08-21-2003 04:22 PM - edited 02-21-2020 12:44 PM
Hi,
I am trying to set up a Client VPN for our office. I currently have two 1720s configured as a VPN and want to add Client VPN to one of them for remote services.
Below is the debug and config. Any help would be greatly appreciated. Thanks....
DEBUG
ISAKMP (0:0): received packet from 12.252.*.* dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 12.252.*.*, peer port 500
ISAKMP: Locking peer struct 0x81F1D288, IKE refcount 1 for crypto_ikmp_config_initialize_sa
ISAKMP (0:0): Setting client config settings 819BB8C4
ISAKMP (0:0): (Re)Setting client xauth list and state
ISAKMP: local port 500, remote port 500
ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 821A06B8
ISAKMP (0:8): processing SA payload. message ID = 0
ISAKMP (0:8): processing ID payload. message ID = 0
ISAKMP (0:8): peer matches *none* of the profiles
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID seems Unity/DPD but major 215 mismatch
ISAKMP (0:8): vendor ID is XAUTH
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID is DPD
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP (0:8): vendor ID is NAT-T v2
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID seems Unity/DPD but major 194 mismatch
ISAKMP (0:8): processing vendor id payload
ISAKMP (0:8): vendor ID is Unity
ISAKMP (0:8) Authentication by xauth preshared
ISAKMP (0:8): Checking ISAKMP transform 1 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 2 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 3 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 4 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 5 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 128
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 6 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 128
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 7 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP: keylength of 128
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): atts are not acceptable. Next payload is 3
ISAKMP (0:8): Checking ISAKMP transform 8 against priority 3 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:8): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
ISAKMP: got callback 1
ISAKMP (0:8): incrementing error counter on sa: construct_fail_ag_init
CONFIG:
Building configuration...
Current configuration : 4177 bytes
!
! Last configuration change at 14:21:11 MST Thu Aug 21 2003 by zehren
! NVRAM config last updated at 14:21:43 MST Thu Aug 21 2003 by zehren
!
version 12.3
no parser cache
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Blahrouter
!
logging buffered 10000 debugging
no logging console
enable password xxxxx
!
username ******* password 7 ******************
memory-size iomem 15
clock timezone MST -7
aaa new-model
!
!
aaa authentication login userlist local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip name-server 192.168.1.3
!
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 30
ip audit signature 1107 disable
ip audit signature 2000 disable
ip audit signature 2004 disable
ip audit signature 4050 disable
ip audit name zehren-audit info action alarm
ip audit name zehren-audit attack action alarm drop reset
ip ssh break-string
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ******* address 66.13.*.* no-xauth
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group groupauthor
key *************
dns 192.168.1.3
wins 192.168.1.2
domain *****.com
pool ippool
!
!
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
!
!
crypto dynamic-map clientmap 2
set transform-set 3desmd5
!
!
crypto map clientmap client authentication list userlist
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 66.13.*.*
set transform-set 3desmd5
match address 100
crypto map clientmap 2 ipsec-isakmp dynamic clientmap
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip broadcast-address 1.1.1.255
!
interface Ethernet0
description connected to Internet
ip address 65.38.*.* 255.255.255.252
ip broadcast-address 65.38.*.*
ip access-group 101 in
ip nat outside
ip audit zehren-audit in
no ip route-cache
no ip mroute-cache
half-duplex
crypto map clientmap
!
interface FastEthernet0
description connected to Avon Office
ip address 192.168.1.1 255.255.255.0
ip broadcast-address 192.168.1.255
ip nat inside
ip policy route-map nonat2
speed auto
!
ip local pool ippool 192.168.1.100 192.168.1.150
ip nat pool VailRouter-natpool-1 65.38.*.* 65.38.*.* netmask 255.255.255.252
ip nat inside source route-map nonat pool VailRouter-natpool-1 overload
ip nat inside source static tcp 192.168.1.2 21 65.38.*.* 21 extendable
ip nat inside source static tcp 192.168.1.2 25 65.38.*.* 25 extendable
ip nat inside source static tcp 192.168.1.2 110 65.38.*.* 110 extendable
ip nat inside source static tcp 192.168.1.26 5631 65.38.*.* 5631 extendable
ip nat inside source static udp 192.168.1.26 5632 65.38.*.* 5632 extendable
ip nat inside source static tcp 192.168.1.26 8080 65.38.*.* 8080 extendable
ip nat inside source static tcp 192.168.1.2 80 65.38.*.* 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 65.38.*.*
ip route 192.168.2.0 255.255.255.0 Ethernet0 permanent
no ip http server
no ip http secure-server
!
!
logging history debugging
logging trap debugging
logging 192.168.1.26
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
snmp-server community public RO
snmp-server location Avon Colorado
snmp-server enable traps tty
!
route-map nonat2 permit 10
match ip address 120
set ip next-hop 1.1.1.2
!
route-map nonat permit 10
match ip address 110
!
!
line con 0
exec-timeout 0 0
password xxxx
speed 115200
line aux 0
line vty 0 4
password xxxx
line vty 5 15
!
no scheduler allocate
ntp clock-period 17179994
ntp server 192.168.1.3
!
end
08-23-2003 02:03 PM
Hi,
Looks like the client is wanting AES as the encryption algorithm and you're offering 3des only on the router. You're running 12.3 on the router so you should (I may be wrong) be able to change from 3des to aes.
Give that a shot..hope that helps.
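To check that diagnosis mechanically, here is an added example (not code from the original thread or from Cisco) that pulls the phase-1 transforms the client offered out of `debug crypto isakmp` output, compares them with the router's `crypto isakmp policy` stanzas using the IOS defaults for omitted lines, and prints the stanza that would make the strongest offer match. The debug excerpt and the two configs embedded in it are constructed to mirror the post; the function names and the ranking used to pick the suggested policy are this example's own assumptions.

```python
"""Match the IKE phase-1 proposals a VPN client offered (as printed by
`debug crypto isakmp`) against a router's `crypto isakmp policy` stanzas.
Added example, not code from the original thread or from Cisco; the debug
excerpt and configs below are constructed from the post, and the function
names and the ranking in suggest_policy() are this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    encr: str   # "aes-256", "aes-128", "3des", "des"
    hash: str   # "sha" or "md5"
    auth: str   # "pre-share", "xauth-pre-share", "rsa-sig"
    group: int  # Diffie-Hellman group


_ENCR = {"AES-CBC": "aes", "3DES-CBC": "3des", "DES-CBC": "des"}
_AUTH = {"XAUTHInitPreShared": "xauth-pre-share", "pre-share": "pre-share",
         "rsa-sig": "rsa-sig"}
_ENCR_RANK = {"aes-256": 5, "aes-192": 4, "aes-128": 3, "3des": 2, "des": 1}
_POLICY_KEYS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}


def parse_debug(text: str) -> List[Proposal]:
    """One Proposal per 'Checking ISAKMP transform N' block in the debug."""
    offers: List[Proposal] = []
    header = r"Checking ISAKMP transform \d+ against priority \d+ policy"
    for chunk in re.split(header, text)[1:]:
        enc = re.search(r"ISAKMP:\s+encryption (\S+)", chunk)
        hsh = re.search(r"ISAKMP:\s+hash (\S+)", chunk)
        grp = re.search(r"ISAKMP:\s+default group (\d+)", chunk)
        ath = re.search(r"ISAKMP:\s+auth (\S+)", chunk)
        key = re.search(r"ISAKMP:\s+keylength of (\d+)", chunk)
        if not (enc and hsh and grp and ath):
            continue  # truncated block: skip it rather than guess
        encr = _ENCR.get(enc.group(1), enc.group(1).lower())
        if encr == "aes":  # no keylength line: assume 128, the IOS 'encr aes' default
            encr = f"aes-{key.group(1) if key else 128}"
        offers.append(Proposal(encr, hsh.group(1).lower(),
                               _AUTH.get(ath.group(1), ath.group(1).lower()),
                               int(grp.group(1))))
    return offers


def parse_policies(config: str) -> Dict[int, Proposal]:
    """Priority -> Proposal, applying the IOS defaults (des, sha, rsa-sig,
    group 1) for any line a stanza omits.  Works with or without indentation,
    since pasted configs often lose it."""
    policies: Dict[int, dict] = {}
    cur = None
    for raw in config.splitlines():
        tok = raw.split()
        m = re.match(r"crypto isakmp policy (\d+)$", raw.strip())
        if m:
            cur = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": 1}
            policies[int(m.group(1))] = cur
            continue
        if cur is None or not tok or tok[0] not in _POLICY_KEYS:
            cur = None  # "!" or an unrelated command ends the stanza
            continue
        if tok[0] in ("encr", "encryption"):
            cur["encr"] = (f"aes-{tok[2] if len(tok) > 2 else 128}"
                           if tok[1] == "aes" else tok[1])
        elif tok[0] == "hash":
            cur["hash"] = tok[1]
        elif tok[0] == "authentication":
            cur["auth"] = tok[1]
        elif tok[0] == "group":
            cur["group"] = int(tok[1])
    return {p: Proposal(**d) for p, d in policies.items()}


def _auth_ok(offered: str, configured: str) -> bool:
    # A client offering XAUTH over a pre-shared key is accepted by an
    # 'authentication pre-share' policy: the post's debug checks
    # XAUTHInitPreShared against policy 3 and only objects to the cipher.
    return offered == configured or (configured == "pre-share"
                                     and offered == "xauth-pre-share")


def find_match(offers: List[Proposal],
               policies: Dict[int, Proposal]) -> Optional[Tuple[int, Proposal]]:
    """First (priority, offer) that agrees on cipher, hash, group and auth,
    trying policies lowest priority number first as IOS does."""
    for prio in sorted(policies):
        pol = policies[prio]
        for off in offers:
            if ((off.encr, off.hash, off.group) == (pol.encr, pol.hash, pol.group)
                    and _auth_ok(off.auth, pol.auth)):
                return prio, off
    return None


def suggest_policy(offers: List[Proposal], priority: int = 1) -> str:
    """Stanza for the strongest offer (AES-256 over AES-128 over 3DES,
    SHA over MD5, larger DH group); this ranking is the example's own."""
    best = max(offers, key=lambda p: (_ENCR_RANK.get(p.encr, 0),
                                      p.hash == "sha", p.group))
    encr = best.encr.replace("aes-", "aes ") if best.encr.startswith("aes-") else best.encr
    auth = "pre-share" if best.auth == "xauth-pre-share" else best.auth
    return "\n".join([f"crypto isakmp policy {priority}", f" encr {encr}",
                      f" hash {best.hash}", f" authentication {auth}",
                      f" group {best.group}"])


# Constructed sample in the shape of the thread's debug (transforms 1, 3 and a
# truncated 8) and of its two policies, plus the same config with AES added.
DEBUG = """\
ISAKMP (0:8): Checking ISAKMP transform 1 against priority 3 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): Checking ISAKMP transform 3 against priority 3 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      keylength of 256
ISAKMP (0:8): Encryption algorithm offered does not match policy!
ISAKMP (0:8): Checking ISAKMP transform 8 against priority 3 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
"""
BROKEN = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
"""
FIXED = ("crypto isakmp policy 1\n encr aes 256\n hash sha\n"
         " authentication pre-share\n group 2\n!\n" + BROKEN)

if __name__ == "__main__":
    offers = parse_debug(DEBUG)
    print("client offered:", *offers, sep="\n  ")
    print("match against current config:", find_match(offers, parse_policies(BROKEN)))
    print("suggested stanza:\n" + suggest_policy(offers))
    print("match after adding it:", find_match(offers, parse_policies(FIXED)))
```

Run as a script it lists the three offers, reports no match against the current policies (3des/md5 and the des default of policy 10), prints an `encr aes 256` / `hash sha` / `group 2` stanza, and then shows policy 1 matching the client's first transform. Two points a practitioner would want: adding a new, lower-numbered policy rather than editing policy 3 leaves the stanza the existing 66.13.*.* peer may be negotiating with untouched, and a phase-1 match is only half the job, since phase 2 is negotiated separately against the `crypto ipsec transform-set`.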
08-23-2003 11:52 PM
Thank You for the reply. I will give that a try.