06-28-2006 02:04 PM - edited 02-21-2020 02:30 PM
We have an 1841 with IOS 12.4(3) that we have been unable to establish a tunnel to using version 4.8.01.0300. It will not exchange ISAKMP keys no matter what settings we use. The debug has a variety of errors including mis-matched encryption, authentication, etc. It won't even match the default isakmp policy!
Here are the relevant parts of the config:
no aaa new-model
!
resource policy
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 100
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Xclient
 key test
 pool vpnpool
 acl 101
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dyn_map 15
 set transform-set AES256-SHA
 reverse-route
!
!
crypto map RA_map client configuration address initiate
crypto map RA_map client configuration address respond
crypto map RA_map 15 ipsec-isakmp dynamic dyn_map
!
interface FastEthernet0/0
 description "outside"
 ip address x.x.x.x 255.255.255.248
 ip access-group 150 in
 ip inspect default100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map RA_map
And an example of the ISAKMP debug:
*Jun 28 21:53:47.903: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 100 policy
*Jun 28 21:53:47.903: ISAKMP: encryption DES-CBC
*Jun 28 21:53:47.903: ISAKMP: hash MD5
*Jun 28 21:53:47.903: ISAKMP: default group 2
*Jun 28 21:53:47.903: ISAKMP: auth pre-share
*Jun 28 21:53:47.903: ISAKMP: life type in seconds
*Jun 28 21:53:47.903: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jun 28 21:53:47.903: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!
*Jun 28 21:53:47.903: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Jun 28 21:53:47.903: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 65535 policy
We cannot figure out why the router will not match the pre-shared authentication parameter, or any of the other parameters (encryption, hash etc.) that we change.
We've tried removing NAT and the ACLs to no avail...What am I missing?
Thanks ahead of time.
07-04-2006 08:29 AM
Various debug commands exist: "debug crypto engine" displays information pertaining to the crypto engine, such as when Cisco IOS software is performing encryption or decryption operations; and "debug crypto ipsec". Refer to the following URL for more info:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b04.html
07-14-2006 11:56 AM
This turned out to be an aaa/crypto map problem. I was able to fix the problem by using the following commands:
aaa new-model
!
!
aaa authentication login userauth local
aaa authorization network sdm_vpn_group_ml_1 local
!
crypto map RA_map client authentication list userauth
crypto map RA_map isakmp authorization list sdm_vpn_group_ml_1
crypto map RA_map client configuration address respond
crypto map RA_map 15 ipsec-isakmp dynamic dyn_map
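For a reader assembling this from scratch, here is a complete IOS remote-access (EzVPN server) configuration that combines the pieces of the config posted in the question with the AAA and crypto map lines from the accepted answer. This is an added example, not the poster's running config and not text from Cisco's documentation. The local Xauth user, the pool range, the contents of ACL 101 and the group key are placeholder assumptions, and dropping the DES/MD5 fallback policy 100 is an editorial hardening choice, not part of the fix above. The reason the fix works: without an `isakmp authorization list` on the crypto map, the router has no way to look up the group pre-shared key (`key test`) configured under the client configuration group, so every proposal that offers pre-shared authentication is rejected with "Preshared authentication offered but does not match policy!" even when encryption, hash and DH group match the policy exactly, which is what the debug in the question shows.

```cisco
! Added example (not the poster's config). Placeholders: vpnuser, the
! pool range, ACL 101 and the group key.
aaa new-model
!
! Xauth users and the client-group lookup both come from the local
! database. "network" authorization is what lets ISAKMP find the
! group's key, pool and ACL under "crypto isakmp client configuration group".
aaa authentication login userauth local
aaa authorization network sdm_vpn_group_ml_1 local
!
! Placeholder Xauth account; use per-user credentials in production.
username vpnuser secret VpnUserPl4ceholder
!
! Phase 1: AES-256 / SHA-1 / DH group 2 / pre-shared group key.
! The DES+MD5 policy 100 from the original post is intentionally
! omitted so a client cannot negotiate down to it.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Group key, address pool and split-tunnel ACL handed to the client.
! "key test" is the value from the original post; the group key is
! shared by every client, so use a long random string instead.
crypto isakmp client configuration group Xclient
 key test
 pool vpnpool
 acl 101
!
! Placeholder pool for client addresses.
ip local pool vpnpool 192.168.100.1 192.168.100.50
!
! Placeholder split-tunnel ACL: only these destinations go through
! the tunnel (the original post does not show ACL 101).
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255
!
! Phase 2: AES-256 with SHA-1 HMAC, tunnel mode (the default).
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dyn_map 15
 set transform-set AES256-SHA
 reverse-route
!
! The two list lines are the fix from the accepted answer.
crypto map RA_map client authentication list userauth
crypto map RA_map isakmp authorization list sdm_vpn_group_ml_1
crypto map RA_map client configuration address respond
crypto map RA_map 15 ipsec-isakmp dynamic dyn_map
!
interface FastEthernet0/0
 description "outside"
 ip address x.x.x.x 255.255.255.248
 crypto map RA_map
```

To verify after applying it, run `debug crypto isakmp` and `debug aaa authorization` while a client connects and check that the proposal is accepted and the group lookup succeeds, then confirm with `show crypto isakmp sa` and `show crypto ipsec sa`. Two general caveats that the thread does not cover but that commonly bite this design: an inbound ACL on the outside interface (ACL 150 in the question) must permit UDP 500, UDP 4500 and ESP from the clients, and if NAT is in use the NAT ACL must exclude traffic between the inside networks and the client pool, or replies to the clients will be translated instead of encrypted.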