Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
285
Views
0
Helpful
1
Replies

VPN client doesn't work

pgasol
Level 1
Level 1

‎10-09-2003 05:39 AM - edited ‎02-21-2020 12:49 PM

Hi, I have a router 837 and I want that a PC with Easy remote VPN client can connect to it.

The client is 3.6.4(A) and the router has the version 12.2(4)YA3 flash:c820-k9osy6-mz.122-4.YA3.bin

I have put debug crypto isakmp and see things like this:

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 3 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 5 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 7 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 8 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 9 against priority 12 policy

04:21:33: ISAKMP: encryption 3DES-CBC

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 10 against priority 12 policy

04:21:33: ISAKMP: encryption 3DES-CBC

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 11 against priority 12 policy

04:21:33: ISAKMP: encryption 3DES-CBC

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 12 against priority 12 policy

04:21:33: ISAKMP: encryption 3DES-CBC

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 13 against priority 12 policy

04:21:33: ISAKMP: encryption DES-CBC

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Xauth authentication by pre-shared key offered but does

not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 12 policy

04:21:33: ISAKMP: encryption DES-CBC

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match poli

cy!

The client tell me this:

Initializing the connection...

Contacting the gateway at 12.81.27.2...

Remote peer is no longer responding.

And the Ipsec log tell me this:

19 23:18:32.530 10/08/03 Sev=Warning/2 IKE/0xE300007C

Exceeded 3 IKE SA negotiation retransmits... peer is not responding

20 23:18:32.580 10/08/03 Sev=Warning/3 DIALER/0xE3300008

GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).

I don't know why it doesn't work, can anybody help me please?

Many thanks in advance

This is the configuration of the router

Router_Adsl#sh run

Building configuration...

Current configuration : 3102 bytes

!

version 12.2

no service pad

hostname Router_Adsl

logging queue-limit 100

username cisco password 0 cisco

aaa new-model

aaa authorization network administradores local

aaa session-id common

ip subnet-zero

ip domain name racing.es

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

crypto isakmp policy 12

encr des

authentication pre-share

hash md5

group 2

crypto isakmp policy 14

encr des

authentication pre-share

hash sha

group 5

!

!

crypto isakmp client configuration group administradores

key 0 racing

dns 192.168.200.2

domain racing.es

pool mipool

crypto ipsec transform-set mitrans esp-3des esp-sha-hmac

!

crypto dynamic-map mapadinamico 20

set transform-set mitrans

reverse-route

!

!

crypto map mapaestatico isakmp authorization list administradores

crypto map mapaestatico client configuration address respond

crypto map mapaestatico 10 ipsec-isakmp dynamic mapadinamico

interface Loopback0

ip address 12.81.27.2 255.255.255.255

!

interface Ethernet0

ip address 192.168.200.251 255.255.255.0

ip nat inside

no ip route-cache

no ip mroute-cache

crypto map mapaestatico

hold-queue 100 out

!

interface ATM0

no ip address

no ip route-cache

no ip mroute-cache

no atm ilmi-keepalive

bundle-enable

dsl operating-mode auto

hold-queue 224 in

!

interface ATM0.1 point-to-point

ip address 10.0.80.9 255.255.255.252

ip access-group 100 in

ip nat outside

no ip route-cache

no ip mroute-cache

pvc 1/32

protocol ip 10.0.80.10 broadcast

vbr-nrt 384 384 32

encapsulation aal5mux ip

ip local pool mipool 192.168.200.218 192.168.200.220

ip nat inside source list 1 interface Loopback0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 10.0.80.10

access-list 1 permit 192.168.200.0 0.0.0.255

radius-server authorization permit missing Service-Type

!

scheduler max-task-time 5000

end

Labels:
0 Helpful
1 Reply 1

d-garnett
Level 3
Level 3

‎10-09-2003 11:09 AM

if you are trying to do Xauth try,

crypto map mapaestatico client authentication local

without that, thats why this happens:

04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match policy!

the Cisco Client wants Xauth but its not configed on the router

also

try falling back to an earlier version of the VPN Client software. Either that or upgrade the IOS code to the latest version. I had the same problem with Client version 4 and 3.6.3 when connecting to an IOS router until fell back Client version 3.5.1

The newer clients may have support for protocols that the IOS box doesnt understand (ie AES).

Also turn on debugging in your client software

p.s. here's a good link

http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns27/networking_solutions_white_paper09186a0080186fcf.shtml

good luck

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents