Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Router to Cisco VPN client VPN connection Version problem?

Hi,

I have a Cisco VPN client connection to a cisco 2600, if i'm using the client version 3.5.2, it's working, once i upgrade to 3.6.4, i can't even finish the negotication. does it has something to do with the AES issue?

how can i get around this?

Simon

3 REPLIES
Bronze

Re: Router to Cisco VPN client VPN connection Version problem?

Simon,

The VPN client should send AES in the ike proposal along with 3des and des. The router should accept either a 3des or a des proposal eventually. Can you send debug cry isa and debug cry ip from the router?

Jazib

New Member

Re: Router to Cisco VPN client VPN connection Version problem?

Hi

Thanks for your reply, here is the debug message which i got from the router.

any suggestion or hints would be appreciates

04:51:04: ISAKMP (0:0): received packet from 67.194.152.99 (N) NEW SA

04:51:04: ISAKMP: local port 500, remote port 500

04:51:04: ISAKMP (0:2): (Re)Setting client xauth list user-test and state

04:51:04: ISAKMP: Locking CONFIG struct 0x82CC85C8 from crypto_ikmp_config_initi

alize_sa, count 2

04:51:04: ISAKMP (0:2): processing SA payload. message ID = 0

04:51:04: ISAKMP (0:2): processing ID payload. message ID = 0

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major

04:51:04: ISAKMP (0:2): vendor ID is XAUTH

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID is DPD

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID is Unity

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy

04:51:04: ISAKMP: encryption 3DES-CBC

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 10 against priority 3 policy

04:51:04: ISAKMP: encryption 3DES-CBC

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 12 against priority 65535 poli

cy

04:51:04: ISAKMP: encryption 3DES-CBC

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 13 against priority 65535 poli

cy

04:51:04: ISAKMP: encryption DES-CBC

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Hash algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 14 against priority 65535 poli

cy

04:51:04: ISAKMP: encryption DES-CBC

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Hash algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 0

04:51:04: ISAKMP (0:2): no offers accepted!

04:51:04: ISAKMP (0:2): phase 1 SA not acceptable!

04:51:04: ISAKMP (0:2): incrementing error counter on sa: construct_fail_ag_init

04:51:04: ISAKMP (0:2): Unknown Input: state = IKE_READY, major, minor = IKE_MES

G_FROM_PEER, IKE_AM_EXCH

04:51:09: ISAKMP (0:2): received packet from 67.194.152.99 (R) AG_NO_STATE

04:51:09: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.

04:51:09: ISAKMP (0:2): retransmitting due to retransmit phase 1

04:51:09: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE...

04:51:10: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE...

04:51:10: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

04:51:10: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE

04:51:10: ISAKMP (0:2): sending packet to 67.194.152.99 (R) AG_NO_STATE

Bronze

Re: Router to Cisco VPN client VPN connection Version problem?

Hi there,

it does look like your router is not negotiating the isakmp policy. I don't know what's the configured isakmp policy is on your router. But try to configure a policy similar to the one listed below and see what happens

encr 3des

hash md5

group 2

auth pres

Jazib

198
Views
0
Helpful
3
Replies
CreatePlease to create content