10-09-2003 01:32 AM - edited 02-21-2020 12:49 PM
Hi, I have an 837 router and I want a PC with the Easy Remote VPN client to be able to connect to it.
The client is 3.6.4(A) and the router has version 12.2(4)YA3 flash:c820-k9osy6-mz.122-4.YA3.bin
I have enabled debug crypto isakmp and see things like this:
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 3 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 5 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 6 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 7 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 8 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP: attribute 14
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 9 against priority 12 policy
04:21:33: ISAKMP: encryption 3DES-CBC
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 10 against priority 12 policy
04:21:33: ISAKMP: encryption 3DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 11 against priority 12 policy
04:21:33: ISAKMP: encryption 3DES-CBC
04:21:33: ISAKMP: hash SHA
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 12 against priority 12 policy
04:21:33: ISAKMP: encryption 3DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 13 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Xauth authentication by pre-shared key offered but does
not match policy!
04:21:33: ISAKMP (0:3): atts are not acceptable. Next payload is 3
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP: life type in seconds
04:21:33: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match poli
cy!
The client tells me this:
Initializing the connection...
Contacting the gateway at 12.81.27.2...
Remote peer is no longer responding.
And the IPsec log tells me this:
19 23:18:32.530 10/08/03 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
20 23:18:32.580 10/08/03 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
I don't know why it doesn't work, can anybody help me please?
Many thanks in advance
This is the configuration of the router
Router_Adsl#sh run
Building configuration...
Current configuration : 3102 bytes
!
version 12.2
no service pad
hostname Router_Adsl
logging queue-limit 100
username cisco password 0 cisco
aaa new-model
aaa authorization network administradores local
aaa session-id common
ip subnet-zero
ip domain name racing.es
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 12
encr des
authentication pre-share
hash md5
group 2
crypto isakmp policy 14
encr des
authentication pre-share
hash sha
group 5
!
!
crypto isakmp client configuration group administradores
key 0 racing
dns 192.168.200.2
domain racing.es
pool mipool
crypto ipsec transform-set mitrans esp-3des esp-sha-hmac
!
crypto dynamic-map mapadinamico 20
set transform-set mitrans
reverse-route
!
!
crypto map mapaestatico isakmp authorization list administradores
crypto map mapaestatico client configuration address respond
crypto map mapaestatico 10 ipsec-isakmp dynamic mapadinamico
interface Loopback0
ip address 12.81.27.2 255.255.255.255
!
interface Ethernet0
ip address 192.168.200.251 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
crypto map mapaestatico
hold-queue 100 out
!
interface ATM0
no ip address
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
ip address 10.0.80.9 255.255.255.252
ip access-group 100 in
ip nat outside
no ip route-cache
no ip mroute-cache
pvc 1/32
protocol ip 10.0.80.10 broadcast
vbr-nrt 384 384 32
encapsulation aal5mux ip
ip local pool mipool 192.168.200.218 192.168.200.220
ip nat inside source list 1 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.80.10
access-list 1 permit 192.168.200.0 0.0.0.255
radius-server authorization permit missing Service-Type
!
scheduler max-task-time 5000
end
10-10-2003 08:03 PM
If you don't want to do user authentication, then rather than leave the xauth lines out, add the following:
aaa authentication login userauthen none
crypto map clientmap client authentication list userauthen
If you do want to do user authentication, change the first line above to:
aaa authentication login userauthen local
and then you can use cisco/cisco that you have defined in the local user database (you can define other names here also obviously).
The sample config for what you're trying to do is here (note this is for a 3002 HW client connecting to a router, but the router config is the same for a SW client):
http://www.cisco.com/warp/public/471/vpn-3k2-ios-nem-lea.html
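As an added example (not part of either post), the following Python parses `debug crypto isakmp` output like the log in the question into one record per offered transform, together with the router's rejection message, so the attribute that failed for each offer is visible at a glance. The function name `parse_offers` and the 80-column terminal wrap width are assumptions; the sample is cut down from the question's own log.

```python
import re

# Sample: transforms 8, 13 and 14 abridged from the question's debug output, wraps kept.
SAMPLE = """\
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 8 against priority 12 policy
04:21:33: ISAKMP: encryption... What? 7?
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP (0:3): Encryption algorithm offered does not match policy!
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 13 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth XAUTHInitPreShared
04:21:33: ISAKMP (0:3): Xauth authentication by pre-shared key offered but does
not match policy!
04:21:33: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 12 policy
04:21:33: ISAKMP: encryption DES-CBC
04:21:33: ISAKMP: hash MD5
04:21:33: ISAKMP: default group 2
04:21:33: ISAKMP: auth pre-share
04:21:33: ISAKMP (0:3): Preshared authentication offered but does not match poli
cy!
"""

PREFIX = re.compile(r"^\d\d:\d\d:\d\d: ISAKMP(?: \(\d+:\d+\))?:\s*")
ATTR = re.compile(r"^(encryption|hash|default group|auth)\W+(.+)$")

def parse_offers(text, width=80):
    """Return one dict per offered transform, with the router's rejection message."""
    lines = []
    for raw in text.splitlines():  # undo terminal wrapping at `width` columns (assumed)
        if PREFIX.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] = lines[-1].ljust(width) + raw
    offers = []
    for msg in (PREFIX.sub("", l) for l in lines):
        check = re.match(r"Checking ISAKMP transform (\d+) against priority (\d+)", msg)
        attr = ATTR.match(msg)
        if check:
            offers.append({"transform": int(check[1]), "policy": int(check[2])})
        elif attr and offers:
            # "What? 7?" is IKE encryption id 7 (AES-CBC), which this IOS image cannot name
            offers[-1][attr[1]] = "AES-CBC" if attr[2] == "What? 7?" else attr[2]
        elif msg.endswith("match policy!") and offers:
            offers[-1]["rejected"] = msg
    return offers
```

Run over the full log, the records show that transform 14 carries the same encryption, hash, group and auth values as `crypto isakmp policy 12` and is still rejected on authentication, which is the area the reply's `client authentication list` lines address.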