Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Client 3.6 to 1710 with 12.2(11)T

Not able to get phase 1 negotiations set up between VPN client 3.6 and 1710 VPN Server. Coming from a DSL connection that creates an NTS PPPoE Adapter with a public address.

Salient config:

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group vpngroup

key xxxxx

dns 192.168.1.4 x.x.x.x

domain xxx.com

pool vpnpool

!

!

crypto ipsec transform-set mdset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set mdset

!

!

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface Ethernet0

crypto map clientmap

!

ip local pool vpnpool 192.168.1.200 192.168.1.250

Debug output (partial):

22:48:12: ISAKMP (0:0): received packet from 65.65.x.x (N) NEW SA

22:48:12: ISAKMP: local port 500, remote port 500

22:48:12: ISAKMP: Locking CONFIG struct 0x8170FA30 from crypto_ikmp_config_initialize_sa, count 2

22:48:12: ISAKMP (0:2): processing SA payload. message ID = 0

22:48:12: ISAKMP (0:2): processing ID payload. message ID = 0

22:48:12: ISAKMP (0:2): processing vendor id payload

22:48:12: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major

22:48:12: ISAKMP (0:2): vendor ID is XAUTH

22:48:12: ISAKMP (0:2): processing vendor id payload

22:48:12: ISAKMP (0:2): vendor ID is DPD

22:48:12: ISAKMP (0:2): processing vendor id payload

22:48:12: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major

22:48:12: ISAKMP (0:2): processing vendor id payload

22:48:12: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major

22:48:12: ISAKMP (0:2): processing vendor id payload

22:48:12: ISAKMP (0:2): vendor ID is Unity

22:48:12: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy

22:48:12: ISAKMP: encryption... What? 7?

22:48:12: ISAKMP: hash SHA

22:48:12: ISAKMP: default group 2

22:48:12: ISAKMP: auth XAUTHInitPreShared

22:48:12: ISAKMP: life type in seconds

22:48:12: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

22:48:12: ISAKMP: attribute 14

22:48:12: ISAKMP (0:2): Encryption algorithm offered does not match policy!

22:48:12: ISAKMP (0:2): atts are not acceptable. Next payload is 3

22:48:12: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy

22:48:17: ISAKMP: encryption 3DES-CBC

22:48:17: ISAKMP: hash SHA

22:48:17: ISAKMP: default group 2

22:48:17: ISAKMP: auth pre-share

22:48:17: ISAKMP: life type in seconds

22:48:17: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

22:48:17: ISAKMP (0:3): Preshared authentication offered but does not match policy!

22:48:17: ISAKMP (0:3): atts are not acceptable. Next payload is 3

22:48:17: ISAKMP (0:3): Checking ISAKMP transform 16 against priority 3 policy

22:48:17: ISAKMP: encryption 3DES-CBC

22:48:17: ISAKMP: hash MD5

22:48:17: ISAKMP: default group 2

22:48:17: ISAKMP: auth pre-share

22:48:17: ISAKMP: life type in seconds

22:48:17: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

22:48:17: ISAKMP (0:3): Hash algorithm offered does not match policy!

22:48:17: ISAKMP (0:3): atts are not acceptable. Next payload is 3

22:48:17: ISAKMP (0:3): Checking ISAKMP transform 17 against priority 3 policy

22:48:17: ISAKMP (0:3): no offers accepted!

22:48:17: ISAKMP (0:3): phase 1 SA not acceptable!

22:48:17: ISAKMP (0:3): incrementing error counter on sa: construct_fail_ag_init

22:48:17: ISAKMP (0:3): Unknown Input: state = IKE_READY, major, minor = IKE_MESG_FROM_PEER, IKE_AM_EXCH

Thanks,

1 REPLY
New Member

Re: VPN Client 3.6 to 1710 with 12.2(11)T

Had to rebuild the config so the router to would take the commands. Pretty flaky???

Some suggestions from TAC:

Put the config in this order: aaa commands, ISAKMP policy, ISAKMP client group, Crypto ipsec transform-set, Crypto dynamic maps, crypto client map, ip local pool, add pool to group, bypass NAT commands

Remove the crypto map client command from the interface to make changes and reapply.

Specify a pool of private addresses that are different than your internal LAN segment to avoid routing issues.

81
Views
0
Helpful
1
Replies
CreatePlease login to create content