need that for the LAN-to-LAN VPN tunnel, you can't have it for the VPN client.


There are 2 options:

1) Configure "cry isa key" individually for each LAN-to-LAN VPN tunnel.

2) Alternatively, you can configure an ISAKMP profile for LAN-to-LAN and a separate profile for the VPN client. Here is a sample configuration for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml


Hope that helps.

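The two options from the answer, written out as an added IOS configuration example (not from the original post or the linked Cisco document). The XXX key, the 198.51.100.x peers, the 192.0.2.x pool and every keyring, profile, certificate-map and AAA list name are placeholders; the point is that only the LAN-to-LAN peers are exempt from Xauth, while the client is selected by its certificate and keeps its group and pool:

```cisco
! Added example, not from the original post or the linked Cisco document.
! Placeholders: the XXX key, 198.51.100.x peers, 192.0.2.x pool, and every
! keyring/profile/map/AAA list name. Lines beginning "no " remove the
! setting the question describes.
!
! --- Before: one wildcard key with no-xauth. The VPN client's source address
! --- matches it too, so the router drops Xauth and never reaches the client
! --- group and address pool (hence "No IP address pool defined for ISAKMP!").
crypto isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth
!
! --- Option 1: per-peer keys, so only the LAN-to-LAN peers are no-xauth.
no crypto isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp key KEY-SITE-A address 198.51.100.10 no-xauth
crypto isakmp key KEY-SITE-B address 198.51.100.20 no-xauth
!
! --- Option 2: ISAKMP profiles. The wildcard key lives in a keyring that only
! --- the LAN-to-LAN profile references, so no-xauth is no longer needed;
! --- Xauth applies only where "client authentication list" is configured.
crypto keyring L2L-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key XXX
!
crypto isakmp profile L2L-PROFILE
 keyring L2L-KEYRING
 match identity address 0.0.0.0
!
! Select the remote-access client certificates by subject (placeholder OU).
crypto pki certificate map RA-CERTMAP 10
 subject-name co ou = vpnclients
!
aaa new-model
aaa authentication login RA-XAUTH local
aaa authorization network RA-GROUP local
!
crypto isakmp profile RA-PROFILE
 ca trust-point MY-TRUSTPOINT
 match certificate RA-CERTMAP
 client authentication list RA-XAUTH
 isakmp authorization list RA-GROUP
 client configuration address respond
!
! Group and pool returned to the client through RA-PROFILE.
ip local pool RA-POOL 192.0.2.10 192.0.2.100
crypto isakmp client configuration group vpnclients
 pool RA-POOL
!
! Bind the LAN-to-LAN crypto map entries to their profile (other lines unchanged).
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set isakmp-profile L2L-PROFILE
```

After applying either option, "debug cry isakmp error" should no longer show the "Xauth authentication by RSA offered but does not match policy!" and "No IP address pool defined for ISAKMP!" lines for the client peer.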