
New Member

VPN Client 3.6.3 unable to get past IKE negotiations with IOS Router.

9 REPLIES
New Member

Re: VPN Client 3.6.3 unable to get past IKE negotiations with IO

I had the same problem with 3.6.2a 3000 Concentrator Code. After an upgrade to 3.6.5 on my Concentrator, the problem went away. They must be changing something fundamental in the client.

New Member

Re: VPN Client 3.6.3 unable to get past IKE negotiations with IO

Chariley,

Can you be a little more specific? What version IOS router, what type of router? What version of client? How do you know it's not getting past isakmp? Do you have debug output you can share with us? How about your router's configuration as well?

Kurtis Durrett

New Member

Re: VPN Client 3.6.3 unable to get past IKE negotiations with IO

New Member

Re: VPN Client 3.6.3 unable to get past IKE negotiations with IO

Kurtis,

Sorry, my message got chopped.

I am running IOS 12.2.8T on a 2500, the client is a VPN 3.6.3 on a Win2K computer. I ran debug crypto isakmp and got the "does not match policy" messages...even though it offers a match towards the end on my policy and the default policy. The IOS supports DES only.

New Member

Re: VPN Client 3.6.3 unable to get past IKE negotiations with IO

Hmm, I don't see software with ipsec on the 2500 in 12.2.8T. Are you sure it's a 2500? Post the config and debug you spoke of. That will help a lot.

Kurtis Durrett

New Member

Re: VPN Client 3.6.3 unable to get past IKE negotiations with IO

Yes, this is definitely a 2500, see show version output here.

Results of debug crypto isakmp are included, as well as the config for the router. Basically, the problem is the VPN client and the router are NOT finding a common set of attributes.

TIA,

Charles

VPN#sh run ver

Cisco Internetwork Operating System Software

IOS (tm) 2500 Software (C2500-IK8OS-L), Version 12.2(8)T, RELEASE SOFTWARE (fc2)

TAC Support: http://www.cisco.com/tac

Copyright (c) 1986-2002 by cisco Systems, Inc.

Compiled Wed 13-Feb-02 23:44 by ccai

Image text-base: 0x0307C1D0, data-base: 0x00001000

ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE

BOOTLDR: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)

VPN uptime is 1 day, 6 hours, 40 minutes

System returned to ROM by power-on

System image file is "flash:c2500-ik8os-l.122-8.T.bin"

cisco 2511 (68030) processor (revision L) with 14336K/2048K bytes of memory.

Processor board ID 02384100, with hardware revision 00000000

Bridging software.

X.25 software, Version 3.0.0.

1 Ethernet/IEEE 802.3 interface(s)

2 Serial network interface(s)

16 terminal line(s)

32K bytes of non-volatile configuration memory.

16384K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102

VPN#sh run

Building configuration...

Current configuration : 1603 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

service tcp-small-servers

!

hostname VPN

!

aaa new-model

!

!

aaa authentication login vpnuser local

aaa authorization network vpngroup local

aaa session-id common

enable password cisco

!

username c password 0 c

ip subnet-zero

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 99

hash md5

crypto isakmp key c address 0.0.0.0 0.0.0.0

!

crypto isakmp client configuration group vpnclient

key c

dns 10.11.23.252

wins 10.11.23.252

domain hypervine.net

pool vpnpool

!

!

crypto ipsec transform-set vpnclient esp-des esp-sha-hmac

!

crypto dynamic-map vpnclient 10

set transform-set vpnclient

!

!

crypto map vpnclient client authentication list vpnuser

crypto map vpnclient isakmp authorization list vpngroup

crypto map vpnclient client configuration address respond

crypto map vpnclient 10 ipsec-isakmp dynamic vpnclient

!

!

!

!

interface Ethernet0

ip address 10.11.20.107 255.255.255.0

no ip route-cache

no ip mroute-cache

crypto map vpnclient

!

interface Serial0

ip address 192.168.192.1 255.255.255.252

no ip route-cache

no ip mroute-cache

clockrate 800000

!

interface Serial1

no ip address

no ip route-cache

no ip mroute-cache

shutdown

!

ip local pool vpnpool 10.11.20.108

ip classless

ip route 0.0.0.0 0.0.0.0 10.11.20.1

ip route 192.168.192.4 255.255.255.252 192.168.192.2

no ip http server

ip pim bidir-enable

!

!

!

!

line con 0

line 1 16

transport input all

line aux 0

transport input all

line vty 0 4

password cisco

!

end

VPN#

1d06h: ISAKMP (0:0): received packet from 192.168.192.6 (N) NEW SA

1d06h: ISAKMP: local port 500, remote port 500

1d06h: ISAKMP (0:1): processing SA payload. message ID = 0

1d06h: ISAKMP (0:1): processing ID payload. message ID = 0

1d06h: ISAKMP (0:1): processing vendor id payload

1d06h: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major

1d06h: ISAKMP (0:1): vendor ID is XAUTH

1d06h: ISAKMP (0:1): processing vendor id payload

1d06h: ISAKMP (0:1): vendor ID is DPD

1d06h: ISAKMP (0:1): processing vendor id payload

1d06h: ISAKMP (0:1): vendor ID is Unity

1d06h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 1 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 1 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 1 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Hash algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 6 against priority 1 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Xauth authentication by pre-shared key offered but does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 7 against priority 1 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Hash algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 8 against priority 1 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Preshared authentication offered but does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 0

1d06h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 99 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 99 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 99 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 99 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 99 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Hash algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 6 against priority 99 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Authentication method offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 7 against priority 99 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Hash algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 8 against priority 99 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Authentication method offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 0

1d06h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 65535 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 65535 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 65535 policy

1d06h: ISAKMP: encryption 3DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 65535 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Authentication method offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 6 against priority 65535 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth XAUTHInitPreShared

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Hash algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 7 against priority 65535 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash SHA

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Authentication method offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 3

1d06h: ISAKMP (0:1): Checking ISAKMP transform 8 against priority 65535 policy

1d06h: ISAKMP: encryption DES-CBC

1d06h: ISAKMP: hash MD5

1d06h: ISAKMP: default group 2

1d06h: ISAKMP: auth pre-share

1d06h: ISAKMP: life type in seconds

1d06h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

1d06h: ISAKMP (0:1): Hash algorithm offered does not match policy!

1d06h: ISAKMP (0:1): atts are not acceptable. Next payload is 0

1d06h: ISAKMP (0:1): no offers accepted!

1d06h: ISAKMP (0:1): phase 1 SA not acceptable!

1d06h: ISAKMP (0:1): incrementing error counter on sa: construct_fail_ag_init

1d06h: ISAKMP (0:1): Unknown Input: state = IKE_READY, major, minor = IKE_MESG_FROM_PEER, IKE_AM_EXCH

1d06h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.192.6

1d06h: ISAKMP (0:1): received packet from 192.168.192.6 (R) AG_NO_STATE

1d06h: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.

1d06h: ISAKMP (0:1): retransmitting due to retransmit phase 1

1d06h: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...

1d06h: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...

1d06h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

1d06h: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE

1d06h: ISAKMP (0:1): sending packet to 192.168.192.6 (R) AG_NO_STATE

VPN#
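One way to tabulate the debug output in the post above (an added example, not part of the original thread): it groups each "Checking ISAKMP transform N against priority P policy" block with the attributes offered and the attribute the router reported as not matching. The sample lines are a shortened excerpt in the format of that debug output, and the function names are made up for this example.

```python
import re
from collections import defaultdict

# Shortened sample in the format of the debug output above (priority 1 only).
SAMPLE = """\
1d06h: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 1 policy
1d06h: ISAKMP: encryption 3DES-CBC
1d06h: ISAKMP: hash MD5
1d06h: ISAKMP: default group 2
1d06h: ISAKMP: auth pre-share
1d06h: ISAKMP (0:1): Encryption algorithm offered does not match policy!
1d06h: ISAKMP (0:1): Checking ISAKMP transform 7 against priority 1 policy
1d06h: ISAKMP: encryption DES-CBC
1d06h: ISAKMP: hash SHA
1d06h: ISAKMP: default group 2
1d06h: ISAKMP: auth pre-share
1d06h: ISAKMP (0:1): Hash algorithm offered does not match policy!
1d06h: ISAKMP (0:1): Checking ISAKMP transform 8 against priority 1 policy
1d06h: ISAKMP: encryption DES-CBC
1d06h: ISAKMP: hash MD5
1d06h: ISAKMP: default group 2
1d06h: ISAKMP: auth pre-share
1d06h: ISAKMP (0:1): Preshared authentication offered but does not match policy!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
REJECT = re.compile(r"ISAKMP \(\d+:\d+\): (.+?) offered (?:but )?does not match policy!")

def parse_offers(text):
    """Return one dict per transform/policy comparison found in the debug text."""
    offers, cur = [], None
    for line in text.splitlines():
        if m := CHECK.search(line):
            cur = {"transform": int(m[1]), "priority": int(m[2]), "rejected": None}
            offers.append(cur)
        elif cur is not None and (m := ATTR.search(line)):
            cur[m[1]] = m[2]          # attribute offered by the client
        elif cur is not None and (m := REJECT.search(line)):
            cur["rejected"] = m[1]    # attribute the router reported as a mismatch
    return offers

def failed_on(offers, priority):
    """Map each rejected attribute to the (encryption, hash, auth) offers it stopped."""
    out = defaultdict(list)
    for o in offers:
        if o["priority"] == priority and o["rejected"]:
            out[o["rejected"]].append((o.get("encryption"), o.get("hash"), o.get("auth")))
    return dict(out)

if __name__ == "__main__":
    for reason, proposals in failed_on(parse_offers(SAMPLE), 1).items():
        print(f"{reason}: {proposals}")
```

Run against the full debug capture, the same grouping shows per policy which offered proposals were turned down on encryption, hash or authentication method.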

New Member

Re: VPN Client 3.6.3 unable to get past IKE negotiations with IO

Try it without the aaa. Remove "aaa new-model" and "crypto map vpnclient client authentication list vpnuser". I still couldn't find your IOS version, looks like it's been pulled from CCO, so I doubt that TAC will even support it. I seem to recall that 1600s and 2500s weren't going to be supported with the new 3.x clients.

Kurtis Durrett

New Member

Re: VPN Client 3.6.3 unable to get past IKE negotiations with IO

Kurtis,

Tried that, and got the same result. Is there a specific client that I need to be using with this version of IOS? If so, can you tell me what that is?

New Member

Re: VPN Client 3.6.3 unable to get past IKE negotiations with IO

You can use the Cisco Secure Client 1.1 to connect to this router. It's available in des and 3des versions. I'd suggest you open a case with TAC to verify that about the 2500 whether or not 3.x client is supported on it.

Kurtis Durrett
