457 Views, 0 Helpful, 2 Replies

VPN client to 1841 router will not establish tunnel

pdesch (Level 1)

We have an 1841 with IOS 12.4(3) that we have been unable to establish a tunnel to using version 4.8.01.0300. It will not exchange ISAKMP keys no matter what settings we use. The debug has a variety of errors including mis-matched encryption, authentication, etc. It won't even match the default isakmp policy!

Here are the relevant parts of the config:

no aaa new-model
!
resource policy
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 100
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Xclient
 key test
 pool vpnpool
 acl 101
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dyn_map 15
 set transform-set AES256-SHA
 reverse-route
!
!
crypto map RA_map client configuration address initiate
crypto map RA_map client configuration address respond
crypto map RA_map 15 ipsec-isakmp dynamic dyn_map
interface FastEthernet0/0
 description "outside"
 ip address x.x.x.x 255.255.255.248
 ip access-group 150 in
 ip inspect default100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map RA_map

And an example of the ISAKMP debug:

*Jun 28 21:53:47.903: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 100 policy
*Jun 28 21:53:47.903: ISAKMP: encryption DES-CBC
*Jun 28 21:53:47.903: ISAKMP: hash MD5
*Jun 28 21:53:47.903: ISAKMP: default group 2
*Jun 28 21:53:47.903: ISAKMP: auth pre-share
*Jun 28 21:53:47.903: ISAKMP: life type in seconds
*Jun 28 21:53:47.903: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 28 21:53:47.903: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!
*Jun 28 21:53:47.903: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Jun 28 21:53:47.903: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy

We cannot figure out why the router will not match the pre-shared authentication parameter, or any of the other parameters (encryption, hash, etc.) that we change.

We've tried removing NAT and the ACLs to no avail... What am I missing?

Thanks ahead of time.

Accepted Solution

thomas.chen (Level 6)

Various debug commands exist: "debug crypto engine" displays information pertaining to the crypto engine, such as when Cisco IOS software is performing encryption or decryption operations; "debug crypto ipsec" is another. Refer to the following URL for more info:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b04.html


2 Replies


This turned out to be an aaa/crypto map problem. I was able to fix the problem by using the following commands:

aaa new-model
!
!
aaa authentication login userauth local
aaa authorization network sdm_vpn_group_ml_1 local
!
crypto map RA_map client authentication list userauth
crypto map RA_map isakmp authorization list sdm_vpn_group_ml_1
crypto map RA_map client configuration address respond
crypto map RA_map 15 ipsec-isakmp dynamic dyn_map
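An added example, not code from the thread: a small Python check that turns the fix above into a lint rule over an IOS running-config, so the same misconfiguration can be caught before the ISAKMP debug has to be read. It assumes, as the fix implies, that a router serving a "crypto isakmp client configuration group" needs "aaa new-model" plus a crypto map bound to a defined "isakmp authorization list" and "client authentication list"; the function name check_easyvpn_server and both sample configs are constructed here.

```python
import re

# Constructed sample: the configuration from the original post, trimmed to the
# statements this check looks at.
BROKEN_CONFIG = """\
no aaa new-model
crypto isakmp policy 100
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group Xclient
 key test
 pool vpnpool
crypto map RA_map client configuration address respond
crypto map RA_map 15 ipsec-isakmp dynamic dyn_map
"""

# Constructed sample: the same router with the fix reported later in the thread.
FIXED_CONFIG = BROKEN_CONFIG.replace("no aaa new-model", "aaa new-model") + """\
aaa authentication login userauth local
aaa authorization network sdm_vpn_group_ml_1 local
crypto map RA_map client authentication list userauth
crypto map RA_map isakmp authorization list sdm_vpn_group_ml_1
"""

def check_easyvpn_server(config):
    """Return findings (empty list = OK) for a router that serves a client
    configuration group but lacks the AAA bindings used to look up its key."""
    findings = []
    groups = re.findall(r"^crypto isakmp client configuration group (\S+)", config, re.M)
    if not groups:
        return findings  # no remote-access group configured; nothing to check
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model is not enabled; group lookups need AAA")
    # Named AAA lists that are actually defined, keyed by list name.
    authz = dict(re.findall(r"^aaa authorization network (\S+) (\S+)", config, re.M))
    authn = dict(re.findall(r"^aaa authentication login (\S+) (\S+)", config, re.M))
    # Every crypto map that terminates dynamic (client) peers needs both bindings.
    for cmap in sorted(set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic", config, re.M))):
        az = re.search(rf"^crypto map {re.escape(cmap)} isakmp authorization list (\S+)", config, re.M)
        an = re.search(rf"^crypto map {re.escape(cmap)} client authentication list (\S+)", config, re.M)
        if az is None:
            findings.append(f"crypto map {cmap}: missing 'isakmp authorization list' for groups {groups}")
        elif az.group(1) not in authz:
            findings.append(f"crypto map {cmap}: authorization list '{az.group(1)}' is not defined")
        if an is None:
            findings.append(f"crypto map {cmap}: missing 'client authentication list' (no Xauth list)")
        elif an.group(1) not in authn:
            findings.append(f"crypto map {cmap}: authentication list '{an.group(1)}' is not defined")
    return findings
```

Running check_easyvpn_server(BROKEN_CONFIG) reports three findings (AAA disabled, no authorization list, no authentication list); the fixed config reports none.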
