VPN Client to IOS router won't connect

j.dolphin
Level 1

Hi all,

I'm having some problems connecting VPN Client over the internet to our Cisco IOS router. Some help would be very much appreciated!!

On the VPN client log I receive the following error messages:

---------------------------
...
573 16:32:13.164 12/21/05 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
574 16:32:13.164 12/21/05 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
575 16:32:13.164 12/21/05 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
---------------------------

A debug on the router I am trying to connect to yields:

---------------------------
router#debug crypto isakmp
...
Dec 21 16:32:16.089 AEDT: ISAKMP (0:0): received packet from 203.153.196.1 dport 500 sport 500 Global (N) NEW SA
Dec 21 16:32:16.089 AEDT: ISAKMP: Created a peer struct for 203.153.196.1, peer port 500
Dec 21 16:32:16.089 AEDT: ISAKMP: New peer created peer = 0x678939E0 peer_handle = 0x80000031
Dec 21 16:32:16.089 AEDT: ISAKMP: Locking peer struct 0x678939E0, IKE refcount 1 for crypto_isakmp_process_block
Dec 21 16:32:16.089 AEDT: ISAKMP: local port 500, remote port 500
Dec 21 16:32:16.089 AEDT: insert sa successfully sa = 67B0AB34
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
Dec 21 16:32:16.089 AEDT: ISAKMP (0:0): ID payload
    next-payload : 13
    type         : 11
    group id     : eggs
    protocol     : 17
    port         : 500
    length       : 12
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0):: peer matches *none* of the profiles
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is Unity
Dec 21 16:32:16.089 AEDT: ISAKMP : Scanning profiles for xauth ...
.....
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 3 policy
Dec 21 16:32:16.093 AEDT: ISAKMP:      encryption 3DES-CBC
Dec 21 16:32:16.093 AEDT: ISAKMP:      hash MD5
Dec 21 16:32:16.093 AEDT: ISAKMP:      default group 2
Dec 21 16:32:16.093 AEDT: ISAKMP:      auth pre-share
Dec 21 16:32:16.093 AEDT: ISAKMP:      life type in seconds
Dec 21 16:32:16.093 AEDT: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
---------------------------

1 Accepted Solution

Can you apply the crypto map on the WAN interface and check?

13 Replies

j.dolphin
Level 1

Relevant router config is as follows:

---------------------------
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group eggs
 key poached
 pool vpn1pool
!
crypto ipsec transform-set vpn1tset esp-3des esp-md5-hmac
!
crypto dynamic-map vpn1dmap 10
 set transform-set vpn1tset
!
!
crypto map vpn1cmap local-address Loopback100
crypto map vpn1cmap client authentication list userauthen
crypto map vpn1cmap isakmp authorization list groupauthor
crypto map vpn1cmap client configuration address respond
crypto map vpn1cmap 10 ipsec-isakmp dynamic vpn1dmap
!
interface Loopback100
 ip address x.x.x.x 255.255.255.255
 crypto map vpn1cmap
!
ip local pool vpn1pool 10.64.65.1 10.64.65.254
!
---------------------------

And, finally, I'm running VPN client version 4.8.00.0440.

What on earth does "Preshared authentication offered but does not match policy!" mean?

Any advice would be fantastic, thanks, Jerome.

If not already applied, apply the crypto map also on the WAN interface through which the connections are made, and not on the loopback.

Is this command present in your router?

crypto map vpn1cmap 1 ipsec-isakmp dynamic vpn1dmap

Regards,

Naman

Hi Naman, yep, as posted above:

crypto map vpn1cmap 10 ipsec-isakmp dynamic vpn1dmap

Thanks for the response! Jerome

bzink
Level 1

Please post your router config.

Jerome,

Please post the bit with the ACL, no NAT, etc.

Chaps, I've had to butcher this config pretty thoroughly, so it may actually be useless to you.

Jacko, there is no "no nat" as the router is connected to the internet, with real world addresses on most interfaces, including the Lo100 (203.x.x.x).

...

Can you apply the crypto map on the WAN interface and check?

Hi Gautam, I moved the command "crypto map vpn1cmap" to a WAN interface of the router and modified my VPN client to point to the WAN interface IP address (203.x.x.x).

Unfortunately I'm still receiving the same errors, "Preshared authentication offered but does not match policy!" in the router debug (debug crypto isakmp) and, from the VPN client log:

-----------
93 09:35:25.900 12/23/05 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
94 09:35:25.900 12/23/05 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
95 09:35:25.900 12/23/05 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
----------------

Actually Gautam, my mistake, you're absolutely right! Fantastic!!

So, the solution is:

You CAN point the VPN client at a loopback address, BUT the interface which the VPN traffic passes through to get to the loopback must have the crypto map applied. So, I've applied the crypto map to all internet-facing interfaces, and now it works!! I think that calls for a celebration :)

Why would it behave like this? I'd love to understand it.

Thanks for your help!

Yes, it is correct behaviour, I should say. IPSec will encrypt traffic going out of an interface matching the ACL. As no traffic flows through the Loopback, your traffic never gets encrypted. The Loopback is used as source/destination for higher availability; encryption is done on the interface.
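As an added illustration of the fix described in this thread (not the poster's actual config, and not Cisco documentation), here are the interface bindings before and after. The config names are the ones from the thread; the WAN interface name and the addresses are hypothetical placeholders.

```cisco
! --- BEFORE: the crypto map is bound only to the loopback. Clients arrive on the
! WAN interface, which has no crypto map, so ISAKMP rejects the proposal with
! "Preshared authentication offered but does not match policy!" and the client
! sees "Invalid SPI size" / "Received malformed message".
crypto map vpn1cmap local-address Loopback100
crypto map vpn1cmap client authentication list userauthen
crypto map vpn1cmap isakmp authorization list groupauthor
crypto map vpn1cmap client configuration address respond
crypto map vpn1cmap 10 ipsec-isakmp dynamic vpn1dmap
!
interface Loopback100
 ip address 203.0.113.1 255.255.255.255
 crypto map vpn1cmap
!
interface GigabitEthernet0/0
 description WAN link (hypothetical interface name and address)
 ip address 198.51.100.2 255.255.255.252
 ! no crypto map here -> broken
!
! --- AFTER: keep the loopback as the local address (the client may still point at
! 203.0.113.1), but bind the map on every internet-facing interface that the
! client's IKE/ESP packets actually traverse.
crypto map vpn1cmap local-address Loopback100
!
interface Loopback100
 ip address 203.0.113.1 255.255.255.255
!
interface GigabitEthernet0/0
 description WAN link (hypothetical interface name and address)
 ip address 198.51.100.2 255.255.255.252
 crypto map vpn1cmap
!
! The group password in the client's .pcf must equal the "key" under
! "crypto isakmp client configuration group eggs" (here: poached).
```

To confirm the binding and the resulting negotiation, `show crypto map` lists the interfaces the map is attached to and `show crypto isakmp sa` should show the client's phase-1 SA in QM_IDLE once it connects.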

Have you verified the group password in your VPN client config (.pcf file)? The preshared authentication refers to that. Use what is in the 'key' portion of your 'crypto isakmp client configuration group ' config. Or, just leave it blank in your VPN client config and enter it in when it prompts you, if you prefer to test it that way.