Cisco Support Community
New Member

Cisco VPN Client 4.x not matching ANY crypto sets

After XP failed to connect to my PIX I decided to try the Cisco VPN client but this is doing even worse than XP did.

For some reason I can not get any crypto sets to match. I practically put them all in and it will not match any.

These are what I have.. If someone knows the set that the VPN 4.x wants to use please let me know....

crypto ipsec transform-set ah-3des-md5 ah-md5-hmac esp-3des esp-md5-hmac

crypto ipsec transform-set ah-3des-md5 mode transport

crypto ipsec transform-set ah-3des-sha ah-sha-hmac esp-3des esp-sha-hmac

crypto ipsec transform-set ah-3des-sha mode transport

crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac

crypto ipsec transform-set 3des-md5 mode transport

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

crypto ipsec transform-set 3des-sha mode transport

crypto ipsec transform-set ah-des-md5 ah-md5-hmac esp-des esp-md5-hmac

crypto ipsec transform-set ah-des-md5 mode transport

crypto ipsec transform-set ah-des-sha ah-sha-hmac esp-des esp-sha-hmac

crypto ipsec transform-set ah-des-sha mode transport

crypto ipsec transform-set des-md5 esp-des esp-md5-hmac

crypto ipsec transform-set des-md5 mode transport

crypto ipsec transform-set des-sha esp-des esp-sha-hmac

crypto ipsec transform-set des-sha mode transport

crypto ipsec transform-set ah-aes-md5 ah-md5-hmac esp-aes esp-md5-hmac

crypto ipsec transform-set ah-aes-md5 mode transport

crypto ipsec transform-set ah-aes-sha ah-sha-hmac esp-aes esp-sha-hmac

crypto ipsec transform-set ah-aes-sha mode transport

crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

crypto ipsec transform-set aes-sha mode transport

crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac

crypto ipsec transform-set aes-md5 mode transport

crypto dynamic-map dyn-map 1 match address l2tp

crypto dynamic-map dyn-map 1 set transform-set ah-3des-md5 ah-3des-sha 3des-md5 3des-sha ah-des-md5 ah-des-sha des-md5 des-sa

crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map

crypto map vpn-map client configuration address initiate

crypto map vpn-map client configuration address respond

crypto map vpn-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp nat-traversal 10

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption des

isakmp policy 2 hash sha

isakmp policy 2 group 1

isakmp policy 2 lifetime 86400

isakmp policy 3 authentication pre-share

isakmp policy 3 encryption des

isakmp policy 3 hash md5

isakmp policy 3 group 2

isakmp policy 3 lifetime 86400

isakmp policy 4 authentication pre-share

isakmp policy 4 encryption des

isakmp policy 4 hash sha

isakmp policy 4 group 2

isakmp policy 4 lifetime 86400

isakmp policy 5 authentication pre-share

isakmp policy 5 encryption 3des

isakmp policy 5 hash md5

isakmp policy 5 group 1

isakmp policy 5 lifetime 86400

isakmp policy 6 authentication pre-share

isakmp policy 6 encryption 3des

isakmp policy 6 hash sha

isakmp policy 6 group 1

isakmp policy 6 lifetime 86400

isakmp policy 7 authentication pre-share

isakmp policy 7 encryption 3des

isakmp policy 7 hash md5

isakmp policy 7 group 2

isakmp policy 7 lifetime 86400

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption 3des

isakmp policy 8 hash sha

isakmp policy 8 group 2

isakmp policy 8 lifetime 86400

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption aes

isakmp policy 9 hash md5

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 11 authentication pre-share

isakmp policy 11 encryption aes

isakmp policy 11 hash md5

isakmp policy 11 group 2

isakmp policy 11 lifetime 86400

isakmp policy 12 authentication pre-share

isakmp policy 12 encryption aes

isakmp policy 12 hash sha

isakmp policy 12 group 2

isakmp policy 12 lifetime 86400

vpngroup default address-pool vpn-pool

vpngroup default dns-server 192.168.1.1

vpngroup default default-domain mynet.com

vpngroup default split-tunnel nonat

vpngroup default idle-time 1800

vpngroup default password ********

vpdn group 1 accept dialin l2tp

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 client configuration address local vpn-pool

vpdn group 1 client configuration dns 192.168.1.1

vpdn group 1 client authentication local

vpdn group 1 l2tp tunnel hello 60

vpdn username vpnclient password *********

vpdn enable outside

3 REPLIES
New Member

Re: Cisco VPN Client 4.x not matching ANY crypto sets

This can sometimes be tricky; have you seen this link? It should be helpful.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml

New Member

Re: Cisco VPN Client 4.x not matching ANY crypto sets

I tried to follow that link but it doesn't find a cipher set.

My new config

access-list NoNAT permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

ip address outside 6.21.12.12 255.255.255.0

ip address dmuz 192.168.0.254 255.255.255.0

ip address inside 192.168.1.254 255.255.255.0

ip address testlan 192.168.2.254 255.255.255.0

global (outside) 1 6.21.12.18

nat (inside) 0 access-list NoNAT

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0 6.21.12.1 1

route inside 10.1.1.0 255.255.255.0 192.168.1.254 1

sysopt connection permit-ipsec

crypto ipsec transform-set MySet esp-3des esp-md5-hmac

crypto dynamic-map DynMap 30 set transform-set MySet

crypto map VpnMap 10 ipsec-isakmp dynamic DynMap

crypto map VpnMap interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup default address-pool VpnPool

vpngroup default dns-server 6.21.12.20

vpngroup default default-domain mysite.com

vpngroup default split-tunnel NoNAT

vpngroup default idle-time 1800

vpngroup default password ********

My debug

crypto_isakmp_process_block:src:26.10.14.12, dest:6.21.12.12 spt:500 dpt:500

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts are not acceptable.

crypto_isakmp_process_block:src:26.10.14.12, dest:6.21.12.12 spt:4500 dpt:4500

crypto_isakmp_process_block:src:26.10.14.12, dest:6.21.12.12 spt:4500 dpt:4500

OAK_QM exchange

crypto_isakmp_process_block:src:26.10.14.12, dest:6.21.12.12 spt:4500 dpt:4500

crypto_isakmp_process_block:src:26.10.14.12, dest:6.21.12.12 spt:4500 dpt:4500

ISAKMP (0): processing DELETE payload. message ID = 2190181980, spi size = 4

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

New Member

Re: Cisco VPN Client 4.x not matching ANY crypto sets

Well,

I guess I got it working.

I'm using this:

crypto ipsec transform-set 3DES esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set 3DES

I can get my Cisco VPN client authenticated but I still see all the atts are not acceptable for the crypto sets, then it just authenticates.

I'm guessing the VPN client has a fall back set of crypto settings?

Are those debug errors an issue?
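
Added example, not part of the thread or of any poster's configuration: a short Python parser for ISAKMP debug output of the kind posted above that lists, for each offered transform, which attributes differ from the configured isakmp policy. It compares encryption, hash and DH group only; authentication type and lifetime are not modelled, the sample is a constructed excerpt, and the mapping of the config keyword 3des to the debug string 3DES-CBC is an assumption.

```python
import re

# Constructed excerpt: transforms 1 and 9 from the debug posted above,
# lifetime lines omitted.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP (0): atts are not acceptable.
"""

# "isakmp policy 10" from the second post, written in the debug's spelling
# (assumption: "3des" in the config is reported as "3DES-CBC").
POLICIES = {10: {"encryption": "3DES-CBC", "hash": "MD5", "group": "2"}}

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group)\s+(\S+)")

def parse_proposals(debug_text):
    """Return one dict per 'Checking ISAKMP transform' block in the debug."""
    proposals, current = [], None
    for line in debug_text.splitlines():
        line = line.strip()
        header = HEADER.search(line)
        if header:
            current = {"transform": int(header.group(1)),
                       "priority": int(header.group(2))}
            proposals.append(current)
            continue
        attr = ATTR.match(line)
        if attr and current is not None:
            key = "group" if attr.group(1) == "default group" else attr.group(1)
            current[key] = attr.group(2)
    return proposals

def explain(debug_text, policies):
    """Map (transform, priority) to the attribute names that differ from the policy."""
    result = {}
    for p in parse_proposals(debug_text):
        policy = policies.get(p["priority"])
        if policy is None:
            continue  # debug mentions a priority we have no policy for
        result[(p["transform"], p["priority"])] = [
            k for k in ("encryption", "hash", "group") if p.get(k) != policy[k]]
    return result

if __name__ == "__main__":
    for (num, prio), diff in explain(SAMPLE_DEBUG, POLICIES).items():
        print(f"transform {num} vs policy {prio}: {', '.join(diff) or 'no difference'}")
```

An empty list for a transform means the three compared attributes agree with that policy; a non-empty list names what a policy line would have to change for that offer to be considered.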
