
VPN client doesn't work

Unanswered Question
Oct 9th, 2003
Hi, I have an 837 router and I want a PC with the Easy Remote VPN client to be able to connect to it.


The client is 3.6.4(A) and the router has the version 12.2(4)YA3 flash:c820-k9osy6-mz.122-4.YA3.bin



I have turned on debug crypto isakmp and see things like this:


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 3 against priority 12 policy


04:21:33: ISAKMP: encryption... What? 7?


04:21:33: ISAKMP: hash SHA


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth pre-share


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP: attribute 14


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 12 policy


04:21:33: ISAKMP: encryption... What? 7?


04:21:33: ISAKMP: hash MD5


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth pre-share


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP: attribute 14


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 5 against priority 12 policy


04:21:33: ISAKMP: encryption... What? 7?


04:21:33: ISAKMP: hash SHA


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth XAUTHInitPreShared


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP: attribute 14


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 12 policy


04:21:33: ISAKMP: encryption... What? 7?


04:21:33: ISAKMP: hash MD5


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth XAUTHInitPreShared


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP: attribute 14


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 7 against priority 12 policy


04:21:33: ISAKMP: encryption... What? 7?


04:21:33: ISAKMP: hash SHA


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth pre-share


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP: attribute 14


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 8 against priority 12 policy


04:21:33: ISAKMP: encryption... What? 7?


04:21:33: ISAKMP: hash MD5


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth pre-share


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP: attribute 14


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 9 against priority 12 policy


04:21:33: ISAKMP: encryption 3DES-CBC


04:21:33: ISAKMP: hash SHA


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth XAUTHInitPreShared


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 10 against priority 12 policy


04:21:33: ISAKMP: encryption 3DES-CBC


04:21:33: ISAKMP: hash MD5


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth XAUTHInitPreShared


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 11 against priority 12 policy


04:21:33: ISAKMP: encryption 3DES-CBC


04:21:33: ISAKMP: hash SHA


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth pre-share


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 12 against priority 12 policy


04:21:33: ISAKMP: encryption 3DES-CBC


04:21:33: ISAKMP: hash MD5


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth pre-share


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 13 against priority 12 policy


04:21:33: ISAKMP: encryption DES-CBC


04:21:33: ISAKMP: hash MD5


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth XAUTHInitPreShared


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP (0:3): Xauth authentication by pre-shared key offered but does not match policy!


04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3


04:21:33: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 12 policy


04:21:33: ISAKMP: encryption DES-CBC


04:21:33: ISAKMP: hash MD5


04:21:33: ISAKMP: default group 2


04:21:33: ISAKMP: auth pre-share


04:21:33: ISAKMP: life type in seconds


04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B


04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match policy!




The client tells me this:


Initializing the connection...


Contacting the gateway at 12.81.27.2...


Remote peer is no longer responding.




And the IPsec log tells me this:




19 23:18:32.530 10/08/03 Sev=Warning/2 IKE/0xE300007C


Exceeded 3 IKE SA negotiation retransmits... peer is not responding




20 23:18:32.580 10/08/03 Sev=Warning/3 DIALER/0xE3300008


GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).






I don't know why it doesn't work, can anybody help me please?


Many thanks in advance


This is the configuration of the router




Router_Adsl#sh run


Building configuration...




Current configuration : 3102 bytes


!


version 12.2


no service pad


hostname Router_Adsl

logging queue-limit 100


username cisco password 0 cisco

aaa new-model


aaa authorization network administradores local


aaa session-id common


ip subnet-zero


ip domain name racing.es


ip audit notify log


ip audit po max-events 100


no ftp-server write-enable


!


crypto isakmp policy 12


encr des


authentication pre-share


hash md5


group 2




crypto isakmp policy 14


encr des


authentication pre-share


hash sha


group 5


!


!


crypto isakmp client configuration group administradores


key 0 racing


dns 192.168.200.2


domain racing.es


pool mipool


crypto ipsec transform-set mitrans esp-3des esp-sha-hmac


!


crypto dynamic-map mapadinamico 20


set transform-set mitrans


reverse-route


!


!


crypto map mapaestatico isakmp authorization list administradores


crypto map mapaestatico client configuration address respond


crypto map mapaestatico 10 ipsec-isakmp dynamic mapadinamico


interface Loopback0


ip address 12.81.27.2 255.255.255.255


!


interface Ethernet0


ip address 192.168.200.251 255.255.255.0


ip nat inside


no ip route-cache


no ip mroute-cache


crypto map mapaestatico


hold-queue 100 out


!


interface ATM0


no ip address


no ip route-cache


no ip mroute-cache


no atm ilmi-keepalive


bundle-enable


dsl operating-mode auto


hold-queue 224 in


!


interface ATM0.1 point-to-point


ip address 10.0.80.9 255.255.255.252


ip access-group 100 in


ip nat outside


no ip route-cache


no ip mroute-cache


pvc 1/32


protocol ip 10.0.80.10 broadcast


vbr-nrt 384 384 32


encapsulation aal5mux ip


ip local pool mipool 192.168.200.218 192.168.200.220


ip nat inside source list 1 interface Loopback0 overload




ip classless


ip route 0.0.0.0 0.0.0.0 10.0.80.10


access-list 1 permit 192.168.200.0 0.0.0.255


radius-server authorization permit missing Service-Type


!

scheduler max-task-time 5000


end


d-garnett Thu, 10/09/2003 - 11:09
If you are trying to do Xauth, try:


crypto map mapaestatico client authentication local


Without that, that's why this happens:


04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match policy!


The Cisco Client wants Xauth but it's not configured on the router.




Also, try falling back to an earlier version of the VPN Client software. Either that or upgrade the IOS code to the latest version. I had the same problem with Client version 4 and 3.6.3 when connecting to an IOS router until I fell back to Client version 3.5.1.


The newer clients may have support for protocols that the IOS box doesn't understand (i.e. AES).


Also turn on debugging in your client software.



p.s. here's a good link

http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns27/networking_solutions_white_paper09186a0080186fcf.shtml

good luck
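
A long `debug crypto isakmp` trace like the one in the question is easier to read when every offered transform is reduced to its attributes and the reason the router logged for rejecting it. The script below is an added example, not part of the original thread; the function names are hypothetical and the sample is an excerpt of the question's own log (transforms 8 and 13).

```python
import re

# Excerpt of the debug output quoted in the question (transforms 8 and 13);
# lifetime and "attribute 14" lines omitted, the wrapped Xauth line rejoined.
SAMPLE = """\
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 8 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 13 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP (0:3): Xauth authentication by pre-shared key offered but does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
# The optional "..." covers the "encryption... What? 7?" form printed for an unknown cipher id.
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)(?:\.\.\.)?\s+(.+)$")
REJECT = re.compile(r"ISAKMP \(\d+:\d+\):\s+(.+does not match policy!)")

def parse_transforms(log):
    # One dict per "Checking ISAKMP transform" block, in log order.
    transforms, current = [], None
    for line in log.splitlines():
        m = CHECK.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)), "reason": None}
            transforms.append(current)
        elif current is not None:
            a, r = ATTR.search(line), REJECT.search(line)
            if a:
                current[a.group(1)] = a.group(2).strip()
            elif r:
                current["reason"] = r.group(1)
    return transforms

def rejection_summary(log):
    # Map each logged rejection reason to the transform numbers it applies to.
    summary = {}
    for t in parse_transforms(log):
        summary.setdefault(t["reason"] or "no rejection logged", []).append(t["transform"])
    return summary
```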
