VPN Client Issue

synbureau
Level 1

Hi guys,

I hope someone can help me with my issue:

Cisco IOS in use: advipservicesk9-mz.124-20.T

Router: Cisco 2851

I have a few site-to-site VPNs running in addition to the VPN client. All site-to-site VPNs have their own individual pre-shared keys, whereas the VPN client uses certificates.

I made a change to the site-to-site VPNs which includes the use of a generic pre-shared key (cry isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth) for all site-to-site tunnels instead of individual keys for each tunnel. After making the change, all site-to-site VPNs work perfectly fine, whereas the VPN client has stopped working, and the following are the logs generated on the router (debug cry isakmp error).

129143: Sep 29 10:16:16.487 BST: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!

129144: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129145: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!

129146: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129147: Sep 29 10:16:16.487 BST: ISAKMP:(0):Diffie-Hellman group offered does not match policy!

129148: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129149: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!

129150: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129151: Sep 29 10:16:16.487 BST: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!

129152: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129153: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!

129154: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x700C

129155: Sep 29 10:16:17.207 BST: ISAKMP:(1249):No IP address pool defined for ISAKMP!

129156: Sep 29 10:16:17.207 BST: ISAKMP:(1249):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer X.X.X.X)

129157: Sep 29 10:16:17.207 BST: ISAKMP (0/1249): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)

129158: Sep 29 10:16:17.207 BST: ISAKMP (0/1249): Unknown Attr: MODECFG_HOSTNAME (0x700A)

129159: Sep 29 10:16:17.215 BST: ISAKMP:(1249):deleting SA reason "Fail to allocate ip address" state (R) MM_NO_STATE (peer X.X.X.X)


129162: Sep 29 10:16:32.295 BST: ISAKMP(0:1250): Unable to get our DN from cert, using my FQDN as identity

129163: Sep 29 10:16:32.475 BST: ISAKMP(0:1251): Unable to get our DN from cert, using my FQDN as identity

129164: Sep 29 10:16:48.451 BST: ISAKMP(0:1252): Unable to get our DN from cert, using my FQDN as identity

129169: Sep 29 10:16:58.283 BST: ISAKMP(0:1253): Unable to get our DN from cert, using my FQDN as identity

129170: Sep 29 10:17:01.047 BST: ISAKMP(0:1254): Unable to get our DN from cert, using my FQDN as identity

129174: Sep 29 10:17:05.843 BST: ISAKMP(0:1255): Unable to get our DN from cert, using my FQDN as identity

Removing the generic pre-shared key makes the VPN client work again. Any help in this matter would be very helpful. Many thanks in advance.

Accepted Solution

Jennifer Halim
Cisco Employee

Yes, when you use "cry isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth" with the no-xauth keyword, that breaks the remote access VPN client. While you need that for the LAN-to-LAN VPN tunnel, you can't have that for the VPN client.

There are 2 options:

1) Configure "cry isa key" individually for the LAN-to-LAN VPN tunnels

2) Alternatively, you can configure an ISAKMP profile for LAN-to-LAN and a separate profile for the VPN client. Here is a sample configuration for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Hope that helps.
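A sketch of option 2 in IOS syntax, added here as an example; it is not the poster's configuration and not the content of the linked Cisco document. Names in angle brackets are placeholders, the pool range and profile names are constructed, and the AAA lists are assumed to already exist.

```cisco
! Added example (not the poster's config or the linked Cisco document).
! Angle-bracket names are placeholders; the pool range is constructed.
!
! The global entry from the question also matches remote-access clients, so
! Xauth/mode-config are skipped for them and address assignment fails:
!   crypto isakmp key <L2L-PSK> address 0.0.0.0 0.0.0.0 no-xauth
!
! Instead, scope the wildcard key to a keyring and a site-to-site profile.
crypto keyring L2L-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key <L2L-PSK>
!
crypto isakmp profile L2L-PROFILE
 keyring L2L-KEYRING
 match identity address 0.0.0.0 0.0.0.0
! No "client authentication list" here, so Xauth is never requested from
! site-to-site peers and the no-xauth keyword is unnecessary.
!
! Certificate-authenticated VPN clients get their own profile. With
! certificates the group name is taken from the OU of the client certificate.
ip local pool RA-POOL 10.10.10.1 10.10.10.50
!
crypto isakmp client configuration group <CLIENT-GROUP-OU>
 pool RA-POOL
!
crypto isakmp profile RA-PROFILE
 ca trust-point <TRUSTPOINT>
 match identity group <CLIENT-GROUP-OU>
 client authentication list <XAUTH-AAA-LIST>
 isakmp authorization list <GROUP-AAA-LIST>
 client configuration address respond
!
! Bind each profile to its own crypto map entry so the right one is applied.
crypto dynamic-map RA-DYNMAP 10
 set transform-set <TRANSFORM-SET>
 set isakmp-profile RA-PROFILE
 reverse-route
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer <L2L-PEER-IP>
 set transform-set <TRANSFORM-SET>
 set isakmp-profile L2L-PROFILE
 match address <L2L-ACL>
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYNMAP
```

After applying this, re-run the same debug crypto isakmp and confirm a client negotiation is matched to RA-PROFILE instead of producing the Xauth and "No IP address pool defined" errors shown above.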

Thanks Jennifer. That solved the problem.