New Member

837 Easyvpn to 3015 query

I have an 837 that I'm trying to set up with Easyvpn back to a 3015. It is failing with the following:

*Mar 2 02:13:41.817: ISAKMP (0:464): Encryption algorithm offered does not match policy!
*Mar 2 02:13:41.817: ISAKMP (0:464): atts are not acceptable. Next payload is 0
*Mar 2 02:13:41.817: ISAKMP (0:464): Checking ISAKMP transform 1 against priority 65534 policy
*Mar 2 02:13:41.817: ISAKMP: encryption 3DES-CBC
*Mar 2 02:13:41.817: ISAKMP: hash MD5
*Mar 2 02:13:41.821: ISAKMP: default group 1
*Mar 2 02:13:41.821: ISAKMP: auth pre-share
*Mar 2 02:13:41.821: ISAKMP: life type in seconds
*Mar 2 02:13:41.821: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 2 02:13:41.821: ISAKMP (0:464): Encryption algorithm offered does not match policy!
*Mar 2 02:13:41.821: ISAKMP (0:464): atts are not acceptable. Next payload is 0
*Mar 2 02:13:41.821: ISAKMP (0:464): Checking ISAKMP transform 1 against priority

On our 3015 I configured the group up the same as I did for a 1706 easyvpn router - using ESP-3DES-MD5 and pre-shared keys.

Does the 837 IOS need to be a certain version to function correctly? It's never been upgraded so currently sits at factory default of Version 12.3(2)XC2.

Regards,
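
Added example, not part of the original post: a small parser for the `debug crypto isakmp` lines quoted above. It groups the attributes under each "Checking ISAKMP transform" line, decodes the VPI lifetime octets and records the rejection reason. The function names and the `WEAK` table (MD5, DH group 1 and single DES treated as weak) are assumptions of this example, and the sample lines are copied from the post.

```python
import re

# Sample input: lines copied from the debug output in the post above.
SAMPLE = """\
*Mar 2 02:13:41.817: ISAKMP (0:464): Checking ISAKMP transform 1 against priority 65534 policy
*Mar 2 02:13:41.817: ISAKMP: encryption 3DES-CBC
*Mar 2 02:13:41.817: ISAKMP: hash MD5
*Mar 2 02:13:41.821: ISAKMP: default group 1
*Mar 2 02:13:41.821: ISAKMP: auth pre-share
*Mar 2 02:13:41.821: ISAKMP: life type in seconds
*Mar 2 02:13:41.821: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 2 02:13:41.821: ISAKMP (0:464): Encryption algorithm offered does not match policy!
*Mar 2 02:13:41.821: ISAKMP (0:464): atts are not acceptable. Next payload is 0
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority\s*(\d+)?")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|life type in)\s+(\S+)")
LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)")
REJECT = re.compile(r"ISAKMP \(\S+\):\s+(.+ does not match policy!)")

# Assumption of this example: parameters treated as weak when they appear.
WEAK = {"encryption": {"DES-CBC"}, "hash": {"MD5"}, "group": {"1"}}

def parse_isakmp_debug(text):
    """Return one dict per 'Checking ISAKMP transform' block in the debug text."""
    records, cur = [], None
    for line in text.splitlines():
        if m := CHECK.search(line):
            # The priority is optional because a pasted log may be cut mid-line.
            cur = {"transform": int(m.group(1)),
                   "priority": int(m.group(2)) if m.group(2) else None,
                   "rejected": None}
            records.append(cur)
        elif cur is None:
            continue  # result lines that belong to a block not in the capture
        elif m := LIFE.search(line):
            octets = bytes(int(x, 16) for x in m.group(1).split())
            cur["lifetime"] = int.from_bytes(octets, "big")  # big-endian seconds
        elif m := ATTR.search(line):
            key = m.group(1).replace(" in", "").replace("default ", "")
            cur[key] = m.group(2)
        elif m := REJECT.search(line):
            cur["rejected"] = m.group(1)
    return records

def weak_parameters(rec):
    """Names of attributes in rec whose value is listed in WEAK."""
    return sorted(k for k, bad in WEAK.items() if rec.get(k) in bad)
```
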

10 REPLIES

Re: 837 Easyvpn to 3015 query

Hi

The error points out that there's some mismatch in the encryption algorithm.

Can you post the config of your 837 router here?

Regards

New Member

Re: 837 Easyvpn to 3015 query

I agree. Here's the config:

Using 1735 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 837Test
!
enable secret **************
!
username ******** privilege 15 password 0 *********
clock timezone GMT 0
no aaa new-model
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto ipsec client ezvpn phntvpn
 connect auto
 group ******* key 0 *******
 mode network-extension
 peer *.*.*.*
 username *********** password 0 **********
!
!
!
!
interface Ethernet0
 ip address 10.177.8.30 255.255.255.240
 crypto ipsec client ezvpn phntvpn inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address *.*.*.* 255.255.255.252
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname **********
 ppp chap password 0 **********
 crypto ipsec client ezvpn phntvpn
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.177.8.16 255.255.255.240 Ethernet0
no ip http server
no ip http secure-server
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 password ********
 login
 length 0
!
scheduler max-task-time 5000
!
end

New Member

Re: 837 Easyvpn to 3015 query

I'm still struggling with this one. For anyone that has successfully configured an 837 to connect back to a 3015, please could you outline your configuration?

As mentioned above, it seems the encryption algorithm isn't matching, but how can I change that for easyvpn on the 837? My other site which uses a 1700 has a very simple config and makes use of ESP-3DES-MD5.

Are the older 837s not compatible with the 3015s?

Silver

Re: 837 Easyvpn to 3015 query

Hi Jason,

On the 837, what do you get with the following commands:

"sh crypto ipsec transform-set"

"sh crypto ipsec profile"

New Member

Re: 837 Easyvpn to 3015 query

Hi,

I get nothing for the second command but this for the first one:

sh crypto ipsec transform-set
Transform set pht: { esp-3des esp-md5-hmac }
   will negotiate = { Tunnel, },

New Member

Re: 837 Easyvpn to 3015 query

Sorry my mistake - I had been testing another configuration. With the basic configuration shown above neither of those two commands show any output.

(I had manually set a transform-set in my previous post!).

Silver

Re: 837 Easyvpn to 3015 query

Hi Jason,

How did you configure the transform set? I think easy vpn should auto-generate the transform sets. Try recreating a new connection and check what transform-sets are created.

New Member

Re: 837 Easyvpn to 3015 query

I've got these outputs from those commands now:

Transform set ezvpn-profile-autoconfig-transform-0: { esp-aes esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-1: { esp-aes esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-2: { esp-aes esp-sha-hmac }
   will negotiate = { Tunnel, },
   { comp-lzs }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-3: { esp-aes esp-md5-hmac }
   will negotiate = { Tunnel, },
   { comp-lzs }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-4: { esp-3des esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-5: { esp-3des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-6: { esp-3des esp-sha-hmac }
   will negotiate = { Tunnel, },
   { comp-lzs }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-7: { esp-3des esp-md5-hmac }
   will negotiate = { Tunnel, },
   { comp-lzs }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-8: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-9: { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-10: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
   { comp-lzs }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-11: { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },
   { comp-lzs }
   will negotiate = { Tunnel, },

IPSEC profile ezvpn-profile
   Security association lifetime: 4608000 kilobytes/2147483 seconds
   PFS (Y/N): N
   Transform sets={
      ezvpn-profile-autoconfig-transform-0,
      ezvpn-profile-autoconfig-transform-1,
      ezvpn-profile-autoconfig-transform-2,
      ezvpn-profile-autoconfig-transform-3,
      ezvpn-profile-autoconfig-transform-4,
      ezvpn-profile-autoconfig-transform-5,
      ezvpn-profile-autoconfig-transform-6,
      ezvpn-profile-autoconfig-transform-7,
      ezvpn-profile-autoconfig-transform-8,
      ezvpn-profile-autoconfig-transform-9,
      ezvpn-profile-autoconfig-transform-10,
      ezvpn-profile-autoconfig-transform-11,
   }

Silver

Re: 837 Easyvpn to 3015 query

I think it should work now. Any luck?

New Member

Re: 837 Easyvpn to 3015 query

Nope unfortunately not :( I'm going to try upgrading the firmware on the router and if that doesn't work we'll ditch the 837 and move to 1800s instead. The 1701 I used first time worked without any hitches.
