easy remote VPN client and router 837

pgasol
Level 1

Hi, I have an 837 router and I want a PC with the Easy Remote VPN client to be able to connect to it.

The client is 3.6.4(A) and the router has the version 12.2(4)YA3 flash:c820-k9osy6-mz.122-4.YA3.bin

I have turned on debug crypto isakmp and I see things like this:

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 3 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 5 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 7 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 8 against priority 12 policy

04:21:33: ISAKMP: encryption... What? 7?

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP: attribute 14

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 9 against priority 12 policy

04:21:33: ISAKMP: encryption 3DES-CBC

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 10 against priority 12 policy

04:21:33: ISAKMP: encryption 3DES-CBC

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 11 against priority 12 policy

04:21:33: ISAKMP: encryption 3DES-CBC

04:21:33: ISAKMP: hash SHA

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 12 against priority 12 policy

04:21:33: ISAKMP: encryption 3DES-CBC

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 13 against priority 12 policy

04:21:33: ISAKMP: encryption DES-CBC

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth XAUTHInitPreShared

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Xauth authentication by pre-shared key offered but does not match policy!

04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3

04:21:33: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 12 policy

04:21:33: ISAKMP: encryption DES-CBC

04:21:33: ISAKMP: hash MD5

04:21:33: ISAKMP: default group 2

04:21:33: ISAKMP: auth pre-share

04:21:33: ISAKMP: life type in seconds

04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match policy!

The client tells me this:

Initializing the connection...

Contacting the gateway at 12.81.27.2...

Remote peer is no longer responding.

And the IPsec log tells me this:

19 23:18:32.530 10/08/03 Sev=Warning/2 IKE/0xE300007C

Exceeded 3 IKE SA negotiation retransmits... peer is not responding

20 23:18:32.580 10/08/03 Sev=Warning/3 DIALER/0xE3300008

GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).

I don't know why it doesn't work, can anybody help me please?

Many thanks in advance

This is the configuration of the router

Router_Adsl#sh run

Building configuration...

Current configuration : 3102 bytes

!

version 12.2

no service pad

hostname Router_Adsl

logging queue-limit 100

username cisco password 0 cisco

aaa new-model

aaa authorization network administradores local

aaa session-id common

ip subnet-zero

ip domain name racing.es

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

crypto isakmp policy 12

encr des

authentication pre-share

hash md5

group 2

crypto isakmp policy 14

encr des

authentication pre-share

hash sha

group 5

!

!

crypto isakmp client configuration group administradores

key 0 racing

dns 192.168.200.2

domain racing.es

pool mipool

crypto ipsec transform-set mitrans esp-3des esp-sha-hmac

!

crypto dynamic-map mapadinamico 20

set transform-set mitrans

reverse-route

!

!

crypto map mapaestatico isakmp authorization list administradores

crypto map mapaestatico client configuration address respond

crypto map mapaestatico 10 ipsec-isakmp dynamic mapadinamico

interface Loopback0

ip address 12.81.27.2 255.255.255.255

!

interface Ethernet0

ip address 192.168.200.251 255.255.255.0

ip nat inside

no ip route-cache

no ip mroute-cache

crypto map mapaestatico

hold-queue 100 out

!

interface ATM0

no ip address

no ip route-cache

no ip mroute-cache

no atm ilmi-keepalive

bundle-enable

dsl operating-mode auto

hold-queue 224 in

!

interface ATM0.1 point-to-point

ip address 10.0.80.9 255.255.255.252

ip access-group 100 in

ip nat outside

no ip route-cache

no ip mroute-cache

pvc 1/32

protocol ip 10.0.80.10 broadcast

vbr-nrt 384 384 32

encapsulation aal5mux ip

ip local pool mipool 192.168.200.218 192.168.200.220

ip nat inside source list 1 interface Loopback0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 10.0.80.10

access-list 1 permit 192.168.200.0 0.0.0.255

radius-server authorization permit missing Service-Type

!

scheduler max-task-time 5000

end


gfullage
Cisco Employee

If you don't want to do user authentication, then rather than leave the xauth lines out, add the following:

aaa authentication login userauthen none

crypto map clientmap client authentication list userauthen

If you do want to do user authentication, change the first line above to:

aaa authentication login userauthen local

and then you can use cisco/cisco that you have defined in the local user database (you can define other names here also obviously).

The sample config for what you're trying to do is here (note this is for a 3002 HW client connecting to a router, but the router config is the same for a SW client):

http://www.cisco.com/warp/public/471/vpn-3k2-ios-nem-lea.html
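
Added example (not part of the original posts and not Cisco code): a small Python parser for debug crypto isakmp output of the kind shown in the question. It groups the lines by offered transform and lists the transforms the router refused for a reason other than the encryption algorithm. The sample input is constructed from lines in the post, and the 80-column terminal wrap is an assumption.

```python
import re

# Constructed sample modelled on the post's debug lines (80-column wraps kept).
SAMPLE = """\
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 8 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 13 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP (0:3): Xauth authentication by pre-shared key offered but does
not match policy!
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match poli
cy!
"""

HEAD = re.compile(r"^\d\d:\d\d:\d\d: ISAKMP(?: \(\d+:\d+\))?: *")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"(encryption|hash|default group|auth)\W+(.+)")

def unwrap(text, width=80):
    """Rejoin messages split by terminal wrapping (assumed 80 columns)."""
    out, full = [], False
    for raw in filter(str.strip, text.splitlines()):
        if HEAD.match(raw) or not out:
            out.append(raw)
        else:  # no timestamp: continuation; a full-width line broke mid-word
            out[-1] += ("" if full else " ") + raw.strip()
        full = len(raw) == width
    return out

def parse(text):
    """One dict per offered transform: its attributes and the router's verdict."""
    transforms = []
    for msg in (HEAD.sub("", line) for line in unwrap(text)):
        if m := CHECK.match(msg):
            transforms.append({"transform": int(m[1]), "policy": int(m[2])})
        elif transforms and (m := ATTR.fullmatch(msg)):
            transforms[-1][m[1]] = m[2]
        elif transforms and msg.endswith("does not match policy!"):
            transforms[-1]["rejected"] = msg
    return transforms

def non_encryption_rejects(transforms):
    """Transforms refused for a reason other than the encryption algorithm."""
    return [t for t in transforms if "rejected" in t
            and not t["rejected"].startswith("Encryption")]
```

Run over the output in the question, non_encryption_rejects(parse(...)) isolates transforms 13 and 14, the two DES-CBC offers the router refused on authentication, which is the part of the configuration the reply addresses. Encryption value 7, which the router prints as "What? 7?", is AES-CBC in the IANA IKE attribute registry.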