12.3(1) to 4.0.1 without xauth -phase 1 chokes

testing new IOS and client

host (with client 4.0.1) > 2621router > host

using the following config:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
memory-size iomem 10
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
no ip domain lookup
mpls ldp logging neighbor-changes
no ftp-server write-enable
!
xsm
xsm vdm
xsm edm
xsm history vdm
xsm history edm
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local myPOOL
!
crypto isakmp client configuration group myGROUP
 key xxx
 pool myPOOL
!
!
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto mib topn interval 60
!
crypto dynamic-map myDYNMAP 10
 set transform-set mySET
!
!
crypto map myMAP client configuration address respond
crypto map myMAP 10 ipsec-isakmp dynamic myDYNMAP
!
!
interface FastEthernet0/0
 ip address 2.2.2.3 255.0.0.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 1.1.1.3 255.0.0.0
 duplex auto
 speed auto
 crypto map myMAP
!
interface Serial0/1
 no ip address
 shutdown
!
ip local pool myPOOL 2.2.2.10 2.2.2.15
!
ip classless
ip http server
ip http secure-server
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login

-----------------------------

The client is configured with the same group name and password (myGROUP xxx).

The client can't connect, and the debug shows this:

*Mar 1 03:43:26.075: ISAKMP (0:1): Checking ISAKMP transform 14 against priority 10 policy
*Mar 1 03:43:26.075: ISAKMP: encryption DES-CBC
*Mar 1 03:43:26.075: ISAKMP: hash MD5
*Mar 1 03:43:26.075: ISAKMP: default group 2
*Mar 1 03:43:26.079: ISAKMP: auth pre-share
*Mar 1 03:43:26.079: ISAKMP: life type in seconds
*Mar 1 03:43:26.079: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 03:43:26.079: ISAKMP (0:1): Preshared authentication offered but does not match policy!
*Mar 1 03:43:26.079: ISAKMP (0:1): atts are not acceptable. Next payload is 0

I have entered the same group name and password.

Any ideas why the debug says pre-share auth doesn't match the policy?

1 REPLY
Cisco Employee

Re: 12.3(1) to 4.0.1 without xauth -phase 1 chokes

Even though you're not doing XAuth, the router still needs to authenticate the group and key, so you still need the aaa config stuff. Add the following:

> aaa new-model
> aaa authentication login userauthen none
> aaa authorization network groupauthor local
> crypto map myMAP client authentication list userauthen
> crypto map myMAP isakmp authorization list groupauthor

This'll tell the router to do no user authentication (XAuth), but to authenticate the group locally on the router, which is where you've configured the group name and key.
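As an added example (not from the thread or from Cisco), a small Python check that applies the reply's advice to a config: any crypto map serving `crypto isakmp client configuration group` clients should be bound to an `isakmp authorization list` that authorizes against the local database, plus `aaa new-model` and a `client authentication list`. The config snippets are abbreviated copies of the thread's config, constructed here; the function name is my own.

```python
import re

# Abbreviated copy of the router config posted in the question (constructed
# from the thread; only the lines relevant to group authorization are kept).
POSTED_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group myGROUP
 key xxx
 pool myPOOL
crypto map myMAP client configuration address respond
crypto map myMAP 10 ipsec-isakmp dynamic myDYNMAP
"""

# The same config with the five lines from the reply added.
FIXED_CONFIG = POSTED_CONFIG + """\
aaa new-model
aaa authentication login userauthen none
aaa authorization network groupauthor local
crypto map myMAP client authentication list userauthen
crypto map myMAP isakmp authorization list groupauthor
"""


def audit_group_auth(config: str) -> list[str]:
    """Return findings (empty list = OK) for an IOS config that defines
    ISAKMP client groups: each ipsec-isakmp crypto map must be wired to AAA so
    the router can look up the group key and accept the pre-shared proposal."""
    lines = [ln.strip() for ln in config.splitlines()]
    if not any(ln.startswith("crypto isakmp client configuration group ") for ln in lines):
        return []  # no client groups defined, nothing to check
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")
    # name -> method list for every 'aaa authorization network <name> <methods>'
    authz = {m.group(1): m.group(2) for ln in lines
             if (m := re.fullmatch(r"aaa authorization network (\S+) (.+)", ln))}
    maps = sorted({m.group(1) for ln in lines
                   if (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", ln))})
    for cm in maps:
        esc = re.escape(cm)
        if not any(re.fullmatch(rf"crypto map {esc} client authentication list \S+", ln) for ln in lines):
            findings.append(f"crypto map {cm}: no 'client authentication list' bound")
        bound = [m.group(1) for ln in lines
                 if (m := re.fullmatch(rf"crypto map {esc} isakmp authorization list (\S+)", ln))]
        if not bound:
            findings.append(f"crypto map {cm}: no 'isakmp authorization list' bound")
        elif bound[0] not in authz:
            findings.append(f"crypto map {cm}: authorization list {bound[0]} is not defined")
        elif "local" not in authz[bound[0]].split():
            findings.append(f"crypto map {cm}: authorization list {bound[0]} does not use local")
    return findings
```

Run it against the posted config to see the missing pieces, and against the fixed config to confirm it comes back clean.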
