12-20-2005 09:46 PM - edited 02-21-2020 02:09 PM
Hi all,
I'm having some problems connecting VPN Client over the internet to our Cisco IOS router. Some help would be very much appreciated!!
On the VPN client log I receive the following error messages:
---------------------------
...
573 16:32:13.164 12/21/05 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
574 16:32:13.164 12/21/05 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
575 16:32:13.164 12/21/05 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
---------------------------
A debug on the router I am trying to connect to yields:
---------------------------
router#debug crypto isakmp
...
Dec 21 16:32:16.089 AEDT: ISAKMP (0:0): received packet from 203.153.196.1 dport 500 sport 500 Global (N) NEW SA
Dec 21 16:32:16.089 AEDT: ISAKMP: Created a peer struct for 203.153.196.1, peer port 500
Dec 21 16:32:16.089 AEDT: ISAKMP: New peer created peer = 0x678939E0 peer_handle = 0x80000031
Dec 21 16:32:16.089 AEDT: ISAKMP: Locking peer struct 0x678939E0, IKE refcount 1 for crypto_isakmp_process_block
Dec 21 16:32:16.089 AEDT: ISAKMP: local port 500, remote port 500
Dec 21 16:32:16.089 AEDT: insert sa successfully sa = 67B0AB34
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
Dec 21 16:32:16.089 AEDT: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : eggs
protocol : 17
port : 500
length : 12
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0):: peer matches *none* of the profiles
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is Unity
Dec 21 16:32:16.089 AEDT: ISAKMP : Scanning profiles for xauth ...
.....
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 3 policy
Dec 21 16:32:16.093 AEDT: ISAKMP: encryption 3DES-CBC
Dec 21 16:32:16.093 AEDT: ISAKMP: hash MD5
Dec 21 16:32:16.093 AEDT: ISAKMP: default group 2
Dec 21 16:32:16.093 AEDT: ISAKMP: auth pre-share
Dec 21 16:32:16.093 AEDT: ISAKMP: life type in seconds
Dec 21 16:32:16.093 AEDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
---------------------------
12-20-2005 09:47 PM
Relevant router config is as follows:
---------------------------
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group eggs
 key poached
 pool vpn1pool
!
crypto ipsec transform-set vpn1tset esp-3des esp-md5-hmac
!
crypto dynamic-map vpn1dmap 10
 set transform-set vpn1tset
!
!
crypto map vpn1cmap local-address Loopback100
crypto map vpn1cmap client authentication list userauthen
crypto map vpn1cmap isakmp authorization list groupauthor
crypto map vpn1cmap client configuration address respond
crypto map vpn1cmap 10 ipsec-isakmp dynamic vpn1dmap
!
interface Loopback100
 ip address x.x.x.x 255.255.255.255
 crypto map vpn1cmap
!
ip local pool vpn1pool 10.64.65.1 10.64.65.254
!
---------------------------
And, finally, I'm running VPN client version 4.8.00.0440.
What on earth does "Preshared authentication offered but does not match policy!" mean?
Any advice would be fantastic, thanks, Jerome.
12-21-2005 12:13 AM
If already not applied, apply the crypto map also on the WAN interface through which the connections are made and not on the loopback.
12-21-2005 02:59 PM
Is this command present in your router?
crypto map vpn1cmap 1 ipsec-isakmp dynamic vpn1dmap
Regards,
Naman
12-21-2005 09:22 PM
Hi Naman, yep, as posted above:
crypto map vpn1cmap 10 ipsec-isakmp dynamic vpn1dmap
Thanks for the response! Jerome
12-21-2005 06:47 AM
Please post your router config.
12-21-2005 02:54 PM
Jerome,
Please post the bit with the ACL, NO NAT etc.
12-21-2005 09:17 PM
12-21-2005 09:24 PM
...
12-22-2005 03:14 AM
Can you apply the crypto map on the WAN interface and check?
12-22-2005 02:39 PM
Hi Gautam, I moved the command "crypto map vpn1cmap" to a wan interface of the router and modified my VPN client to point to the WAN interface ip address (203.x.x.x).
Unfortunately I'm still receiving the same errors, "Preshared authentication offered but does not match policy!" in the router debug (debug crypto isakmp) and, from the VPN client log:
-----------
93 09:35:25.900 12/23/05 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
94 09:35:25.900 12/23/05 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
95 09:35:25.900 12/23/05 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
----------------
12-22-2005 03:19 PM
Actually Gautam, my mistake, you're absolutely right! Fantastic!!
So, the solution is:
You CAN point the VPN client at a loopback address, BUT the interface which the VPN traffic passes through to get to the loopback must have the crypto map applied. So, I've applied the crypto map to all internet-facing interfaces, and now it works!! I think that calls for a celebration :)
Why would it behave like this? I'd love to understand it.
Thanks for your help !
12-22-2005 09:19 PM
Yes, it is correct behaviour, I should say. IPsec will encrypt traffic going out of an interface matching the ACL. As no traffic flows through the loopback, your traffic never gets encrypted. The loopback is used as source/destination for higher availability; encryption is done on the interface.
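The behaviour Gautam describes above is easy to check by eye on a small config, but it is also easy to lint for. The following Python script is an added example, not tooling from this thread or from Cisco: it parses a show-run style IOS excerpt and flags every crypto map that is bound only to Loopback interfaces (or to no interface at all), which is exactly the state Jerome's router was in. The map, transform-set and policy names are the ones from the config posted earlier; the interface FastEthernet0/0, its description and all IP addresses are constructed for the example.

```python
"""Lint Cisco IOS crypto-map placement for the loopback-only pitfall.

Added example, not tooling from the thread or from Cisco.  The parser
handles a running-config excerpt in show-run format (top-level commands at
column 0, sub-commands indented by one space) and reports every crypto map
that is bound only to Loopback interfaces or to no interface at all.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CryptoMapUsage:
    name: str
    local_address: Optional[str] = None                  # from 'crypto map X local-address Y'
    applied_on: List[str] = field(default_factory=list)  # interfaces carrying 'crypto map X'


def parse_config(config_text: str) -> Dict[str, CryptoMapUsage]:
    """Collect crypto-map definitions and the interfaces they are applied to."""
    maps: Dict[str, CryptoMapUsage] = {}
    current_iface: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # blank line or IOS '!' separator
        if not line.startswith(" "):
            current_iface = None          # any top-level command ends an interface block
            m = re.match(r"^interface\s+(\S+)$", line)
            if m:
                current_iface = m.group(1)
                continue
            m = re.match(r"^crypto map (\S+)(?:\s+local-address\s+(\S+))?", line)
            if m:
                usage = maps.setdefault(m.group(1), CryptoMapUsage(m.group(1)))
                if m.group(2):
                    usage.local_address = m.group(2)
            continue
        # Indented sub-command: only 'crypto map NAME' inside an interface block matters here.
        m = re.match(r"^\s*crypto map (\S+)$", line)
        if m and current_iface:
            maps.setdefault(m.group(1), CryptoMapUsage(m.group(1))).applied_on.append(current_iface)
    return maps


def lint_crypto_maps(config_text: str) -> List[str]:
    """Return one finding per crypto map that cannot see inbound IKE/IPsec traffic."""
    findings = []
    for name, usage in sorted(parse_config(config_text).items()):
        if not usage.applied_on:
            findings.append(f"{name}: defined but not applied to any interface")
        elif all(i.lower().startswith("loopback") for i in usage.applied_on):
            findings.append(
                f"{name}: applied only to {', '.join(usage.applied_on)}; "
                "bind it to the interface(s) the IKE/IPsec packets enter"
            )
    return findings


# Constructed config modelled on the thread's: the map is bound to Loopback100 only.
# Addresses are documentation ranges; FastEthernet0/0 is an assumed WAN interface.
BEFORE_CONFIG = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set vpn1tset esp-3des esp-md5-hmac
!
crypto dynamic-map vpn1dmap 10
 set transform-set vpn1tset
!
crypto map vpn1cmap local-address Loopback100
crypto map vpn1cmap client authentication list userauthen
crypto map vpn1cmap isakmp authorization list groupauthor
crypto map vpn1cmap client configuration address respond
crypto map vpn1cmap 10 ipsec-isakmp dynamic vpn1dmap
!
interface Loopback100
 ip address 192.0.2.1 255.255.255.255
 crypto map vpn1cmap
!
interface FastEthernet0/0
 description WAN uplink (constructed)
 ip address 198.51.100.2 255.255.255.252
!
"""

# The fix from the thread: keep the loopback as local-address, but also apply
# the map on the internet-facing interface the packets actually arrive on.
AFTER_CONFIG = BEFORE_CONFIG.replace(
    " ip address 198.51.100.2 255.255.255.252\n",
    " ip address 198.51.100.2 255.255.255.252\n crypto map vpn1cmap\n",
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"[{label}] findings: {lint_crypto_maps(cfg) or 'none'}")
```

Run it against a pasted `show running-config` excerpt: the "before" config produces one finding for vpn1cmap, the "after" config none, because the map now also sits on the interface the client's IKE packets enter. The `local-address Loopback100` line is deliberately left alone in both cases, since that is the supported way to give all WAN interfaces one stable IKE identity.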
12-22-2005 03:30 PM
Have you verified the group password in your VPN client config (.pcf file)? The preshared authentication refers to that. Use what is in the 'key' portion of your 'crypto isakmp client configuration group