Phase 1 VPN Client 4.0 to a 1720 Router troubles....

Unanswered Question
Aug 21st, 2003

Hi,


I am trying to set up a Client VPN for our office. I currently have two 1720s configured as a VPN and want to add Client VPN to one of them for remote services.

Below is the debug and config. Any help would be greatly appreciated. Thanks....


DEBUG


ISAKMP (0:0): received packet from 12.252.*.* dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 12.252.*.*, peer port 500
ISAKMP: Locking peer struct 0x81F1D288, IKE refcount 1 for crypto_ikmp_config_initialize_sa
ISAKMP (0:0): Setting client config settings 819BB8C4
ISAKMP (0:0): (Re)Setting client xauth list and state
ISAKMP: local port 500, remote port 500
ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 821A06B8
ISAKMP (0:8): processing SA payload. message ID = 0
ISAKMP (0:8): processing ID payload. message ID = 0
ISAKMP (0:8): peer matches *none* of the profiles
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID seems Unity/DPD but major 215 mismatch
ISAKMP (0:8): vendor ID is XAUTH
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID is DPD
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP (0:8): vendor ID is NAT-T v2
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID seems Unity/DPD but major 194 mismatch
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID is Unity
ISAKMP (0:8) Authentication by xauth preshared
ISAKMP (0:8): Checking ISAKMP transform 1 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 2 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 3 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 4 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 5 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 128
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 6 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 128
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 7 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 128
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 8 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:8): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
ISAKMP: got callback 1
ISAKMP (0:8): incrementing error counter on sa: construct_fail_ag_init

CONFIG:

Building configuration...

Current configuration : 4177 bytes
!
! Last configuration change at 14:21:11 MST Thu Aug 21 2003 by zehren
! NVRAM config last updated at 14:21:43 MST Thu Aug 21 2003 by zehren
!
version 12.3
no parser cache
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Blahrouter
!
logging buffered 10000 debugging
no logging console
enable password xxxxx
!
username ******* password 7 ******************
memory-size iomem 15
clock timezone MST -7
aaa new-model
!
!
aaa authentication login userlist local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip name-server 192.168.1.3
!
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 30
ip audit signature 1107 disable
ip audit signature 2000 disable
ip audit signature 2004 disable
ip audit signature 4050 disable
ip audit name zehren-audit info action alarm
ip audit name zehren-audit attack action alarm drop reset
ip ssh break-string
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ******* address 66.13.*.* no-xauth
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group groupauthor
key *************
dns 192.168.1.3
wins 192.168.1.2
domain *****.com
pool ippool
!
!
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
!
!
crypto dynamic-map clientmap 2
set transform-set 3desmd5
!
!
crypto map clientmap client authentication list userlist
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 66.13.*.*
set transform-set 3desmd5
match address 100
crypto map clientmap 2 ipsec-isakmp dynamic clientmap
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip broadcast-address 1.1.1.255
!
interface Ethernet0
description connected to Internet
ip address 65.38.*.* 255.255.255.252
ip broadcast-address 65.38.*.*
ip access-group 101 in
ip nat outside
ip audit zehren-audit in
no ip route-cache
no ip mroute-cache
half-duplex
crypto map clientmap
!
interface FastEthernet0
description connected to Avon Office
ip address 192.168.1.1 255.255.255.0
ip broadcast-address 192.168.1.255
ip nat inside
ip policy route-map nonat2
speed auto
!
ip local pool ippool 192.168.1.100 192.168.1.150
ip nat pool VailRouter-natpool-1 65.38.*.* 65.38.*.* netmask 255.255.255.252
ip nat inside source route-map nonat pool VailRouter-natpool-1 overload
ip nat inside source static tcp 192.168.1.2 21 65.38.*.* 21 extendable
ip nat inside source static tcp 192.168.1.2 25 65.38.*.* 25 extendable
ip nat inside source static tcp 192.168.1.2 110 65.38.*.* 110 extendable
ip nat inside source static tcp 192.168.1.26 5631 65.38.*.* 5631 extendable
ip nat inside source static udp 192.168.1.26 5632 65.38.*.* 5632 extendable
ip nat inside source static tcp 192.168.1.26 8080 65.38.*.* 8080 extendable
ip nat inside source static tcp 192.168.1.2 80 65.38.*.* 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 65.38.*.*
ip route 192.168.2.0 255.255.255.0 Ethernet0 permanent
no ip http server
no ip http secure-server
!
!
logging history debugging
logging trap debugging
logging 192.168.1.26
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
snmp-server community public RO
snmp-server location Avon Colorado
snmp-server enable traps tty
!
route-map nonat2 permit 10
match ip address 120
set ip next-hop 1.1.1.2
!
route-map nonat permit 10
match ip address 110
!
!
line con 0
exec-timeout 0 0
password xxxx
speed 115200
line aux 0
line vty 0 4
password xxxx
line vty 5 15
!
no scheduler allocate
ntp clock-period 17179994
ntp server 192.168.1.3
!
end


mike-greene Sat, 08/23/2003 - 14:03

Hi,

Looks like the client is wanting AES as the encryption algorithm and you're offering 3DES only on the router. You're running 12.3 on the router, so you should (I may be wrong) be able to change from 3DES to AES.


Give that a shot... hope that helps.
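Added example, not from the thread or from Cisco: a small Python checker that reads the kind of `debug crypto isakmp` output and `crypto isakmp policy` blocks shown in the original post and reports, for each transform the client offered, which attribute the router's policies reject. The sample log and config strings are condensed from the post (transforms 1 and 4, policies 3 and 10). Assumptions that are mine, not the page's: the IOS defaults used when a policy omits an attribute (DES, SHA, RSA signatures, group 1); that a policy with `authentication pre-share` accepts the client's XAUTHInitPreShared offer once the crypto map carries a client authentication list (the post's debug line "Authentication by xauth preshared" is consistent with that); that attributes are compared in the order the debug prints them, encryption first; and that the candidate `encr aes 256` policy is available on the 12.3 image in use, which the router must be checked for. The candidate policy pairs AES-256 with SHA rather than MD5, so it matches the client's first (strongest) transform.

```python
"""Find which ISAKMP policy attribute rejects each client transform.
Added example; sample data below is condensed from the forum post."""
import re

# IOS defaults for attributes a policy does not state (assumption).
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1"}
ENC_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
AUTH_NAMES = {"pre-share": "pre-share", "XAUTHInitPreShared": "xauth-pre-share"}

# Constructed sample: transforms 1 and 4 from the posted debug.
DEBUG_LOG = """\
ISAKMP (0:8): Checking ISAKMP transform 1 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): Checking ISAKMP transform 4 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: keylength of 256
"""

# The two policies from the posted config.
ROUTER_CONFIG = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
"""

# Candidate fix (assumption: the 12.3 image supports `encr aes`).
FIXED_CONFIG = ROUTER_CONFIG + """\
!
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
"""


def parse_policies(config):
    """Map policy priority -> attributes, filling IOS defaults."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(IOS_DEFAULTS)
            policies[int(m.group(1))] = current
        elif line == "!" or line.startswith("crypto "):
            current = None  # left the policy block
        elif current is not None:
            key, _, value = line.partition(" ")
            key = {"authentication": "auth"}.get(key, key)
            if key in current:
                current[key] = value  # e.g. "3des", "aes 256", "md5"
    return policies


def parse_offers(log):
    """Collect each transform the client offered, from the debug lines."""
    offers, cur = [], None
    for line in log.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+)", line)
        if m:
            cur = {"transform": int(m.group(1)), "keylength": None}
            offers.append(cur)
            continue
        m = re.match(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of) (\S+)", line)
        if m and cur is not None:
            field, value = m.groups()
            if field == "encryption":
                cur["encr"] = ENC_NAMES.get(value, value.lower())
            elif field == "hash":
                cur["hash"] = value.lower()
            elif field == "default group":
                cur["group"] = value
            elif field == "auth":
                cur["auth"] = AUTH_NAMES.get(value, value)
            else:
                cur["keylength"] = value
    return offers


def _encr(name, keylength=None):
    """Normalise AES to 'aes <bits>' (IOS `encr aes` alone means 128)."""
    return f"aes {keylength or 128}" if name == "aes" else name


def check(offer, policy):
    """None if the policy accepts the offer, else the first failing attribute,
    compared in the order the debug reports them (encryption first)."""
    if _encr(offer["encr"], offer["keylength"]) != _encr(*policy["encr"].split()):
        return "encryption"
    if offer["hash"] != policy["hash"]:
        return "hash"
    # Assumption: with a client authentication list on the crypto map, IOS
    # accepts the XAUTH-initiator-preshared offer against `pre-share`.
    ok_auth = {"pre-share", "xauth-pre-share"} if policy["auth"] == "pre-share" else {policy["auth"]}
    if offer["auth"] not in ok_auth:
        return "authentication"
    if offer["group"] != policy["group"]:
        return "group"
    return None


def first_match(log, config):
    """(transform, priority) of the first acceptable pair, walking policies in
    priority order, or None when Phase 1 cannot succeed with this config."""
    policies, offers = parse_policies(config), parse_offers(log)
    for prio in sorted(policies):
        for offer in offers:
            if check(offer, policies[prio]) is None:
                return offer["transform"], prio
    return None


if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER_CONFIG), ("with AES policy", FIXED_CONFIG)):
        print(label, "->", first_match(DEBUG_LOG, cfg))
```

Run against the posted policies every transform fails on encryption, which is exactly the debug's "Encryption algorithm offered does not match policy!"; with the candidate AES/SHA policy added, transform 1 is accepted under priority 1 and the router would proceed to XAUTH. The checker does not model lifetime negotiation, which IOS handles separately and which is not what fails here.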

tonydag Sat, 08/23/2003 - 23:52

Thank You for the reply. I will give that a try.
