Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
917
Views
0
Helpful
2
Replies

Cannot get past IKE phase 1 with VPN client

ccs
Level 1
Level 1

‎01-28-2004 01:30 AM - edited ‎02-21-2020 01:01 PM

Hi,

Is there anyone who can help me? I have a problem connecting with a vpn client 4.0.3 to a 3005 concentrator. Every time I try to connect the client stops with the: Remote peer no longer responding message. When I look in the event log of the concentrator I get the followong messages:

28095 01/28/2004 10:10:24.640 SEV=8 IKEDBG/0 RPT=34221

Proposal # 1, Transform # 10, Type ISAKMP, Id IKE

Parsing received transform:

Phase 1 failure against global IKE proposal # 1:

Rcv'd Key Length attr class, but class is not cfg'd

28099 01/28/2004 10:10:24.640 SEV=8 IKEDBG/0 RPT=34222

Phase 1 failure against global IKE proposal # 2:

Rcv'd Key Length attr class, but class is not cfg'd

28101 01/28/2004 10:10:24.640 SEV=8 IKEDBG/0 RPT=34223

Phase 1 failure against global IKE proposal # 3:

Rcv'd Key Length attr class, but class is not cfg'd

28103 01/28/2004 10:10:24.640 SEV=8 IKEDBG/0 RPT=34224

Phase 1 failure against global IKE proposal # 4:

Rcv'd Key Length attr class, but class is not cfg'd

28105 01/28/2004 10:10:24.640 SEV=8 IKEDBG/0 RPT=34225

Phase 1 failure against global IKE proposal # 5:

Rcv'd Key Length attr class, but class is not cfg'd

28107 01/28/2004 10:10:24.640 SEV=8 IKEDBG/0 RPT=34226

Phase 1 failure against global IKE proposal # 6:

Mismatched attr types for class Hash Alg:

Rcv'd: MD5

Cfg'd: SHA

28109 01/28/2004 10:10:24.640 SEV=8 IKEDBG/0 RPT=34227

Phase 1 failure against global IKE proposal # 7:

Rcv'd Key Length attr class, but class is not cfg'd

28111 01/28/2004 10:10:24.640 SEV=8 IKEDBG/0 RPT=34228

Phase 1 failure against global IKE proposal # 8:

Rcv'd Key Length attr class, but class is not cfg'd

28113 01/28/2004 10:10:24.650 SEV=8 IKEDBG/0 RPT=34229

Phase 1 failure against global IKE proposal # 9:

Rcv'd Key Length attr class, but class is not cfg'd

28115 01/28/2004 10:10:24.650 SEV=8 IKEDBG/0 RPT=34230

Phase 1 failure against global IKE proposal # 10:

Rcv'd Key Length attr class, but class is not cfg'd

28117 01/28/2004 10:10:24.650 SEV=12 IKEDECODE/0 RPT=17136

IKE Decode of received SA attributes follows:

0000: 80010007 80020002 80040002 80030001 ................

0010: 800B0001 000C0004 0020C49B 800E0080 ......... ......

The pre shared keys on the client and the concentrator are identical. All the necessary IKE proposals are active and I have tested it with 3.6.3 client and 4.0.3 client.

The strange thing is when I set the authentication to "None" on the concentrator, a tunnel is established, but when I select "RADIUS"or "Internal" tunnel setup fails, and I get the above shown messages.

Is there anyone who is familiar with this problem or anyone who can point me in the right direction where to look?

Labels:
0 Helpful
2 Replies 2

patrick.cannon
Level 1
Level 1

‎01-28-2004 05:33 PM

You are configured for SHA but the other end is using MD5?

--------

Mismatched attr types for class Hash Alg:

Rcv'd: MD5

Cfg'd: SHA

0 Helpful

ccs
Level 1
Level 1
In response to patrick.cannon

‎01-29-2004 01:33 AM

The concentrator is configured to use MD5. De client should have no problem accepting this. The error you pasted in your message occurs several times when trying to connect. Every time there are other values. See below the result of 1 connection attempt:

Mismatched attr types for class Hash Alg:

Rcv'd: SHA

Cfg'd: MD5

Mismatched attr types for class Hash Alg:

Rcv'd: MD5

Cfg'd: SHA

Mismatched attr types for class Key Length:

Rcv'd: 256 Bits

Cfg'd: 128 Bits

0 Helpful
Customers Also Viewed These Support Documents