Cisco Support Community
New Member

Cannot negotiate tunnel using new Cisco VPN client (4.0) to Cisco 2611?

As my title describes, if I'm using the new Cisco VPN client 3.64 or higher, I cannot negotiate a tunnel with my 2611 (12.2.15T). If I switch to any older client, like 3.5.3 or 3.5.4, it works fine.

The following is the debug message. Even when I try to match the SA on the router side, I'm still getting these:

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy

04:51:04: ISAKMP: encryption 3DES-CBC

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

Any suggestions would be appreciated!
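
An added example, not part of the original thread: a small Python parser for the debug output quoted in the post above. It groups the lines per offered transform and decodes the raw IDs with the IKEv1 numbering (encryption ID 7 is AES-CBC per RFC 3602, attribute type 14 is Key Length per RFC 2409). The function names are hypothetical, and the sample is a subset of the post's log lines.

```python
import re

# IKEv1 encryption algorithm IDs: RFC 2409 Appendix A, plus 7 from RFC 3602.
IKE_ENC = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC",
           4: "RC5-R16-B64-CBC", 5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC"}
IKE_ATTR = {14: "Key Length"}  # SA attribute type 14, RFC 2409 Appendix A
PREFIX = re.compile(r"^\d\d:\d\d:\d\d: ISAKMP(?: \(\d+:\d+\))?:\s*")

# Sample input assembled for this example from the debug lines in the post.
SAMPLE = """\
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: auth pre-share
04:51:04: ISAKMP: attribute 14
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy
04:51:04: ISAKMP: encryption 3DES-CBC
04:51:04: ISAKMP: hash SHA
04:51:04: ISAKMP: auth XAUTHInitPreShared
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
"""

def parse_transforms(text):
    """Group debug lines per offered transform; decode IDs the router left raw."""
    out, cur = [], None
    for line in text.splitlines():
        msg = PREFIX.sub("", line.strip())
        if m := re.match(r"Checking ISAKMP transform (\d+) against priority (\d+)", msg):
            cur = {"transform": int(m[1]), "priority": int(m[2]), "attrs": {}, "undecoded": [], "reject": None}
            out.append(cur)
        elif cur is None:
            continue  # blank or unrelated line before the first transform
        elif m := re.match(r"encryption\.\.\. What\? (\d+)\?", msg):
            name = cur["attrs"]["encryption"] = IKE_ENC.get(int(m[1]), "unknown")
            cur["undecoded"].append(f"encryption id {m[1]} = {name}")
        elif m := re.match(r"attribute (\d+)$", msg):
            cur["undecoded"].append(f"attribute {m[1]} = {IKE_ATTR.get(int(m[1]), 'unknown')}")
        elif m := re.match(r"(encryption|hash|auth|default group) (.+)", msg):
            cur["attrs"][m[1]] = m[2]
        elif msg.endswith("does not match policy!"):
            cur["reject"] = msg
    return out

def summarize(text):
    """One line per transform: what was offered and why the router refused it."""
    return [f"transform {t['transform']} vs policy {t['priority']}: {t['attrs'].get('encryption')}"
            f"/{t['attrs'].get('hash')}/{t['attrs'].get('auth')} -> {t['reject']}"
            + (f" [undecoded: {'; '.join(t['undecoded'])}]" if t["undecoded"] else "")
            for t in parse_transforms(text)]
```

Calling `summarize(SAMPLE)` gives one line per transform, so a rejected proposal can be compared against the router's policy at a glance.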

2 REPLIES
New Member

Re: Cannot negotiate tunnel using new Cisco VPN client (4.0) to

Have you checked for any bugs or any compatibility issues for the IOS and VPN client software?

New Member

Re: Cannot negotiate tunnel using new Cisco VPN client (4.0) to

Hi,

When the VPN Client initiates AGMODE using USER_FQDN as its identity, the peer router ignores the pre-shared key based policies proposed, hence IKE fails to come up. In other words, IKE fails to come up if we use user-fqdn as the IKE identity for AG MODE initiation.

Workaround: Use address or hostname as the identity.

Thanks,

Aarthi.
