Cisco Support Community
New Member

VPN client to 2611 IOS VPN connection, need help troubleshooting

Hi, I have been trying to set up a Cisco VPN Client 4.x to IOS VPN connection (C2600-IK8O3S-M). I believe it can be done, but I am having trouble finding the problem.

I have turned on debugging. Here is a sample of the debug from the router. Any assistance would be greatly appreciated.

Here is what I am debugging:

General OS:

TACACS access control debugging is on

AAA Authentication debugging is on

AAA Authorization debugging is on

Cryptographic Subsystem:

Crypto ISAKMP debugging is on

Crypto Engine debugging is on

Crypto IPSEC debugging is on

Start of debug (edited...)

####################################################

ISAKMP (0:0): received packet from 66.183.231.233 (N) NEW SA

ISAKMP: local port 500, remote port 500

ISAKMP: Created a peer node for 66.183.231.233

ISAKMP (0:1): Setting client config settings 82C7CAFC

ISAKMP (0:1): (Re)Setting client xauth list userauthen and state

ISAKMP: Locking CONFIG struct 0x82C7CAFC from crypto_ikmp_config_initialize_sa, count 1

ISAKMP (0:1): processing SA payload. message ID = 0

ISAKMP (0:1): processing ID payload. message ID = 0

ISAKMP (0:1): processing vendor id payload

ISAKMP (0:1): vendor ID seems Unity/DPD but bad major

ISAKMP (0:1): vendor ID is XAUTH

ISAKMP (0:1): processing vendor id payload

ISAKMP (0:1): vendor ID is DPD

ISAKMP (0:1): processing vendor id payload

ISAKMP (0:1): vendor ID seems Unity/DPD but bad major

ISAKMP (0:1): processing vendor id payload

ISAKMP (0:1): vendor ID seems Unity/DPD but bad major

ISAKMP (0:1): processing vendor id payload

ISAKMP (0:1): vendor ID is Unity

ISAKMP (0:1): Checking ISAKMP transform 1 against priority 3 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth XAUTHInitPreShared

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

ISAKMP: attribute 14

ISAKMP (0:1): Encryption algorithm offered does not match policy!

ISAKMP (0:1): atts are not acceptable. Next payload is 3

ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth XAUTHInitPreShared

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

ISAKMP: attribute 14

ISAKMP (0:1): Encryption algorithm offered does not match policy!

ISAKMP (0:1): atts are not acceptable. Next payload is 3

ISAKMP (0:1): Checking ISAKMP transform 2 against priority 65535 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

ISAKMP (0:1): Hash algorithm offered does not match policy!

ISAKMP (0:1): atts are not acceptable. Next payload is 0

ISAKMP (0:1): no offers accepted!

ISAKMP (0:1): phase 1 SA not acceptable!

ISAKMP (0:1): incrementing error counter on sa: construct_fail_ag_init

ISAKMP (0:1): Unknown Input: state = IKE_READY, major, minor = IKE_MESG_FROM_PEER, IKE_AM_EXCH

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 66.183.231.233

ISAKMP (0:1): received packet from 66.183.231.233 (R) AG_NO_STATE

ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.

ISAKMP (0:1): retransmitting due to retransmit phase 1

ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...

ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...

ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE

ISAKMP (0:1): sending packet to 66.183.231.233 (R) AG_NO_STATE

ISAKMP (0:1): received packet from 66.183.231.233 (R) AG_NO_STATE

ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.

ISAKMP (0:1): retransmitting due to retransmit phase 1

ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...

ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...

ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE

ISAKMP (0:1): received packet from 66.183.231.233 (R) AG_NO_STATE

ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.

ISAKMP (0:1): retransmitting due to retransmit phase 1

ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...

ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...

ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE

ISAKMP: quick mode timer expired.

ISAKMP (0:1): peer does not do paranoid keepalives.

ISAKMP (0:1): deleting SA reason "QM_TIMER expired" state (R) AG_NO_STATE (peer 66.183.231.233) input queue 0

ISAKMP (0:1): deleting SA reason "QM_TIMER expired" state (R) AG_NO_STATE (peer 66.183.231.233) input queue 0

ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

ISAKMP (0:1): Old State = IKE_READY New State = IKE_DEST_SA

ISAKMP (0:1): purging SA., sa=82C7B864, delme=82C7B864

ISAKMP: Unlocking CONFIG struct 0x82C7CAFC on return of attributes, count 0

CryptoEngine0: delete connection 1

CryptoEngine0: delete connection 1

4 REPLIES
Cisco Employee

Re: VPN client to 2611 IOS VPN connection, need help troubleshooting

This is your problem:

ISAKMP (0:1): no offers accepted!

ISAKMP (0:1): phase 1 SA not acceptable!

You're not even getting past Phase 1, which means your ISAKMP policy in the router is not correct. Make sure you have "group 2" defined under it, because the VPN client uses DH Group 2.

There's a sample config here:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

New Member

Re: VPN client to 2611 IOS VPN connection, need help troubleshooting

Thanks for replying DFullage.

I am new to IPsec and Cisco routers, but I believe I have the DH group 2 setting correct in my config file. I have a problem when trying to configure the encr setting under crypto isakmp policy 3: I am only offered des under the encr section and not 3des. I believe this has something to do with the IOS version I am running, but I am not sure.

If you could please look at my config, I would appreciate it.

start of config

#################################

Current configuration : 4431 bytes

!

! Last configuration change at 13:26:38 Pacfic Sat Jan 17 2004

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname edge-ro

!

aaa new-model

!

!

aaa authentication login userauthen group tacacs+

aaa authorization network groupauthor local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default stop-only group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default stop-only group tacacs+

aaa session-id common

enable secret 5 ######################

enable password 7 ######################

!

username john password 7 ######################

clock timezone Pacfic -8

clock summer-time pst recurring

ip subnet-zero

no ip source-route

!

!

!

no ip bootp server

ip audit notify log

ip audit po max-events 100

ip ssh authentication-retries 4

!

crypto isakmp policy 3

authentication pre-share

group 2

!

crypto isakmp client configuration group vpngroup

key palmason

dns 192.168.1.2

domain mydomain.com

pool ippool

!

!

crypto ipsec transform-set myset esp-des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

!

voice call carrier capacity active

!

!

!

mta receive maximum-recipients 0

!

!

interface Ethernet0/0

ip address dhcp

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

no ip mroute-cache

full-duplex

no cdp enable

crypto map clientmap

!

interface Ethernet0/1

ip address 172.16.0.1 255.255.0.0

ip nat inside

full-duplex

no cdp enable

!

ip local pool ippool 172.16.0.20 172.16.0.30

ip nat inside source list 15 interface Ethernet0/0 overload

ip classless

no ip http server

!

!

logging 192.168.1.50

access-list 15 permit 172.16.0.0 0.0.255.255

access-list 76 permit any log

access-list 101 permit tcp host 209.139.248.100 66.183.239.0 0.0.0.255 eq 22 log

access-list 101 permit tcp host 66.183.231.233 66.183.239.0 0.0.0.255 eq 22 log

access-list 101 permit icmp host 209.139.248.100 66.183.239.0 0.0.0.255 log

access-list 101 permit icmp host 66.183.231.233 66.183.239.0 0.0.0.255 log

access-list 101 deny icmp any any log

access-list 101 deny udp any any eq snmp log

access-list 101 deny ip 127.0.0.0 0.255.255.255 any log

access-list 101 deny ip 255.0.0.0 0.255.255.255 any log

access-list 101 deny ip 224.0.0.0 7.255.255.255 any log

access-list 101 deny ip host 0.0.0.0 any log

access-list 101 permit ip any any log

no cdp run

!

tacacs-server host 192.168.1.2 single-connection

tacacs-server key ########

call rsvp-sync

!

!

mgcp profile default

!

dial-peer cor custom

!

!

!

!

banner exec ^CWelcome, you have connected to router $(hostname).$(domain).^C

!

line con 0

exec-timeout 20 0

password 7 ######################

logging synchronous

line aux 0

exec-timeout 20 0

password 7 ######################

logging synchronous

line vty 0 4

location Victoria

access-class 76 in

exec-timeout 20 0

password 7 ######################

logging synchronous

transport input telnet

!

ntp clock-period 17208459

ntp server 140.142.16.34

!

end

New Member

Re: VPN client to 2611 IOS VPN connection, need help troubleshooting

Hello John,

I had faced a similar problem.

You can try these:

Under your crypto policy add:

hash md5

Your transform set should be like this:

crypto ipsec transform-set myset esp-des esp-md5-hmac

HOPE THIS SOLVES YOUR PROBLEM

M.Radhakrishnan mrk@thehindu.co.in
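As an added worked example (not code from this thread, from Cisco or from IOS), the Python below re-derives the router's phase 1 decision from the debug posted above: it parses each "Checking ISAKMP transform" block, checks it against the poster's "crypto isakmp policy 3" plus the implicit default policy 65535, and shows that adding "hash md5" as suggested in this reply is what lets the client's DES/MD5/group 2 proposal match. It assumes the IOS 12.2 policy defaults (encryption des, hash sha, group 1, authentication rsa-sig); the sample debug lines are constructed from the trace above.

```python
import re

# Config keyword -> the name IOS prints for the same attribute in the debug.
KEYWORDS = {"des": "DES-CBC", "3des": "3DES-CBC", "md5": "MD5", "sha": "SHA"}
# Assumed IOS 12.2 'crypto isakmp policy' defaults; priority 65535 is the implicit default policy.
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "auth": "rsa-sig"}
HDR_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|default group|auth) (\S+)")

# Constructed sample: the two transform checks from the thread's debug, trimmed.
SAMPLE_DEBUG = "\n".join([
    "ISAKMP (0:1): Checking ISAKMP transform 1 against priority 3 policy",
    "ISAKMP: encryption... What? 7?", "ISAKMP: hash SHA",
    "ISAKMP: default group 2", "ISAKMP: auth XAUTHInitPreShared",
    "ISAKMP (0:1): Checking ISAKMP transform 2 against priority 65535 policy",
    "ISAKMP: encryption DES-CBC", "ISAKMP: hash MD5",
    "ISAKMP: default group 2", "ISAKMP: auth pre-share"])


def parse_offers(debug_text):
    """Collect the attribute lines IOS prints under each 'Checking ISAKMP transform' header."""
    offers = []
    for line in debug_text.splitlines():
        if m := HDR_RE.search(line):
            offers.append({"transform": int(m[1]), "policy": int(m[2])})
        elif (m := re.search(r"encryption\.\.\. What\? (\d+)\?", line)) and offers:
            offers[-1]["encryption"] = f"unknown({m[1]})"  # an id this IOS cannot name
        elif (m := ATTR_RE.search(line)) and offers:
            offers[-1]["group" if m[1] == "default group" else m[1]] = m[2]
    return offers


def check_offer(offer, policy):
    """Return the first mismatching attribute, or None if the policy accepts the offer.
    Encryption is compared before hash, as the debug shows; group/auth order is assumed."""
    eff = {**DEFAULTS, **policy}
    expected = {"encryption": KEYWORDS.get(eff["encryption"], eff["encryption"].upper()),
                "hash": KEYWORDS.get(eff["hash"], eff["hash"].upper()),
                "group": eff["group"], "auth": eff["auth"]}
    # The VPN client offers XAUTH-initiator pre-shared key, which 'authentication pre-share' accepts.
    offered = {**offer, "auth": "pre-share" if offer["auth"] == "XAUTHInitPreShared" else offer["auth"]}
    return next((k for k in expected if offered[k] != expected[k]), None)


def first_accepted(debug_text, policies):
    """Try each offered transform against every policy (plus the implicit default) in priority
    order; return (transform, priority) of the first match, or None: IOS's 'no offers accepted!'."""
    for offer in parse_offers(debug_text):
        for prio, pol in sorted({**policies, 65535: {}}.items()):
            if check_offer(offer, pol) is None:
                return offer["transform"], prio
    return None
```

With the poster's policy 3 (authentication pre-share, group 2, defaults otherwise) first_accepted returns None, matching the "phase 1 SA not acceptable!" in the trace; with "hash md5" added it returns (2, 3).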

New Member

Re: VPN client to 2611 IOS VPN connection, need help troubleshooting

Thanks M. Radhakrishnan, I will try this later today and let you know if it helps.

Thank you for responding.

John P
