01-14-2003 11:28 AM - edited 02-21-2020 12:16 PM
Hello, I have a 1720 router with a VPN module and a point-to-point VPN currently configured and working. I would like to config the router for a dynamic VPN connection using a pre-shared key. I have tried several things but nothing works. Debug commands after a config change indicate that "atts are not acceptable" and "encryption algorithm offered does not match policy". Also the "sh crypto engine connections active" cmd indicates that some attempt to connect occurred, but the "state" field has "alloc" listed and the "algorithm" field has "none" listed. If my running config is required to figure this out I will gladly post it.
Thanks
RJ
01-14-2003 06:56 PM
Yep, can you please post your config and a "sho ver" output. Make sure to change (or "x" out) your public IP address though.
01-15-2003 02:08 PM
Thanks for the quick response. Here are the config and ver of my 1720:
---------------------------------------------------------------------------------------------------------
Cisco1720>sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.2(8)T1, RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sat 30-Mar-02 14:18 by ccai
Image text-base: 0x80008108, data-base: 0x80D2C08C
ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
Cisco1720 uptime is 1 day, 2 hours, 50 minutes
System returned to ROM by reload
System image file is "flash:c1700-k9o3sy7-mz.122-8.T1.bin"
cisco 1720 (MPC860T) processor (revision 0x601) with 27853K/4915K bytes of memory.
Processor board ID JAD061301QE (2828269743), with hardware revision 0000
MPC860T processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 Virtual Private Network (VPN) Module(s)
memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
-------------------------------------------------------------------------------------------------------
Cisco1720#sh run
Building configuration...
Current configuration : 4314 bytes
!
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Cisco1720
!
boot system flash c1700-k9o3sy7-mz.122-8.T1.bin
boot system flash
logging buffered 16384 notifications
no logging console
no logging monitor
aaa new-model
!
!
aaa authentication login userauthen local
aaa session-id common
enable secret 5
enable password
!
username
memory-size iomem 20
clock timezone EST -5
clock summer-time EDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip name-server xxxxxxxxxxxxx
ip dhcp excluded-address xxxxxxxxxxxxx xxxxxxxxxxxxxx
ip dhcp excluded-address xxxxxxxxxxxxxx xxxxxxxxxxx
!
ip dhcp pool 1
network 192xxxxxxxxxxxxxxxxx
domain-name xxxxxxxx.net
default-router 192.168.100.1
dns-server
!
ip inspect audit-trail
ip inspect max-incomplete low 300
ip inspect max-incomplete high 1000
ip inspect one-minute high 600
ip inspect udp idle-time 7200
ip inspect dns-timeout 7
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 10
ip inspect tcp synwait-time 35
ip inspect tcp max-incomplete host 50 block-time 1
ip inspect name ed rcmd timeout 15
ip inspect name ed cuseeme timeout 20
ip inspect name ed smtp timeout 120
ip inspect name ed tftp timeout 60
ip inspect name ed realaudio timeout 120
ip inspect name ed streamworks timeout 120
ip inspect name ed tcp timeout 7200
ip inspect name ed udp timeout 7200
ip audit notify log
ip audit po max-events 100
vpdn-group pppoe
!
!
crypto isakmp policy 1
authentication pre-share
lifetime 300
crypto isakmp key mickey address 209.xxxxxxxxxx (for point to point vpn - working fine)
crypto isakmp key mouse address 0.0.0.0 0.0.0.0 (for vpn client - not working so well)
!
crypto isakmp client configuration group vpngroup
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
!
crypto dynamic-map cm-cryptomap 10
set transform-set cm-transformset-1
!
!
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 209.xxxxxxxxx
set transform-set cm-transformset-1
match address 115
!
!
!
!
interface Ethernet0
description connected to Internet
ip address 209.xxxxxxxxxxxxxxx
ip access-group 125 in
ip mtu 1492
ip nat outside
ip inspect destina out
no ip route-cache
no ip mroute-cache
no keepalive
half-duplex
crypto map cm-cryptomap
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.xxxxxxxxxxxxxxxxxx
ip nat inside
ip tcp adjust-mss 1452
speed auto
!
router rip
version 2
network 192.168.100.0
no auto-summary
!
ip local pool ippool 172.16.1.1 172.16.1.100
ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 209.xxxxxxxxx
ip route 151.xxxxxxx 255.255.255.0 209.xxxxxxx
ip route 151.xxxxxxx 255.255.255.252 209.xxxxxxxxxx
no ip http server
ip pim bidir-enable
!
!
logging 192.xxxxxxxxxxxx
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 101 deny ip 192.xxxxxx 0.0.0.255 10.xxxxxxxxxxxxxx
access-list 101 deny ip 192.xxxxxxxx 0.0.0.255 10.xxxxxxxx
access-list 101 permit ip 192.xxxxxx 0.0.0.255 host 209.xxxxxx
access-list 101 permit ip 192.xxxxx 0.0.0.255 host 209.xxxxxx
access-list 101 deny ip 192.xxxxx 0.0.0.255 209.xxxxxx
access-list 101 deny ip 192.xxxxx 0.0.0.255 209.xxxxx
access-list 101 permit ip 192.xxxxx 0.0.0.255 any
access-list 115 permit ip 192.xxxxx 0.0.0.255 10.xxxxx
access-list 115 permit ip 192.xxxxx 0.0.0.255 10.xxxxx
access-list 115 deny ip 192.xxxx 0.0.0.255 host 209.xxxx
access-list 115 deny ip 192.xxxx 0.0.0.255 host 209.xxxx
access-list 115 permit ip 192.xxxx 0.0.0.255 209.xxxx
access-list 115 permit ip 192.xxxx 0.0.0.255 209.xxxxx
access-list 115 deny ip 192.xxxx 0.0.0.255 any
!
route-map nonat permit 10
match ip address 101
!
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password
line aux 0
line vty 0 4
exec-timeout 30 0
password
!
end
---------------------------------------------------------------------------------------------------
It seems to me that this should be easier than it has been in my various attempts, but as I am new to configuring VPNs on routers I wonder if you could also check the methodology I am using.
I have included (below) the steps I have taken, in order, with cmds:
1) SET ISAKMP POLICY
crypto isakmp policy 2
encryption des
authentication pre-share
hash md5
group 2
lifetime 300
2) SET ISAKMP KEY AND ADDRESS
crypto isakmp key cisco123 address 0.0.0.0
3) SET ISAKMP CLIENT CONFIG
crypto isakmp client configuration address-pool local ippool
4) SET TRANSFER SET
crypto ipsec transform-set dynamic-set-1 esp-des esp-md5-hmac
5) SPECIFY DYNAMIC CRYPTO MAP TEMPLATE
crypto dynamic-map rtpmap 10
set transform-set dynamic-set-1
crypto map dynamic-set-1 99 ipsec-isakmp dynamic rtpmap
ip local pool ippool 172.16.1.1 172.16.1.100
6) MORE CLIENT CONFIG
crypto map dynamic-set-1 client configuration address initiate
crypto map dynamic-set-1 client configuration address respond
crypto map dynamic-set-1 10 ipsec-isakmp dynamic dynmap
crypto isakmp client configuration group vpnpinnacles
7) APPLY CHANGES TO INTERFACE E0
(config)# interface Ethernet 0
(config-if)# crypto map dynamic-set-1
Thank you in advance.
RJ
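As an added illustration (not RJ's config and not from the reply below), here is how the dynamic-client pieces are normally laid out on a 12.2(8)T router so they coexist with an existing static crypto map: the dynamic entry has to be added to the crypto map that is already applied to Ethernet0, because an interface accepts only one crypto map, and the ISAKMP policy must offer group 2, which the Cisco VPN Client proposes. Names such as groupauthor, dynmap, client-ts and the placeholder key and address are assumptions for the example; cm-cryptomap, userauthen, vpngroup, ippool and 192.168.100.0/24 come from the posted config.

```ios
! Phase 1: a policy the VPN Client will accept. The client proposes group 2;
! the posted policy 1 leaves group at its default (1), which is why the
! attributes are rejected. Use "encryption des" if the image lacks 3DES.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Group authorization for clients (list name "groupauthor" is assumed).
! "aaa authentication login userauthen local" already exists in the config.
aaa authorization network groupauthor local
!
! The group carries its own pre-shared key and address pool, so the
! "crypto isakmp key mouse address 0.0.0.0 0.0.0.0" wildcard entry is not needed.
crypto isakmp client configuration group vpngroup
 key <GROUP-PRE-SHARED-KEY>
 pool ippool
!
ip local pool ippool 172.16.1.1 172.16.1.100
!
! Phase 2 for the dynamic peers.
crypto ipsec transform-set client-ts esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set client-ts
!
! Attach the dynamic entry to the map already on Ethernet0 (cm-cryptomap).
! A separate map named dynamic-set-1 is never consulted while cm-cryptomap
! is the one bound to the interface. The dynamic entry gets the highest
! sequence number so the static peer entry (seq 1) is matched first.
crypto map cm-cryptomap client authentication list userauthen
crypto map cm-cryptomap isakmp authorization list groupauthor
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 100 ipsec-isakmp dynamic dynmap
!
! Keep LAN-to-client-pool traffic out of NAT: this deny must precede the
! "permit ip ... any" line in access-list 101, so rebuild that ACL in order.
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.16.1.0 0.0.0.255
!
! Ethernet0 applies access-list 125 inbound (not shown in the post); it must
! admit ISAKMP and ESP to the public address that was masked out above.
access-list 125 permit udp any host <E0-PUBLIC-IP> eq isakmp
access-list 125 permit esp any host <E0-PUBLIC-IP>
```

After applying, "show crypto isakmp sa" should show QM_IDLE for the client peer and "show crypto engine connections active" should list an algorithm instead of "none".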
01-15-2003 04:50 PM
This link may help lead you in the right direction:
http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800ef7ba.shtml