10-09-2003 05:39 AM - edited 02-21-2020 12:49 PM
Hi, I have an 837 router and I want a PC with the Easy Remote VPN client to be able to connect to it.
The client is 3.6.4(A) and the router has the version 12.2(4)YA3 flash:c820-k9osy6-mz.122-4.YA3.bin
I have turned on debug crypto isakmp and see things like this:
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 3 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 5 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 7 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 8 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 9 against priority 12 policy
04:21:33: ISAKMP: encryption 3DES-CBC
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 10 against priority 12 policy
04:21:33: ISAKMP: encryption 3DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 11 against priority 12 policy
04:21:33: ISAKMP: encryption 3DES-CBC
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 12 against priority 12 policy
04:21:33: ISAKMP: encryption 3DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 13 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Xauth authentication by pre-shared key offered but does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match policy!
The client tells me this:
Initializing the connection...
Contacting the gateway at 12.81.27.2...
Remote peer is no longer responding.
And the IPsec log tells me this:
19 23:18:32.530 10/08/03 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
20 23:18:32.580 10/08/03 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
I don't know why it doesn't work, can anybody help me please?
Many thanks in advance
This is the configuration of the router
Router_Adsl#sh run
Building configuration...
Current configuration : 3102 bytes
!
version 12.2
no service pad
hostname Router_Adsl
logging queue-limit 100
username cisco password 0 cisco
aaa new-model
aaa authorization network administradores local
aaa session-id common
ip subnet-zero
ip domain name racing.es
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 12
encr des
authentication pre-share
hash md5
group 2
crypto isakmp policy 14
encr des
authentication pre-share
hash sha
group 5
!
!
crypto isakmp client configuration group administradores
key 0 racing
dns 192.168.200.2
domain racing.es
pool mipool
crypto ipsec transform-set mitrans esp-3des esp-sha-hmac
!
crypto dynamic-map mapadinamico 20
set transform-set mitrans
reverse-route
!
!
crypto map mapaestatico isakmp authorization list administradores
crypto map mapaestatico client configuration address respond
crypto map mapaestatico 10 ipsec-isakmp dynamic mapadinamico
interface Loopback0
ip address 12.81.27.2 255.255.255.255
!
interface Ethernet0
ip address 192.168.200.251 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
crypto map mapaestatico
hold-queue 100 out
!
interface ATM0
no ip address
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
ip address 10.0.80.9 255.255.255.252
ip access-group 100 in
ip nat outside
no ip route-cache
no ip mroute-cache
pvc 1/32
protocol ip 10.0.80.10 broadcast
vbr-nrt 384 384 32
encapsulation aal5mux ip
ip local pool mipool 192.168.200.218 192.168.200.220
ip nat inside source list 1 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.80.10
access-list 1 permit 192.168.200.0 0.0.0.255
radius-server authorization permit missing Service-Type
!
scheduler max-task-time 5000
end
10-09-2003 11:09 AM
If you are trying to do Xauth, try:
crypto map mapaestatico client authentication local
Without that, that's why this happens:
04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match policy!
The Cisco Client wants Xauth but it's not configured on the router.
Also, try falling back to an earlier version of the VPN Client software. Either that or upgrade the IOS code to the latest version. I had the same problem with Client version 4 and 3.6.3 when connecting to an IOS router until I fell back to Client version 3.5.1.
The newer clients may have support for protocols that the IOS box doesn't understand (i.e. AES).
Also turn on debugging in your client software.
p.s. here's a good link
good luck
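A small parser for the debug crypto isakmp output shown in this thread, as an added example that is not part of either post: it records, per offered transform, which attribute the router rejected, then lists the offers whose cipher matches the router's "encr des" policies together with the reason they still failed. The sample lines are a constructed excerpt in the same format, and the function names are hypothetical.

```python
import re

# IKEv1 encryption IDs (IANA registry); the router prints an ID it cannot name as "What? 7?".
IKE_ENCR = {"1": "DES-CBC", "5": "3DES-CBC", "7": "AES-CBC"}

# Constructed excerpt in the format of the debug output above
# (hash, group and lifetime lines omitted; wrapped lines kept as the terminal broke them).
SAMPLE = """\
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 8 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 13 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP (0:3): Xauth authentication by pre-shared key offered but does
not match policy!
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match poli
cy!
"""

def parse_offers(text):
    """Return one dict per offered transform, with the attribute the router rejected."""
    offers = []
    for line in text.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+) against priority (\d+)", line):
            offers.append({"transform": int(m[1]), "policy": int(m[2]), "rejected": None})
        elif not offers:
            continue
        elif m := re.search(r"ISAKMP: encryption(?:\.\.\. What\? (\d+)\?|\s+(\S+))", line):
            offers[-1]["encryption"] = IKE_ENCR.get(m[1], f"id {m[1]}") if m[1] else m[2]
        elif m := re.search(r"ISAKMP: auth (\S+)", line):
            offers[-1]["auth"] = m[1]
        elif m := re.search(r"\): (.+?) offered\b", line):
            # Match on the subject only, so a wrapped "...does / not match policy!" still parses.
            offers[-1]["rejected"] = m[1]
    return offers

def cipher_matches(offers, policy_encr="DES-CBC"):
    """Offers whose cipher the router's 'encr des' policies accept, and why each still failed."""
    return [(o["transform"], o.get("auth"), o["rejected"])
            for o in offers if o.get("encryption") == policy_encr]

if __name__ == "__main__":
    for row in cipher_matches(parse_offers(SAMPLE)):
        print(row)
```

Run against the full capture, this separates the AES and 3DES offers, which are rejected on encryption, from the DES offers, which are rejected on authentication.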