vpn problem in Cisco 1841

pacheco
Level 1

I am having a problem with our Cisco 1841 router. I configured it for VPN remote client access and it works, but once connected I can't remotely access the server inside the network. I can mount the root drive but can't browse the folders in the drive. I can mount an individual folder inside the drive but can't open files someone has created in that drive. Is this a router config problem or the file server? The router has IOS 12.4 and the file server is running Windows 2000 Server.

Also, I would like to remotely access the file server from outside without using the VPN. Should I use a standard access list or an extended one? Any sample config will be appreciated.

4 Replies

ggilbert
Cisco Employee

Hello -

Sniffer traces between the server and the router would let us know what might be happening. Before you get into that, can you turn on "deb cry isa" & "deb cry ipsec", then try your VPN client to mount the folder and open the file.

See if there are any debugs (make sure you do "term mon" if doing a telnet) and send those.

Also try inserting the command "crypto ipsec df-bit clear" globally. See if that helps.

I erased the configuration of the router and started all over again, this time with RADIUS enabled for authentication of remote VPN users. Now I can't even connect using the VPN. Below are the debug messages I got. Do you have any clue which part of the configuration I should look at to fix the VPN access? I am using VPN client version 4. Thanks.

===debug messages======
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 1 policy
*Dec 1 23:39:12.715: ISAKMP:      encryption AES-CBC
*Dec 1 23:39:12.715: ISAKMP:      hash SHA
*Dec 1 23:39:12.715: ISAKMP:      default group 2
*Dec 1 23:39:12.715: ISAKMP:      auth pre-share
*Dec 1 23:39:12.715: ISAKMP:      life type in seconds
*Dec 1 23:39:12.715: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Dec 1 23:39:12.715: ISAKMP:      keylength of 256
..............
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 1 policy
*Dec 1 23:39:12.715: ISAKMP:      encryption AES-CBC
*Dec 1 23:39:12.715: ISAKMP:      hash SHA
*Dec 1 23:39:12.715: ISAKMP:      default group 2
*Dec 1 23:39:12.715: ISAKMP:      auth XAUTHInitPreShared
*Dec 1 23:39:12.715: ISAKMP:      life type in seconds
*Dec 1 23:39:12.715: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Dec 1 23:39:12.715: ISAKMP:      keylength of 128
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
......................
*Dec 1 23:39:12.771: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Dec 1 23:39:12.839: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Dec 1 23:39:12.839: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Dec 1 23:39:12.839: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Dec 1 23:39:12.839: ISAKMP:(0:1:SW:1):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-02 ID
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Dec 1 23:39:12.919: ISAKMP (0:134217729): ID payload
        next-payload : 10
        type         : 1
        address      : 209.xxx.xx.xx
        protocol     : 17
        port         : 0
        length       : 12
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1):Total payload length: 12
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1): sending packet to 63.xx.xx.xx my_port 500 peer_port 3 (R) AG_INIT_EXCH
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
........................
*Dec 1 23:39:49.191: ISAKMP (0:134217730): received packet from 64.xx.xx.xx dport 500 sport 3 Global (R) AG_INIT_EXCH
*Dec 1 23:39:49.191: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 64.xx.xx.xx was not encrypted and it should've been.

Here's the running config:

version 12.4
..............deleted.........
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_2 group radius
!
aaa session-id common
memory-size iomem 25
ip cef
!
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
[delete]
ip inspect name FastEthernet_0 tftp
!
!
ip domain name abcd.com
ip name-server 20x.xxx.xxx.xxx
ip name-server 20x.xxx.xxx.xxx
!
!
crypto pki trustpoint TP-self-signed-458006412
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-458006412
 revocation-check none
 rsakeypair TP-self-signed-458006412
!
!
crypto pki certificate chain TP-self-signed-458006412
 certificate self-signed 01
  [deleted]
  quit
username abcdef privilege 15 secret 5 $abcdefgjhAm.
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key abcdef
 dns 192.168.1.1 192.168.1.2
 wins 192.168.1.1 192.168.1.2
 domain domain.local
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
 ip address 192.168.1.200 255.255.255.0
 ip access-group 100 in
 ip inspect FastEthernet_0 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 20x.xxx.xx.xx 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 service-module t1 remote-alarm-enable
 no cdp enable
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 172.16.1.1 172.16.1.30
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0/0 overload
!
access-list 10 remark SDM_ACL Category=16
access-list 10 permit 192.0.0.0 0.255.255.255
access-list 100 remark SDM_ACL Category=17
access-list 100 permit udp host 192.168.1.1 eq 1645 host 192.168.1.200
access-list 100 permit udp host 192.168.1.1 eq 1646 host 192.168.1.200
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ip 172.16.1.0 0.0.0.31 any
access-list 101 permit udp any host 20x.xxx.xx.xx eq non500-isakmp
access-list 101 permit udp any host 20x.xxx.xx.xx eq isakmp
access-list 101 permit esp any host 20x.xxx.xx.xx
access-list 101 permit ahp any host 20x.xxx.xx.xx
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any 172.16.1.0 0.0.0.31
access-list 102 permit ip 192.0.0.0 0.255.255.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 timeout 10 key abcdefg
!
control-plane
!
banner login ^CC
....deleted.....
^C
!
line con 0
 exec-timeout 0 0
 login authentication abcdefg
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
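Added example, not code from the thread: a Python check that reads "debug crypto isakmp" transform blocks like the ones posted above and matches them against the router's "crypto isakmp policy" stanzas the way the "Encryption algorithm offered does not match policy!" / "atts are not acceptable" lines do (encryption, AES key length, hash, DH group and authentication must all agree; the lifetime is only negotiated down to the shorter value). The sample debug text is constructed to mirror the excerpt; transform 9 (a 3DES proposal) and the second policy with "encr aes 256" are assumptions, not something the posts show.

```python
"""Added example for this thread, not code from the posts: check the IKE phase-1 proposals
printed by 'debug crypto isakmp' against 'crypto isakmp policy' stanzas. Sample data is constructed."""
import re

ENC_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
# IOS logs XAUTHInitPreShared as "pre-shared key authentication plus XAUTH": treat it as pre-share.
AUTH_NAMES = {"XAUTHInitPreShared": "pre-share", "XAUTHInitRSA": "rsa-sig"}
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|"
                     r"life duration \(VPI\) of|keylength of)\s+(.+?)\s*$")
DEFAULTS = dict(encr="des", keylen=0, hash="sha", group=1, auth="rsa-sig", lifetime=86400)  # IOS defaults

def parse_policies(config: str) -> list:
    """Parse every 'crypto isakmp policy N' stanza (plus its indented sub-lines) into a dict."""
    policies, cur = [], None
    for raw in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if m:
            cur = dict(DEFAULTS, priority=int(m.group(1)))
            policies.append(cur)
        elif cur is None or not raw.startswith(" "):
            cur = None  # an unindented line ends the stanza
        elif raw.split():
            kw, *args = raw.split()
            if kw in ("encr", "encryption"):
                cur["encr"], cur["keylen"] = args[0], (int(args[1]) if len(args) > 1 else 0)
            elif kw in ("hash", "authentication"):
                cur["auth" if kw == "authentication" else "hash"] = args[0]
            elif kw in ("group", "lifetime"):
                cur[kw] = int(args[0])
    return sorted(policies, key=lambda p: p["priority"])

def parse_transforms(debug: str) -> list:
    """Collect the attributes the peer offered in each 'Checking ISAKMP transform N' block."""
    transforms, cur = {}, None
    for line in debug.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against", line)
        if m:
            cur = transforms.setdefault(int(m.group(1)), {})
            continue
        m = ATTR_RE.search(line)
        if m is None or cur is None:
            continue
        key, val = m.group(1), m.group(2)
        if key == "encryption":
            cur["encr"] = ENC_NAMES.get(val, val.lower())
        elif key == "hash":
            cur["hash"] = val.lower()
        elif key == "auth":
            cur["auth"] = AUTH_NAMES.get(val, val)
        elif key.startswith("life"):  # "0x0 0x20 0xC4 0x9B" -> big-endian seconds
            cur["lifetime"] = int("".join(b[2:].zfill(2) for b in val.split()), 16)
        else:  # "default group N" or "keylength of N"
            cur["group" if key.startswith("default") else "keylen"] = int(val)
    return [dict(number=n, **attrs) for n, attrs in sorted(transforms.items())]

def match(t: dict, p: dict) -> str:
    """'match', or the first mismatch behind an 'atts are not acceptable' debug line."""
    if t["encr"] != p["encr"]:
        return f"encryption {t['encr']} offered, policy has {p['encr']}"
    if p["encr"] == "aes" and t.get("keylen", 128) != (p["keylen"] or 128):
        return f"AES keylength {t.get('keylen', 128)} offered, policy has {p['keylen'] or 128}"
    for a in ("hash", "group", "auth"):
        if t[a] != p[a]:
            return f"{a} {t[a]} offered, policy has {p[a]}"
    return "match"

def check(debug: str, config: str) -> list:
    """Per transform: (number, priority of the first policy it matches or None, detail).
    Lifetime never rejects; the shorter value wins, which is why the session above got past
    proposal selection although the client offered 2147483 s against the IOS default 86400."""
    results, policies = [], parse_policies(config)
    for t in parse_transforms(debug):
        reasons = []
        for p in policies:
            r = match(t, p)
            if r == "match":
                life = min(t.get("lifetime", p["lifetime"]), p["lifetime"])
                results.append((t["number"], p["priority"], f"negotiated lifetime {life}s"))
                break
            reasons.append(f"policy {p['priority']}: {r}")
        else:
            results.append((t["number"], None, "; ".join(reasons)))
    return results

# Constructed sample in the 1841's debug format: transforms 3 and 5 mirror the excerpt above,
# transform 9 (3DES) is assumed because the excerpt elided it.
P = "*Dec 1 23:39:12.715: ISAKMP:"
def block(n: int, encr: str, auth: str, keylen: int = 0) -> list:
    lines = [f"{P}(0:0:N/A:0):Checking ISAKMP transform {n} against priority 1 policy",
             f"{P}      encryption {encr}", f"{P}      hash SHA", f"{P}      default group 2",
             f"{P}      auth {auth}", f"{P}      life duration (VPI) of  0x0 0x20 0xC4 0x9B"]
    return lines + ([f"{P}      keylength of {keylen}"] if keylen else [])
DEBUG = "\n".join(block(3, "AES-CBC", "pre-share", 256)
                  + [f"{P}(0:0:N/A:0):Encryption algorithm offered does not match policy!"]
                  + block(5, "AES-CBC", "XAUTHInitPreShared", 128)
                  + block(9, "3DES-CBC", "XAUTHInitPreShared"))
# The thread's policy (3DES only), plus an assumed second policy that admits AES-256.
POLICY_3DES = "crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2\n!\n"
POLICY_WITH_AES = POLICY_3DES + "crypto isakmp policy 2\n encr aes 256\n authentication pre-share\n group 2\n!\n"

if __name__ == "__main__":
    for label, cfg in (("3DES only", POLICY_3DES), ("3DES + AES-256", POLICY_WITH_AES)):
        for number, prio, detail in check(DEBUG, cfg):
            print(f"{label}: transform {number} -> {'policy %d' % prio if prio else 'REJECTED'} ({detail})")
```

Run against the posted 3DES-only policy, every AES proposal is refused exactly as the debug shows, while the 3DES proposal matches policy 1 with the lifetime negotiated down to 86400 s. So the "does not match policy" lines above are noise: the router did accept a proposal, moved to IKE_R_AM_AAA_AWAIT and sent its AG_INIT_EXCH reply. What fails is the next aggressive-mode packet arriving unencrypted (%CRYPTO-6-IKMP_NOT_ENCRYPTED), which is past proposal matching and outside what this check covers. Two things worth reading off the posted config while you are there: the crypto map's "client authentication list default" points at "aaa authentication login default local", so XAUTH users are checked against the router's local username database, and only group authorization ("isakmp authorization list sdm_vpn_group_ml_2") goes to RADIUS.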

Hi,

Do you want to authenticate the users on RADIUS or on the VPN group?

CONFIG:

aaa authorization network sdm_vpn_group_ml_2 group radius

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2

Based upon the above configuration, you have configured the router to go to RADIUS for the group name, preshared key, etc. If you only want to authenticate the users via RADIUS and use the VPN group parameters configured on the router, you need to reconfigure the router.

REVISED CONFIG:

aaa authorization network sdm_vpn_group_ml_2 local

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2

And to authenticate the users via RADIUS, configure the router with the below configuration:

aaa authentication login VPNXAUTH group radius

crypto map SDM_CMAP_1 client authentication list VPNXAUTH

Let me know how it goes.

Regards,

Arul

** Please rate all helpful posts **