New Member

AAA authentication : Not configured

I have a Cisco 851, using CCP to configure Easy VPN.

I click on TEST VPN SERVER, then click Start; the status shows successful.

When I tried to connect a client I get mm_no_state.

When I reviewed the report from the test I found:

AAA authentication : Not configured

My AAA:

aaa new-model
!
!
aaa authentication login tgcsusers local
aaa authorization network tgcsvpn local
!
aaa session-id common

I also attached my config.

Any ideas or thoughts?

Need to get my client working.....

Thomas R Grassi Jr
5 ACCEPTED SOLUTIONS

Accepted Solutions

Re: AAA authentication : Not configured

I got connected with the username and password you provided.

Please check the images I uploaded for you.

Goodnight, sleep tight.

Thanks

Rizwan Rafeek

AAA authentication : Not configured

Your VPN is set up for login from the internet; once you have VPN'd in, you will have complete access to your inside network.

As you can see, I was able to ping your inside hosts, as if my computer were physically connected to your inside network.

I am connected now at this very moment to your network.

at 11:37AM EST  Jan 21 2012.

AAA authentication : Not configured

An RDP session looks exactly like you are consoled into a Windows box in front of a monitor.

You can check the log on the router to see who is being authenticated by issuing this: "show log"

To start the RDP console, issue this command from the Run menu on Windows: mstsc

Good luck with your Windows stuff.

Take Care

Thanks

Rizwan Rafeek

Re: AAA authentication : Not configured

I believe it will show with the command below.

show crypto isakmp sa

AAA authentication : Not configured

I guess that information pertains to the Windows box; please do a little research and you may be able to find the proper log entry on the Windows box with the login information.

Please rate any helpful post on this thread.

Thanks

Rizwan Rafeek

24 REPLIES

AAA authentication : Not configured

! your local RADIUS server address
radius-server host 192.168.10.100 key P@ssw0rd

! use the keyword 'local' as a fallback, should the RADIUS server not be available
aaa authentication login your-radius-method group radius local

ip radius source-interface Vlan1

crypto map dynmap client authentication list your-radius-method

Check the Windows log to make sure the authentication request is hitting the Windows RADIUS server.

Thanks

Rizwan Rafeek

New Member

AAA authentication : Not configured

Rizwan

so add this to the AAA

aaa authentication login ??????????? group radius local

then

crypto map dynmap client authentication list ??????????????

ip radius source-interface vlan 1

radius-server host 192.168.69.15 auth-port 1812 acct-port 1812 key mykey

What do I put for the ?????????????????? (your-radius-method)? What is that?

Thanks

Tom

Thomas R Grassi Jr

AAA authentication : Not configured

Just like you created this method before (tgcsusers), you create a new method.

aaa authentication login your-radius-method group radius local
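
The method-list naming described in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tool: it cross-references the list names used by the crypto map against the `aaa` definitions, and also checks for the `local` fallback and the RADIUS server line. The function name `lint` and the finding texts are assumptions made for the example.

```python
import re

# Constructed sample: the AAA, crypto map and RADIUS lines as they appear in
# the configuration posted later in this thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login tgcsusers local
aaa authentication login tgcsradius group radius local
aaa authorization network tgcsvpn local
crypto map dynmap client authentication list tgcsradius
crypto map dynmap isakmp authorization list tgcsvpn
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
radius-server host 192.168.69.15 auth-port 1812 acct-port 1812 key mykey
"""

LOGIN_DEF = re.compile(r"^aaa authentication login (\S+) (.+)$", re.M)
NETWORK_DEF = re.compile(r"^aaa authorization network (\S+) (.+)$", re.M)
LOGIN_REF = re.compile(r"^crypto map (\S+) client authentication list (\S+)$", re.M)
NETWORK_REF = re.compile(r"^crypto map (\S+) isakmp authorization list (\S+)$", re.M)
RADIUS = re.compile(
    r"^radius-server host (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?", re.M)


def lint(config):
    """Return a list of findings about AAA method-list references (hypothetical helper)."""
    config = "\n".join(line.strip() for line in config.splitlines())
    login = {name: methods.split() for name, methods in LOGIN_DEF.findall(config)}
    network = {name for name, _ in NETWORK_DEF.findall(config)}
    servers = RADIUS.findall(config)
    findings = []
    for cmap, name in LOGIN_REF.findall(config):
        methods = login.get(name)
        if methods is None:
            # The crypto map points at a list name that no aaa line creates.
            findings.append(f"crypto map {cmap}: login list '{name}' is not defined")
            continue
        if "radius" in methods and not servers:
            findings.append(f"login list '{name}': no radius-server host configured")
        if "radius" in methods and "local" not in methods:
            findings.append(f"login list '{name}': no local fallback")
    for cmap, name in NETWORK_REF.findall(config):
        if name not in network:
            findings.append(f"crypto map {cmap}: network list '{name}' is not defined")
    for host, auth_port, acct_port in servers:
        # RADIUS accounting normally listens on its own port (1813 alongside 1812).
        if auth_port and auth_port == acct_port:
            findings.append(
                f"radius-server {host}: auth-port and acct-port are both {auth_port}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```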

New Member

AAA authentication : Not configured

I made the changes but no luck.

Here is my current config, with your changes highlighted.

MyRouter#show config
Using 8275 out of 131072 bytes
!
! Last configuration change at 14:28:11 EST Thu Jan 19 2012 by netman
! NVRAM config last updated at 14:38:28 EST Thu Jan 19 2012 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login tgcsusers local
aaa authentication login tgcsradius group radius local
aaa authorization network tgcsvpn local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip inspect name myrules cuseeme
ip inspect name myrules ftp
ip inspect name myrules h323
ip inspect name myrules icmp
ip inspect name myrules rcmd
ip inspect name myrules realaudio
ip inspect name myrules rtsp
ip inspect name myrules sqlnet
ip inspect name myrules streamworks
ip inspect name myrules tftp
ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules vdolive
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01 nvram:IOS-Self-Sig#3302.cer
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username vpn01 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group tgcsvpn
key mykey
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our.network.tgcsnet.com
pool dynpool
acl 105
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
!
crypto map dynmap client authentication list tgcsradius
crypto map dynmap isakmp authorization list tgcsvpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description ** WAN **
ip address 72.88.223.20 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool dynpool 192.168.70.75 192.168.70.80
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
!
ip access-list extended denyDHCP
deny   udp any any eq bootpc
deny   udp any any eq bootps
permit ip any any
!
ip radius source-interface Vlan1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 101 remark CCP_ACL Category=17
access-list 101 permit udp any host 72.88.223.20 eq isakmp
access-list 101 permit ip host 192.168.70.75 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.76 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.77 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.78 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.79 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.80 192.168.69.0 0.0.0.255
access-list 101 permit udp any host 72.88.223.20 eq non500-isakmp
access-list 101 permit udp any host 72.88.223.20
access-list 101 permit esp any host 72.88.223.20
access-list 101 permit ahp any host 72.88.223.20
access-list 101 remark ** Block Telnet **
access-list 101 deny   tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 remark ** Permit Exchange Related Traffic **
access-list 101 permit tcp any host 72.88.223.20 eq smtp
access-list 101 permit tcp any host 72.88.223.20 eq www
access-list 101 permit tcp any host 72.88.223.20 eq 443
access-list 101 permit udp any host 72.88.223.20 eq ntp
access-list 101 deny   ip any host 72.88.223.20
access-list 101 remark ** Permit all other traffice **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 remark ** Deny netbios from internet **
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 105 remark ** VPN Traffic **
access-list 105 permit ip 192.168.69.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=16
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.75
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.76
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.77
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.78
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.79
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.80
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
access-list 110 deny   ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255
snmp-server community mycisco01 RO
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 110
!
radius-server host 192.168.69.15 auth-port 1812 acct-port 1812 key mykey
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175151
ntp server 141.165.5.137
end

MyRouter#

New debug log. I highlighted some areas I think are a problem; this is all new to me.

Jan 19 19:36:39.290: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.290: ISAKMP:      life type in seconds
Jan 19 19:36:39.290: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.290: ISAKMP:      keylength of 128
Jan 19 19:36:39.290: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 19 19:36:39.290: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.290: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 p
olicy
Jan 19 19:36:39.290: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.290: ISAKMP:      hash SHA
Jan 19 19:36:39.290: ISAKMP:      default group 2
Jan 19 19:36:39.290: ISAKMP:      auth pre-share
Jan 19 19:36:39.290: ISAKMP:      life type in seconds
Jan 19 19:36:39.290: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.290: ISAKMP:      keylength of 128
Jan 19 19:36:39.290: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 19 19:36:39.290: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.294: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 p
olicy
Jan 19 19:36:39.294: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.294: ISAKMP:      hash MD5
Jan 19 19:36:39.294: ISAKMP:      default group 2
Jan 19 19:36:39.294: ISAKMP:      auth pre-share
Jan 19 19:36:39.294: ISAKMP:      life type in seconds
Jan 19 19:36:39.294: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.294: ISAKMP:      keylength of 128
Jan 19 19:36:39.294: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.294: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.294: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 p
olicy
Jan 19 19:36:39.294: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.294: ISAKMP:      hash SHA
Jan 19 19:36:39.294: ISAKMP:      default group 2
Jan 19 19:36:39.294: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.294: ISAKMP:      life type in seconds
Jan 19 19:36:39.294: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.294: ISAKMP:(0):Xauth authentication by pre-shared key offered b
ut does not match policy!
Jan 19 19:36:39.294: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.294: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1
policy
Jan 19 19:36:39.294: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.294: ISAKMP:      hash MD5
Jan 19 19:36:39.294: ISAKMP:      default group 2
Jan 19 19:36:39.294: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.294: ISAKMP:      life type in seconds
Jan 19 19:36:39.294: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.294: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 19 19:36:39.294: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.294: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1
policy
Jan 19 19:36:39.294: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.294: ISAKMP:      hash SHA
Jan 19 19:36:39.294: ISAKMP:      default group 2
Jan 19 19:36:39.294: ISAKMP:      auth pre-share
Jan 19 19:36:39.294: ISAKMP:      life type in seconds
Jan 19 19:36:39.294: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.294: ISAKMP:(0):Preshared authentication offered but does not ma
tch policy!
Jan 19 19:36:39.294: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.298: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1
policy
Jan 19 19:36:39.298: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.298: ISAKMP:      hash MD5
Jan 19 19:36:39.298: ISAKMP:      default group 2
Jan 19 19:36:39.298: ISAKMP:      auth pre-share
Jan 19 19:36:39.298: ISAKMP:      life type in seconds
Jan 19 19:36:39.298: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.298: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 19 19:36:39.298: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.298: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1
policy
Jan 19 19:36:39.298: ISAKMP:      encryption DES-CBC
Jan 19 19:36:39.298: ISAKMP:      hash MD5
Jan 19 19:36:39.298: ISAKMP:      default group 2
Jan 19 19:36:39.298: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.298: ISAKMP:      life type in seconds
Jan 19 19:36:39.298: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.298: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.298: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.298: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1
policy
Jan 19 19:36:39.298: ISAKMP:      encryption DES-CBC
Jan 19 19:36:39.298: ISAKMP:      hash MD5
Jan 19 19:36:39.298: ISAKMP:      default group 2
Jan 19 19:36:39.298: ISAKMP:      auth pre-share
Jan 19 19:36:39.298: ISAKMP:      life type in seconds
Jan 19 19:36:39.298: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.298: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.298: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 19 19:36:39.298: ISAKMP:(0):Checking ISAKMP transform 1 against priority 655
35 policy
Jan 19 19:36:39.298: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.298: ISAKMP:      hash SHA
Jan 19 19:36:39.298: ISAKMP:      default group 2
Jan 19 19:36:39.298: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.298: ISAKMP:      life type in seconds
Jan 19 19:36:39.298: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.298: ISAKMP:      keylength of 256
Jan 19 19:36:39.298: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.298: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.302: ISAKMP:(0):Checking ISAKMP transform 2 against priority 655
35 policy
Jan 19 19:36:39.302: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.302: ISAKMP:      hash MD5
Jan 19 19:36:39.302: ISAKMP:      default group 2
Jan 19 19:36:39.302: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.302: ISAKMP:      life type in seconds
Jan 19 19:36:39.302: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.302: ISAKMP:      keylength of 256
Jan 19 19:36:39.302: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.302: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.302: ISAKMP:(0):Checking ISAKMP transform 3 against priority 655
35 policy
Jan 19 19:36:39.302: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.302: ISAKMP:      hash SHA
Jan 19 19:36:39.302: ISAKMP:      default group 2
Jan 19 19:36:39.302: ISAKMP:      auth pre-share
Jan 19 19:36:39.302: ISAKMP:      life type in seconds
Jan 19 19:36:39.302: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.302: ISAKMP:      keylength of 256
Jan 19 19:36:39.302: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.302: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.302: ISAKMP:(0):Checking ISAKMP transform 4 against priority 655
35 policy
Jan 19 19:36:39.302: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.302: ISAKMP:      hash MD5
Jan 19 19:36:39.302: ISAKMP:      default group 2
Jan 19 19:36:39.302: ISAKMP:      auth pre-share
Jan 19 19:36:39.302: ISAKMP:      life type in seconds
Jan 19 19:36:39.302: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.302: ISAKMP:      keylength of 256
Jan 19 19:36:39.302: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.302: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.302: ISAKMP:(0):Checking ISAKMP transform 5 against priority 655
35 policy
Jan 19 19:36:39.302: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.302: ISAKMP:      hash SHA
Jan 19 19:36:39.302: ISAKMP:      default group 2
Jan 19 19:36:39.302: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.302: ISAKMP:      life type in seconds
Jan 19 19:36:39.302: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.302: ISAKMP:      keylength of 128
Jan 19 19:36:39.302: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.302: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.302: ISAKMP:(0):Checking ISAKMP transform 6 against priority 655
35 policy
Jan 19 19:36:39.306: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.306: ISAKMP:      hash MD5
Jan 19 19:36:39.306: ISAKMP:      default group 2
Jan 19 19:36:39.306: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.306: ISAKMP:      life type in seconds
Jan 19 19:36:39.306: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.306: ISAKMP:      keylength of 128
Jan 19 19:36:39.306: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.306: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.306: ISAKMP:(0):Checking ISAKMP transform 7 against priority 655
35 policy
Jan 19 19:36:39.306: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.306: ISAKMP:      hash SHA
Jan 19 19:36:39.306: ISAKMP:      default group 2
Jan 19 19:36:39.306: ISAKMP:      auth pre-share
Jan 19 19:36:39.306: ISAKMP:      life type in seconds
Jan 19 19:36:39.306: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.306: ISAKMP:      keylength of 128
Jan 19 19:36:39.306: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.306: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.306: ISAKMP:(0):Checking ISAKMP transform 8 against priority 655
35 policy
Jan 19 19:36:39.306: ISAKMP:      encryption AES-CBC
Jan 19 19:36:39.306: ISAKMP:      hash MD5
Jan 19 19:36:39.306: ISAKMP:      default group 2
Jan 19 19:36:39.306: ISAKMP:      auth pre-share
Jan 19 19:36:39.306: ISAKMP:      life type in seconds
Jan 19 19:36:39.306: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.306: ISAKMP:      keylength of 128
Jan 19 19:36:39.306: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.306: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.306: ISAKMP:(0):Checking ISAKMP transform 9 against priority 655
35 policy
Jan 19 19:36:39.306: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.306: ISAKMP:      hash SHA
Jan 19 19:36:39.306: ISAKMP:      default group 2
Jan 19 19:36:39.306: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.306: ISAKMP:      life type in seconds
Jan 19 19:36:39.306: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.306: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.306: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.306: ISAKMP:(0):Checking ISAKMP transform 10 against priority 65
535 policy
Jan 19 19:36:39.306: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.306: ISAKMP:      hash MD5
Jan 19 19:36:39.310: ISAKMP:      default group 2
Jan 19 19:36:39.310: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.310: ISAKMP:      life type in seconds
Jan 19 19:36:39.310: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.310: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.310: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.310: ISAKMP:(0):Checking ISAKMP transform 11 against priority 65
535 policy
Jan 19 19:36:39.310: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.310: ISAKMP:      hash SHA
Jan 19 19:36:39.310: ISAKMP:      default group 2
Jan 19 19:36:39.310: ISAKMP:      auth pre-share
Jan 19 19:36:39.310: ISAKMP:      life type in seconds
Jan 19 19:36:39.310: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.310: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.310: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.310: ISAKMP:(0):Checking ISAKMP transform 12 against priority 65
535 policy
Jan 19 19:36:39.310: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.310: ISAKMP:      hash MD5
Jan 19 19:36:39.310: ISAKMP:      default group 2
Jan 19 19:36:39.310: ISAKMP:      auth pre-share
Jan 19 19:36:39.310: ISAKMP:      life type in seconds
Jan 19 19:36:39.310: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.310: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.310: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.310: ISAKMP:(0):Checking ISAKMP transform 13 against priority 65
535 policy
Jan 19 19:36:39.310: ISAKMP:      encryption DES-CBC
Jan 19 19:36:39.310: ISAKMP:      hash MD5
Jan 19 19:36:39.310: ISAKMP:      default group 2
Jan 19 19:36:39.310: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.310: ISAKMP:      life type in seconds
Jan 19 19:36:39.310: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.310: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 19 19:36:39.310: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 19 19:36:39.310: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65
535 policy
Jan 19 19:36:39.310: ISAKMP:      encryption DES-CBC
Jan 19 19:36:39.310: ISAKMP:      hash MD5
Jan 19 19:36:39.314: ISAKMP:      default group 2
Jan 19 19:36:39.314: ISAKMP:      auth pre-share
Jan 19 19:36:39.314: ISAKMP:      life type in seconds
Jan 19 19:36:39.314: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 19 19:36:39.314: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 19 19:36:39.314: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 19 19:36:39.314: ISAKMP:(0):no offers accepted!
Jan 19 19:36:39.314: ISAKMP:(0): phase 1 SA policy not acceptable! (local 72.88.
223.20 remote 192.168.69.101)
Jan 19 19:36:39.314: ISAKMP (0:0): incrementing error counter on sa, attempt 1 o
f 5: construct_fail_ag_init
Jan 19 19:36:39.314: ISAKMP:(0): sending packet to 192.168.69.101 my_port 500 pe
er_port 500 (R) AG_NO_STATE
Jan 19 19:36:39.314: ISAKMP:(0):peer does not do paranoid keepalives.

Jan 19 19:36:39.314: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal no
t accepted" state (R) AG_NO_STATE (peer 192.168.69.101)
Jan 19 19:36:39.314: ISAKMP:(0): processing KE payload. message ID = 0
Jan 19 19:36:39.314: ISAKMP:(0): group size changed! Should be 0, is 128
Jan 19 19:36:39.314: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH
:  state = IKE_READY
Jan 19 19:36:39.314: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jan 19 19:36:39.314: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

Jan 19 19:36:39.314: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode
failed with peer at 192.168.69.101
Jan 19 19:36:39.318: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal no
t accepted" state (R) AG_NO_STATE (peer 192.168.69.101)
Jan 19 19:36:39.318: ISAKMP: Unlocking peer struct 0x822B57E0 for isadb_mark_sa_
deleted(), count 0
Jan 19 19:36:39.318: ISAKMP: Deleting peer node by peer_reap for 192.168.69.101:
822B57E0
Jan 19 19:36:39.318: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 19 19:36:39.318: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

Jan 19 19:36:39.318: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 19 19:36:44.332: ISAKMP (0:0): received packet from 192.168.69.101 dport 500
sport 500 Global (R) MM_NO_STATE
Jan 19 19:36:49.403: ISAKMP (0:0): received packet from 192.168.69.101 dport 500
sport 500 Global (R) MM_NO_STATE
Jan 19 19:36:54.473: ISAKMP (0:0): received packet from 192.168.69.101 dport 500
sport 500 Global (R) MM_NO_STATE


IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
72.88.223.20    192.168.69.101  MM_NO_STATE          0    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

MyRouter#un all
All possible debugging has been turned off
MyRouter#

You can see MM_NO_STATE still.

Any ideas?

Thomas R Grassi Jr
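
A debug capture like the one in the post above is easier to read once each offered transform is reduced to one line with its rejection reason. The following is an added example, not part of the original thread: it rejoins the 80-column wrapped lines, groups the output per `Checking ISAKMP transform` block, and lists the offers that matched furthest against a given policy. The function names and the `STAGE` ordering are assumptions made for the example.

```python
import re
from collections import Counter

WIDTH = 80  # terminal width at which the capture was wrapped
TS = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: ")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
REJECT = re.compile(r"ISAKMP:\(\d+\):(.+?) offered\b")
# Order in which this log reports mismatches (assumption inferred from the
# capture itself, not taken from Cisco documentation).
STAGE = {"Encryption algorithm": 0, "Hash algorithm": 1,
         "Preshared authentication": 2,
         "Xauth authentication by pre-shared key": 2}

# Excerpt of the debug output posted above (life type/duration and group
# lines dropped), with the original line wrapping kept.
SAMPLE = """\
Jan 19 19:36:39.294: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 p
olicy
Jan 19 19:36:39.294: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.294: ISAKMP:      hash SHA
Jan 19 19:36:39.294: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.294: ISAKMP:(0):Xauth authentication by pre-shared key offered b
ut does not match policy!
Jan 19 19:36:39.294: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1
policy
Jan 19 19:36:39.294: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.294: ISAKMP:      hash MD5
Jan 19 19:36:39.294: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.294: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 19 19:36:39.294: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1
policy
Jan 19 19:36:39.294: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.294: ISAKMP:      hash SHA
Jan 19 19:36:39.294: ISAKMP:      auth pre-share
Jan 19 19:36:39.294: ISAKMP:(0):Preshared authentication offered but does not ma
tch policy!
Jan 19 19:36:39.306: ISAKMP:(0):Checking ISAKMP transform 9 against priority 655
35 policy
Jan 19 19:36:39.306: ISAKMP:      encryption 3DES-CBC
Jan 19 19:36:39.306: ISAKMP:      hash SHA
Jan 19 19:36:39.306: ISAKMP:      auth XAUTHInitPreShared
Jan 19 19:36:39.306: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 19 19:36:39.314: ISAKMP:(0):no offers accepted!
"""

def unwrap(text):
    """Rejoin messages that the terminal split across two lines."""
    records, prev_len = [], 0
    for raw in text.splitlines():
        line = raw.rstrip()
        if TS.match(line):
            records.append(line)
        elif line and records and prev_len >= WIDTH - 1:
            # A 79-character line lost the space that sat in column 80.
            records[-1] += ("" if prev_len >= WIDTH else " ") + line
        prev_len = len(line)
    return records

def parse_proposals(text):
    """One dict per 'Checking ISAKMP transform' block: attributes and reason."""
    proposals, current = [], None
    for rec in unwrap(text):
        m = CHECK.search(rec)
        if m:
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "attrs": {}, "reason": None}
            proposals.append(current)
        elif current is not None and ATTR.search(rec):
            key, value = ATTR.search(rec).groups()
            current["attrs"][key] = value
        elif current is not None and REJECT.search(rec):
            current["reason"] = REJECT.search(rec).group(1)
    return proposals

def reason_counts(proposals, priority):
    return Counter(p["reason"] for p in proposals if p["priority"] == priority)

def closest_offers(proposals, priority):
    """Offers that got furthest through the comparison for one policy."""
    mine = [p for p in proposals
            if p["priority"] == priority and p["reason"] in STAGE]
    best = max((STAGE[p["reason"]] for p in mine), default=None)
    return [p for p in mine if STAGE[p["reason"]] == best]

def negotiation_failed(text):
    return any("no offers accepted!" in rec for rec in unwrap(text))

if __name__ == "__main__":
    for p in closest_offers(parse_proposals(SAMPLE), priority=1):
        print(p["transform"], p["attrs"], "->", p["reason"])
    print("phase 1 failed:", negotiation_failed(SAMPLE))
```

Run against the full capture, `closest_offers(..., priority=1)` narrows the rejected transforms down to the ones that differ from the configured policy only in the authentication attribute.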

AAA authentication : Not configured

Can you remove this line below from your config and try it.

no crypto isakmp client configuration address-pool local dynpool

New Member

Re: AAA authentication : Not configured

I removed that line

Same results

Here is my current running config, and below it the debug.

! Last configuration change at 02:52:13 EST Fri Jan 20 2012 by netman
! NVRAM config last updated at 14:38:28 EST Thu Jan 19 2012 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$ugk2$8duXZZ2K76qdM/H4ktMNI/
!
aaa new-model
!
!
aaa authentication login tgcsusers local
aaa authentication login tgcsradius group radius local
aaa authorization network tgcsvpn local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip inspect name myrules cuseeme
ip inspect name myrules ftp
ip inspect name myrules h323
ip inspect name myrules icmp
ip inspect name myrules rcmd
ip inspect name myrules realaudio
ip inspect name myrules rtsp
ip inspect name myrules sqlnet
ip inspect name myrules streamworks
ip inspect name myrules tftp
ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules vdolive
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01
  quit
username netman privilege 15 secret 5 xxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxx
username vpn01 secret 5 xxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group tgcsvpn
key mykey
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our.network.tgcsnet.com
pool dynpool
acl 105
netmask 255.255.255.0
!
!
NO crypto isakmp client configuration address-pool local dynpool
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
!
crypto map dynmap client authentication list tgcsradius
crypto map dynmap isakmp authorization list tgcsvpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description ** WAN **
ip address 72.88.223.20 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool dynpool 192.168.70.75 192.168.70.80
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
!
ip access-list extended denyDHCP
deny   udp any any eq bootpc
deny   udp any any eq bootps
permit ip any any
!
ip radius source-interface Vlan1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 101 remark CCP_ACL Category=17
access-list 101 permit udp any host 72.88.223.20 eq isakmp
access-list 101 permit ip host 192.168.70.75 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.76 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.77 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.78 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.79 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.80 192.168.69.0 0.0.0.255
access-list 101 permit udp any host 72.88.223.20 eq non500-isakmp
access-list 101 permit udp any host 72.88.223.20
access-list 101 permit esp any host 72.88.223.20
access-list 101 permit ahp any host 72.88.223.20
access-list 101 remark ** Block Telnet **
access-list 101 deny   tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 remark ** Permit Exchange Related Traffic **
access-list 101 permit tcp any host 72.88.223.20 eq smtp
access-list 101 permit tcp any host 72.88.223.20 eq www
access-list 101 permit tcp any host 72.88.223.20 eq 443
access-list 101 permit udp any host 72.88.223.20 eq ntp
access-list 101 deny   ip any host 72.88.223.20
access-list 101 remark ** Permit all other traffice **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 remark ** Deny netbios from internet **
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 105 remark ** VPN Traffic **
access-list 105 permit ip 192.168.69.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=16
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.75
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.76
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.77
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.78
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.79
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.80
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
access-list 110 deny   ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255
snmp-server community mycisco01 RO
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 110
!
radius-server host 192.168.69.15 auth-port 1812 acct-port 1812 key mykey
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175119
ntp server 141.165.5.137
end

MyRouter#

Jan 20 14:12:00.247: ISAKMP:      hash MD5
Jan 20 14:12:00.247: ISAKMP:      default group 2
Jan 20 14:12:00.247: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.247: ISAKMP:      life type in seconds
Jan 20 14:12:00.247: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.247: ISAKMP:      keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.247: ISAKMP:      hash SHA
Jan 20 14:12:00.247: ISAKMP:      default group 2
Jan 20 14:12:00.247: ISAKMP:      auth pre-share
Jan 20 14:12:00.247: ISAKMP:      life type in seconds
Jan 20 14:12:00.247: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.247: ISAKMP:      keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.247: ISAKMP:      hash MD5
Jan 20 14:12:00.247: ISAKMP:      default group 2
Jan 20 14:12:00.247: ISAKMP:      auth pre-share
Jan 20 14:12:00.247: ISAKMP:      life type in seconds
Jan 20 14:12:00.247: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.247: ISAKMP:      keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.247: ISAKMP:      hash SHA
Jan 20 14:12:00.247: ISAKMP:      default group 2
Jan 20 14:12:00.247: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.247: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash MD5
Jan 20 14:12:00.251: ISAKMP:      default group 2
Jan 20 14:12:00.251: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.251: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash SHA
Jan 20 14:12:00.251: ISAKMP:      default group 2
Jan 20 14:12:00.251: ISAKMP:      auth pre-share
Jan 20 14:12:00.251: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash MD5
Jan 20 14:12:00.251: ISAKMP:      default group 2
Jan 20 14:12:00.251: ISAKMP:      auth pre-share
Jan 20 14:12:00.251: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash MD5
Jan 20 14:12:00.251: ISAKMP:      default group 2
Jan 20 14:12:00.251: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.251: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
Jan 20 14:12:00.255: ISAKMP:      encryption DES-CBC
Jan 20 14:12:00.255: ISAKMP:      hash MD5
Jan 20 14:12:00.255: ISAKMP:      default group 2
Jan 20 14:12:00.255: ISAKMP:      auth pre-share
Jan 20 14:12:00.255: ISAKMP:      life type in seconds
Jan 20 14:12:00.255: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jan 20 14:12:00.255: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP:      hash SHA
Jan 20 14:12:00.255: ISAKMP:      default group 2
Jan 20 14:12:00.255: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.255: ISAKMP:      life type in seconds
Jan 20 14:12:00.255: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP:      keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65535 policy
Jan 20 14:12:00.255: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP:      hash MD5
Jan 20 14:12:00.255: ISAKMP:      default group 2
Jan 20 14:12:00.255: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.255: ISAKMP:      life type in seconds
Jan 20 14:12:00.255: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP:      keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 3 against priority 65535 policy
Jan 20 14:12:00.255: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP:      hash SHA
Jan 20 14:12:00.255: ISAKMP:      default group 2
Jan 20 14:12:00.255: ISAKMP:      auth pre-share
Jan 20 14:12:00.255: ISAKMP:      life type in seconds
Jan 20 14:12:00.255: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP:      keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 4 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP:      hash MD5
Jan 20 14:12:00.259: ISAKMP:      default group 2
Jan 20 14:12:00.259: ISAKMP:      auth pre-share
Jan 20 14:12:00.259: ISAKMP:      life type in seconds
Jan 20 14:12:00.259: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP:      keylength of 256
Jan 20 14:12:00.259: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.259: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.259: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP:      hash SHA
Jan 20 14:12:00.259: ISAKMP:      default group 2
Jan 20 14:12:00.259: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.259: ISAKMP:      life type in seconds
Jan 20 14:12:00.259: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP:      keylength of 128
Jan 20 14:12:00.259: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.259: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.259: ISAKMP:(0):Checking ISAKMP transform 6 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP:      hash MD5
Jan 20 14:12:00.259: ISAKMP:      default group 2
Jan 20 14:12:00.259: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.259: ISAKMP:      life type in seconds
Jan 20 14:12:00.259: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP:      keylength of 128
Jan 20 14:12:00.259: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.259: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.259: ISAKMP:(0):Checking ISAKMP transform 7 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP:      hash SHA
Jan 20 14:12:00.259: ISAKMP:      default group 2
Jan 20 14:12:00.259: ISAKMP:      auth pre-share
Jan 20 14:12:00.259: ISAKMP:      life type in seconds
Jan 20 14:12:00.259: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP:      keylength of 128
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 8 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.263: ISAKMP:      hash MD5
Jan 20 14:12:00.263: ISAKMP:      default group 2
Jan 20 14:12:00.263: ISAKMP:      auth pre-share
Jan 20 14:12:00.263: ISAKMP:      life type in seconds
Jan 20 14:12:00.263: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:      keylength of 128
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 9 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.263: ISAKMP:      hash SHA
Jan 20 14:12:00.263: ISAKMP:      default group 2
Jan 20 14:12:00.263: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.263: ISAKMP:      life type in seconds
Jan 20 14:12:00.263: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 10 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.263: ISAKMP:      hash MD5
Jan 20 14:12:00.263: ISAKMP:      default group 2
Jan 20 14:12:00.263: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.263: ISAKMP:      life type in seconds
Jan 20 14:12:00.263: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 11 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.263: ISAKMP:      hash SHA
Jan 20 14:12:00.263: ISAKMP:      default group 2
Jan 20 14:12:00.263: ISAKMP:      auth pre-share
Jan 20 14:12:00.263: ISAKMP:      life type in seconds
Jan 20 14:12:00.263: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 12 against priority 65535 policy
Jan 20 14:12:00.267: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.267: ISAKMP:      hash MD5
Jan 20 14:12:00.267: ISAKMP:      default group 2
Jan 20 14:12:00.267: ISAKMP:      auth pre-share
Jan 20 14:12:00.267: ISAKMP:      life type in seconds
Jan 20 14:12:00.267: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.267: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.267: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.267: ISAKMP:(0):Checking ISAKMP transform 13 against priority 65535 policy
Jan 20 14:12:00.267: ISAKMP:      encryption DES-CBC
Jan 20 14:12:00.267: ISAKMP:      hash MD5
Jan 20 14:12:00.267: ISAKMP:      default group 2
Jan 20 14:12:00.267: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.267: ISAKMP:      life type in seconds
Jan 20 14:12:00.267: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.267: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.267: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.267: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65535 policy
Jan 20 14:12:00.267: ISAKMP:      encryption DES-CBC
Jan 20 14:12:00.267: ISAKMP:      hash MD5
Jan 20 14:12:00.267: ISAKMP:      default group 2
Jan 20 14:12:00.267: ISAKMP:      auth pre-share
Jan 20 14:12:00.267: ISAKMP:      life type in seconds
Jan 20 14:12:00.267: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.267: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.267: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 20 14:12:00.267: ISAKMP:(0):no offers accepted!
Jan 20 14:12:00.267: ISAKMP:(0): phase 1 SA policy not acceptable! (local 72.88.223.20 remote 192.168.69.101)
Jan 20 14:12:00.267: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 20 14:12:00.267: ISAKMP:(0): sending packet to 192.168.69.101 my_port 500 peer_port 61527 (R) AG_NO_STATE
Jan 20 14:12:00.267: ISAKMP:(0):peer does not do paranoid keepalives.

Jan 20 14:12:00.267: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.69.101)
Jan 20 14:12:00.271: ISAKMP:(0): processing KE payload. message ID = 0
Jan 20 14:12:00.271: ISAKMP:(0): group size changed! Should be 0, is 128
Jan 20 14:12:00.271: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
Jan 20 14:12:00.271: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jan 20 14:12:00.271: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

Jan 20 14:12:00.271: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.69.101
Jan 20 14:12:00.271: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.69.101)
Jan 20 14:12:00.271: ISAKMP: Unlocking peer struct 0x822B57E0 for isadb_mark_sa_deleted(), count 0
Jan 20 14:12:00.271: ISAKMP: Deleting peer node by peer_reap for 192.168.69.101: 822B57E0
Jan 20 14:12:00.271: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 20 14:12:00.271: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

Jan 20 14:12:00.271: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 20 14:12:05.382: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 61527 Global (R) MM_NO_STATE
Jan 20 14:12:10.456: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 61527 Global (R) MM_NO_STATE
Jan 20 14:12:15.523: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 61527 Global (R) MM_NO_STATE
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
72.88.223.20    192.168.69.101  MM_NO_STATE          0    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

MyRouter#

Thomas R Grassi Jr

AAA authentication : Not configured

The debug output you posted earlier shows that the phase 1 policy does not match what the client is offering, so please create an extra phase 1 policy as shown below.

crypto isakmp policy 2

authentication pre-share

encryption aes

hash sha

group 2

Also, please remove the highlighted command below and make the BVI1 interface the source-interface instead, which is the routed port.

no ip radius source-interface vlan 1

ip radius source-interface BVI1

Do the RADIUS server logs show that the request for authentication is coming to the server at 192.168.69.15?
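
The proposal matching visible in the debug output above, as an added example that is not part of the original posts: a small Python parser that rejoins the 80-column wrapped lines and tabulates, per local ISAKMP policy priority, the mismatch the router reported for each offered transform. The function names are hypothetical and the sample lines are a shortened, constructed excerpt in the format of the thread's `debug crypto isakmp` output.

```python
import re
from collections import Counter

# Constructed sample in the format of the "debug crypto isakmp" output in this
# thread, shortened and keeping its 80-column terminal wraps ("poli" / "cy!").
SAMPLE = """\
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 p
olicy
Jan 20 14:12:00.247: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.247: ISAKMP:      keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 p
olicy
Jan 20 14:12:00.247: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.247: ISAKMP:      hash SHA
Jan 20 14:12:00.247: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.251: ISAKMP:(0):Xauth authentication by pre-shared key offered b
ut does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1
policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash MD5
Jan 20 14:12:00.251: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1
policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash SHA
Jan 20 14:12:00.251: ISAKMP:      auth pre-share
Jan 20 14:12:00.251: ISAKMP:(0):Preshared authentication offered but does not ma
tch policy!
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 1 against priority 655
35 policy
Jan 20 14:12:00.255: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP:      keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Jan 20 14:12:00.267: ISAKMP:(0):no offers accepted!
"""

TS = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: ")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority\s*(\d+)\s*policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength) (?:of )?(\S+)")
REASON = re.compile(r"ISAKMP:\(\d+\):\s*(.+?) offered(?: but)? does not match policy!")


def unwrap(text, width=80):
    """Rejoin messages that a width-column terminal split across two lines."""
    lines, prev_len = [], 0
    for raw in text.splitlines():
        if lines and not TS.match(raw) and prev_len >= width - 1:
            lines[-1] += raw  # no timestamp after a full-width line: continuation
        else:
            lines.append(raw)
        prev_len = len(raw)
    return lines


def parse_offers(text):
    """Return one dict per 'Checking ISAKMP transform N against priority P'."""
    offers, cur = [], None
    for line in unwrap(text):
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m[1]), "priority": int(m[2]),
                   "attrs": {}, "reason": None}
            offers.append(cur)
        elif cur is not None:
            a, r = ATTR.search(line), REASON.search(line)
            if a:
                cur["attrs"][a[1]] = a[2]
            elif r:
                cur["reason"] = r[1]  # the single mismatch the router logged
    return offers


def reasons_by_policy(offers):
    """Map local policy priority -> Counter of reported mismatch reasons."""
    table = {}
    for o in offers:
        table.setdefault(o["priority"], Counter())[o["reason"]] += 1
    return table


def auth_rejects(offers):
    """Offers whose logged mismatch is the authentication method."""
    return [o for o in offers if o["reason"] and "authentication" in o["reason"]]


if __name__ == "__main__":
    parsed = parse_offers(SAMPLE)
    for prio, counts in sorted(reasons_by_policy(parsed).items()):
        print(f"policy {prio}: {dict(counts)}")
    for o in auth_rejects(parsed):
        print("auth mismatch:", o["transform"], o["priority"], o["attrs"])
```

Run against a full capture, the transforms returned by `auth_rejects` are the ones for which the router logged an authentication mismatch rather than an encryption or hash mismatch.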

New Member

AAA authentication : Not configured

The server 192.168.69.15 shows no activity. I believe it is not even getting that far yet. Do you know the name of the log file?

here is the current running and new debug after changes

I entered hash sha but it does not show in the config. Is that one of those that just gets set? How can you know if it was entered?

The client is using no certificates. Group Authentication is tgcsvpn mykey

Transport enable transparent tunneling is checked and IPSEC over UDP (NAT / PAT ) is selected

Tried IPSEC over TCP using port 10000, same results

Antivirus is off on on no effect use Kaspersky internetsuite

Here is the current running and new debug after changes. Looks like hash is the first to fail but still see encryption failing

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$ugk2$8duXZZ2K76qdM/H4ktMNI/
!
aaa new-model
!
!
aaa authentication login tgcsusers local
aaa authentication login tgcsradius group radius local
aaa authorization network tgcsvpn local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip inspect name myrules cuseeme
ip inspect name myrules ftp
ip inspect name myrules h323
ip inspect name myrules icmp
ip inspect name myrules rcmd
ip inspect name myrules realaudio
ip inspect name myrules rtsp
ip inspect name myrules sqlnet
ip inspect name myrules streamworks
ip inspect name myrules tftp
ip inspect name myrules tcp
ip inspect name myrules udp
ip inspect name myrules vdolive
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01
  quit
username netman privilege 15 secret 5 xxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxx
username vpn01 secret 5 xxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group tgcsvpn
key mykey

dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our.network.tgcsnet.com
pool dynpool
acl 105
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
!
crypto map dynmap client authentication list tgcsradius
crypto map dynmap isakmp authorization list tgcsvpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description ** WAN **
ip address 72.88.223.20 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool dynpool 192.168.70.75 192.168.70.80
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
!
ip access-list extended denyDHCP
deny   udp any any eq bootpc
deny   udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 101 remark CCP_ACL Category=17
access-list 101 permit udp any host 72.88.223.20 eq isakmp
access-list 101 permit ip host 192.168.70.75 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.76 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.77 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.78 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.79 192.168.69.0 0.0.0.255
access-list 101 permit ip host 192.168.70.80 192.168.69.0 0.0.0.255
access-list 101 permit udp any host 72.88.223.20 eq non500-isakmp
access-list 101 permit udp any host 72.88.223.20
access-list 101 permit esp any host 72.88.223.20
access-list 101 permit ahp any host 72.88.223.20
access-list 101 remark ** Block Telnet **
access-list 101 deny   tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 remark ** Permit Exchange Related Traffic **
access-list 101 permit tcp any host 72.88.223.20 eq smtp
access-list 101 permit tcp any host 72.88.223.20 eq www
access-list 101 permit tcp any host 72.88.223.20 eq 443
access-list 101 permit udp any host 72.88.223.20 eq ntp
access-list 101 deny   ip any host 72.88.223.20
access-list 101 remark ** Permit all other traffice **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 remark ** Deny netbios from internet **
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 105 remark ** VPN Traffic **
access-list 105 permit ip 192.168.69.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=16
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.75
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.76
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.77
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.78
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.79
access-list 110 deny   ip 192.168.69.0 0.0.0.255 host 192.168.70.80
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
access-list 110 deny   ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255
snmp-server community mycisco01 RO
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 110
!
radius-server host 192.168.69.15 auth-port 1812 acct-port 1812 key mykey
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175146
ntp server 141.165.5.137
end

MyRouter#

Jan 20 16:21:46.241: ISAKMP:      hash MD5
Jan 20 16:21:46.241: ISAKMP:      default group 2
Jan 20 16:21:46.241: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.241: ISAKMP:      life type in seconds
Jan 20 16:21:46.241: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.241: ISAKMP:      keylength of 128
Jan 20 16:21:46.241: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 16:21:46.241: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.241: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
Jan 20 16:21:46.241: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.241: ISAKMP:      hash SHA
Jan 20 16:21:46.241: ISAKMP:      default group 2
Jan 20 16:21:46.241: ISAKMP:      auth pre-share
Jan 20 16:21:46.241: ISAKMP:      life type in seconds
Jan 20 16:21:46.241: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.241: ISAKMP:      keylength of 128
Jan 20 16:21:46.241: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jan 20 16:21:46.241: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.241: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
Jan 20 16:21:46.241: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.241: ISAKMP:      hash MD5
Jan 20 16:21:46.241: ISAKMP:      default group 2
Jan 20 16:21:46.241: ISAKMP:      auth pre-share
Jan 20 16:21:46.241: ISAKMP:      life type in seconds
Jan 20 16:21:46.241: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.241: ISAKMP:      keylength of 128
Jan 20 16:21:46.241: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 16:21:46.241: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.241: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
Jan 20 16:21:46.241: ISAKMP:      encryption 3DES-CBC
Jan 20 16:21:46.241: ISAKMP:      hash SHA
Jan 20 16:21:46.241: ISAKMP:      default group 2
Jan 20 16:21:46.241: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.241: ISAKMP:      life type in seconds
Jan 20 16:21:46.241: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.241: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.241: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.241: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
Jan 20 16:21:46.245: ISAKMP:      encryption 3DES-CBC
Jan 20 16:21:46.245: ISAKMP:      hash MD5
Jan 20 16:21:46.245: ISAKMP:      default group 2
Jan 20 16:21:46.245: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.245: ISAKMP:      life type in seconds
Jan 20 16:21:46.245: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.245: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.245: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.245: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
Jan 20 16:21:46.245: ISAKMP:      encryption 3DES-CBC
Jan 20 16:21:46.245: ISAKMP:      hash SHA
Jan 20 16:21:46.245: ISAKMP:      default group 2
Jan 20 16:21:46.245: ISAKMP:      auth pre-share
Jan 20 16:21:46.245: ISAKMP:      life type in seconds
Jan 20 16:21:46.245: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.245: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.245: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.245: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
Jan 20 16:21:46.245: ISAKMP:      encryption 3DES-CBC
Jan 20 16:21:46.245: ISAKMP:      hash MD5
Jan 20 16:21:46.245: ISAKMP:      default group 2
Jan 20 16:21:46.245: ISAKMP:      auth pre-share
Jan 20 16:21:46.245: ISAKMP:      life type in seconds
Jan 20 16:21:46.245: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.245: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.245: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.245: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
Jan 20 16:21:46.245: ISAKMP:      encryption DES-CBC
Jan 20 16:21:46.245: ISAKMP:      hash MD5
Jan 20 16:21:46.245: ISAKMP:      default group 2
Jan 20 16:21:46.245: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.245: ISAKMP:      life type in seconds
Jan 20 16:21:46.245: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.245: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.245: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.245: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
Jan 20 16:21:46.245: ISAKMP:      encryption DES-CBC
Jan 20 16:21:46.245: ISAKMP:      hash MD5
Jan 20 16:21:46.245: ISAKMP:      default group 2
Jan 20 16:21:46.245: ISAKMP:      auth pre-share
Jan 20 16:21:46.245: ISAKMP:      life type in seconds
Jan 20 16:21:46.245: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.245: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.245: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 20 16:21:46.249: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jan 20 16:21:46.249: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.249: ISAKMP:      hash SHA
Jan 20 16:21:46.249: ISAKMP:      default group 2
Jan 20 16:21:46.249: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.249: ISAKMP:      life type in seconds
Jan 20 16:21:46.249: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.249: ISAKMP:      keylength of 256
Jan 20 16:21:46.249: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.249: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.249: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65535 policy
Jan 20 16:21:46.249: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.249: ISAKMP:      hash MD5
Jan 20 16:21:46.249: ISAKMP:      default group 2
Jan 20 16:21:46.249: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.249: ISAKMP:      life type in seconds
Jan 20 16:21:46.249: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.249: ISAKMP:      keylength of 256
Jan 20 16:21:46.249: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.249: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.249: ISAKMP:(0):Checking ISAKMP transform 3 against priority 65535 policy
Jan 20 16:21:46.249: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.249: ISAKMP:      hash SHA
Jan 20 16:21:46.249: ISAKMP:      default group 2
Jan 20 16:21:46.249: ISAKMP:      auth pre-share
Jan 20 16:21:46.249: ISAKMP:      life type in seconds
Jan 20 16:21:46.249: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.249: ISAKMP:      keylength of 256
Jan 20 16:21:46.249: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.249: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.249: ISAKMP:(0):Checking ISAKMP transform 4 against priority 65535 policy
Jan 20 16:21:46.249: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.249: ISAKMP:      hash MD5
Jan 20 16:21:46.249: ISAKMP:      default group 2
Jan 20 16:21:46.249: ISAKMP:      auth pre-share
Jan 20 16:21:46.249: ISAKMP:      life type in seconds
Jan 20 16:21:46.249: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.249: ISAKMP:      keylength of 256
Jan 20 16:21:46.249: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.249: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.249: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65535 policy
Jan 20 16:21:46.253: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.253: ISAKMP:      hash SHA
Jan 20 16:21:46.253: ISAKMP:      default group 2
Jan 20 16:21:46.253: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.253: ISAKMP:      life type in seconds
Jan 20 16:21:46.253: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.253: ISAKMP:      keylength of 128
Jan 20 16:21:46.253: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.253: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.253: ISAKMP:(0):Checking ISAKMP transform 6 against priority 65535 policy
Jan 20 16:21:46.253: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.253: ISAKMP:      hash MD5
Jan 20 16:21:46.253: ISAKMP:      default group 2
Jan 20 16:21:46.253: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.253: ISAKMP:      life type in seconds
Jan 20 16:21:46.253: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.253: ISAKMP:      keylength of 128
Jan 20 16:21:46.253: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.253: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.253: ISAKMP:(0):Checking ISAKMP transform 7 against priority 65535 policy
Jan 20 16:21:46.253: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.253: ISAKMP:      hash SHA
Jan 20 16:21:46.253: ISAKMP:      default group 2
Jan 20 16:21:46.253: ISAKMP:      auth pre-share
Jan 20 16:21:46.253: ISAKMP:      life type in seconds
Jan 20 16:21:46.253: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.253: ISAKMP:      keylength of 128
Jan 20 16:21:46.253: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.253: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.253: ISAKMP:(0):Checking ISAKMP transform 8 against priority 65535 policy
Jan 20 16:21:46.253: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.253: ISAKMP:      hash MD5
Jan 20 16:21:46.253: ISAKMP:      default group 2
Jan 20 16:21:46.253: ISAKMP:      auth pre-share
Jan 20 16:21:46.253: ISAKMP:      life type in seconds
Jan 20 16:21:46.253: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.253: ISAKMP:      keylength of 128
Jan 20 16:21:46.253: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.253: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.253: ISAKMP:(0):Checking ISAKMP transform 9 against priority 65535 policy
Jan 20 16:21:46.253: ISAKMP:      encryption 3DES-CBC
Jan 20 16:21:46.257: ISAKMP:      hash SHA
Jan 20 16:21:46.257: ISAKMP:      default group 2
Jan 20 16:21:46.257: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.257: ISAKMP:      life type in seconds
Jan 20 16:21:46.257: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.257: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.257: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.257: ISAKMP:(0):Checking ISAKMP transform 10 against priority 65535 policy
Jan 20 16:21:46.257: ISAKMP:      encryption 3DES-CBC
Jan 20 16:21:46.257: ISAKMP:      hash MD5
Jan 20 16:21:46.257: ISAKMP:      default group 2
Jan 20 16:21:46.257: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.257: ISAKMP:      life type in seconds
Jan 20 16:21:46.257: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.257: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.257: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.257: ISAKMP:(0):Checking ISAKMP transform 11 against priority 65535 policy
Jan 20 16:21:46.257: ISAKMP:      encryption 3DES-CBC
Jan 20 16:21:46.257: ISAKMP:      hash SHA
Jan 20 16:21:46.257: ISAKMP:      default group 2
Jan 20 16:21:46.257: ISAKMP:      auth pre-share
Jan 20 16:21:46.257: ISAKMP:      life type in seconds
Jan 20 16:21:46.257: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.257: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.257: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.257: ISAKMP:(0):Checking ISAKMP transform 12 against priority 65535 policy
Jan 20 16:21:46.257: ISAKMP:      encryption 3DES-CBC
Jan 20 16:21:46.257: ISAKMP:      hash MD5
Jan 20 16:21:46.257: ISAKMP:      default group 2
Jan 20 16:21:46.257: ISAKMP:      auth pre-share
Jan 20 16:21:46.257: ISAKMP:      life type in seconds
Jan 20 16:21:46.257: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.257: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.257: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.257: ISAKMP:(0):Checking ISAKMP transform 13 against priority 65535 policy
Jan 20 16:21:46.257: ISAKMP:      encryption DES-CBC
Jan 20 16:21:46.257: ISAKMP:      hash MD5
Jan 20 16:21:46.257: ISAKMP:      default group 2
Jan 20 16:21:46.257: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.257: ISAKMP:      life type in seconds
Jan 20 16:21:46.257: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.261: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 16:21:46.261: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.261: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65535 policy
Jan 20 16:21:46.261: ISAKMP:      encryption DES-CBC
Jan 20 16:21:46.261: ISAKMP:      hash MD5
Jan 20 16:21:46.261: ISAKMP:      default group 2
Jan 20 16:21:46.261: ISAKMP:      auth pre-share
Jan 20 16:21:46.261: ISAKMP:      life type in seconds
Jan 20 16:21:46.261: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.261: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 16:21:46.261: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 20 16:21:46.261: ISAKMP:(0):no offers accepted!
Jan 20 16:21:46.261: ISAKMP:(0): phase 1 SA policy not acceptable! (local 72.88.223.20 remote 192.168.69.101)
Jan 20 16:21:46.261: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 20 16:21:46.261: ISAKMP:(0): sending packet to 192.168.69.101 my_port 500 peer_port 57972 (R) AG_NO_STATE
Jan 20 16:21:46.261: ISAKMP:(0):peer does not do paranoid keepalives.

Jan 20 16:21:46.261: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.69.101)
Jan 20 16:21:46.261: ISAKMP:(0): processing KE payload. message ID = 0
Jan 20 16:21:46.261: ISAKMP:(0): group size changed! Should be 0, is 128
Jan 20 16:21:46.261: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
Jan 20 16:21:46.261: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jan 20 16:21:46.261: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

Jan 20 16:21:46.261: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.69.101
Jan 20 16:21:46.265: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R)AG_NO_STATE (peer 192.168.69.101)
Jan 20 16:21:46.265: ISAKMP: Unlocking peer struct 0x82B69F00 for isadb_mark_sa_deleted(), count 0
Jan 20 16:21:46.265: ISAKMP: Deleting peer node by peer_reap for 192.168.69.101: 82B69F00
Jan 20 16:21:46.265: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 20 16:21:46.265: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

Jan 20 16:21:46.265: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 20 16:21:51.507: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 57972 Global (R) MM_NO_STATE
Jan 20 16:21:56.590: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 57972 Global (R) MM_NO_STATE
Jan 20 16:22:01.660: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 57972 Global (R) MM_NO_STATE

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
72.88.223.20    192.168.69.101 MM_NO_STATE          0    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

MyRouter#

Thomas R Grassi Jr
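Added example (not part of the original post, and not Cisco tooling): a small Python parser for ISAKMP debug output like the log above. It groups each offered transform with the local policy priority it was checked against and the reason the router logged for rejecting it. The function names are this example's own, and the sample is an abridged excerpt of the log above.

```python
import re
from collections import Counter

# Abridged excerpt of the debug output posted above ("life type" lines omitted).
SAMPLE = """\
Jan 20 16:21:46.241: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
Jan 20 16:21:46.241: ISAKMP:      encryption AES-CBC
Jan 20 16:21:46.241: ISAKMP:      hash SHA
Jan 20 16:21:46.241: ISAKMP:      default group 2
Jan 20 16:21:46.241: ISAKMP:      auth pre-share
Jan 20 16:21:46.241: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.241: ISAKMP:      keylength of 128
Jan 20 16:21:46.241: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jan 20 16:21:46.241: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.241: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
Jan 20 16:21:46.241: ISAKMP:      encryption 3DES-CBC
Jan 20 16:21:46.241: ISAKMP:      hash SHA
Jan 20 16:21:46.241: ISAKMP:      default group 2
Jan 20 16:21:46.241: ISAKMP:      auth XAUTHInitPreShared
Jan 20 16:21:46.241: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.241: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 16:21:46.241: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 16:21:46.261: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65535 policy
Jan 20 16:21:46.261: ISAKMP:      encryption DES-CBC
Jan 20 16:21:46.261: ISAKMP:      hash MD5
Jan 20 16:21:46.261: ISAKMP:      default group 2
Jan 20 16:21:46.261: ISAKMP:      auth pre-share
Jan 20 16:21:46.261: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 16:21:46.261: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 16:21:46.261: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 20 16:21:46.261: ISAKMP:(0):no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
LIFE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)")
REJECT = re.compile(r"ISAKMP:\(\d+\):(.+?) offered\b.*does not match policy!")


def parse_offers(text):
    """Return one dict per (transform, policy priority) comparison in the debug text."""
    offers, cur = [], None
    for line in text.splitlines():
        if m := CHECK.search(line):
            cur = {"transform": int(m[1]), "priority": int(m[2]), "reason": None}
            offers.append(cur)
        elif cur is None:
            continue  # ignore anything before the first "Checking ..." line
        elif m := LIFE.search(line):
            # The lifetime is printed as big-endian bytes, e.g. 0x0 0x20 0xC4 0x9B
            raw = bytes(int(b, 16) for b in m[1].split())
            cur["lifetime_s"] = int.from_bytes(raw, "big")
        elif m := ATTR.search(line):
            cur[m[1].replace(" of", "")] = m[2]
        elif m := REJECT.search(line):
            cur["reason"] = m[1].strip()
    return offers


def summarize(text):
    """Tally rejection reasons per local policy priority and report the phase 1 verdict."""
    reasons = Counter((o["priority"], o["reason"]) for o in parse_offers(text))
    return {"no_offers_accepted": "no offers accepted!" in text, "reasons": dict(reasons)}


if __name__ == "__main__":
    for offer in parse_offers(SAMPLE):
        print(offer)
    print(summarize(SAMPLE))
```

Run against the full debug capture, the tally shows at a glance which attribute (encryption, hash or authentication method) each local policy rejected for every transform the client proposed.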

AAA authentication : Not configured

Please tell me, are you trying to establish the VPN client session from inside the router or from outside of the router?

New Member

AAA authentication : Not configured

My laptop is currently on the same lan

Have not tried wireless yet want to get it to work locally first.

Can you try to see what you get?

I can send you  a PM with the real key

Thomas R Grassi Jr

AAA authentication : Not configured

Sure, send the username and password via private messaging, and email me the pcf file as well.

I was under the impression that you are trying to establish the VPN session via the outside interface, and the VPN is configured for login from outside.

interface FastEthernet4
description ** WAN **
ip address 72.88.223.20 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap

Re: AAA authentication : Not configured

I got connected by username password you provided.

Please check the images I uploaded for you.

Goodnight, sleep tight.

Thanks

Rizwan Rafeek

New Member

AAA authentication : Not configured

Great

So my config is good for outside users

What about internal?

I see you can ping the servers and my router

On the 192.168.69.15 event log:

Type :  Error
Date :  1/20/2012
Time :  7:18:22 PM
Event :  13
Source :  IAS
Category : None
User :  N/A
Computer : SERVER02

Description:
A RADIUS message was received from the invalid RADIUS client IP address 192.168.69.1.

Also how do I logon to the domain?

Thanks

I am up around 8:30 AM EST

Tom

Thomas R Grassi Jr

AAA authentication : Not configured

Once you log in to the VPN from outside via the internet, you can open an RDP session to log in to the domain controller.

I assume you provided a domain username and password and the VPN authentication successfully went through via the MS RADIUS server, right?

I do not get it, why do you need VPN access from inside?

New Member

AAA authentication : Not configured

can you try again?  the userid and password I sent you is a valid domain user id now

see if you can get logged onto the domain

screen shots would be great

RDP is that remote desktop?

Wanted inside vpn access only for testing. If I use my laptop on my wireless would that work?

I will be here for about 3 more hours

Thanks

Tom

Thomas R Grassi Jr

AAA authentication : Not configured

Your VPN is set up for login from the internet; once you have VPN'd in, you will have complete access to your inside network.

As you could see, I was able to ping your inside hosts, as if my computer were physically connected to your inside network.

I am connected now at this very moment to your network.

at 11:37AM EST  Jan 21 2012.

AAA authentication : Not configured

your DC name is: TGCS002

I was being prompted for login credentials when using RDP.

New Member

AAA authentication : Not configured

great thanks

Could you show me a screen shot of the RDP I would like to see what it looks like

I found the log file on the server INxxxxx.log

But only one entry in the file

Any way to see who connects and how often?

I set up the log file on the IAS server and checked all options

Tom

Thomas R Grassi Jr

AAA authentication : Not configured

An RDP session looks exactly like you are consoled into a Windows box in front of a monitor.

You can check the log on the router to see who is being authenticated by issuing "show log".

To start the RDP console, issue this command from the Run menu on Windows: mstsc

Good luck with your Windows stuff.

Take Care

Thanks

Rizwan Rafeek

New Member

AAA authentication : Not configured

Thanks for all your help

I did a show log

MyRouter#show log
Syslog logging: enabled (1 messages dropped, 2 messages rate-limited,
                1 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 3286 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 2754 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level warnings, 14 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

    Trap logging: level informational, 113 message lines logged

Log Buffer (51200 bytes):

*Mar  1 00:00:08.411: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar  1 00:08:29.803: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:08:30.979: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
*Mar  1 00:08:30.983: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
*Mar  1 00:08:30.987: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*Mar  1 00:08:30.991: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
Jan 12 18:28:50.233: %RADIUS-4-SERVREF: Warning: Server 192.168.69.15:1645,1646 is still referenced by server group.
Jan 14 19:05:00.613: %RADIUS-4-SERVREF: Warning: Server 192.168.69.15:1812,1812 is still referenced by server group.
Jan 17 00:25:39.553: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.69.15:1812,1812 is not responding.
Jan 17 00:25:39.553: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.69.15:1812,1812 has returned.
Jan 17 03:14:57.268: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.69.15:1812,1812 is not responding.
Jan 17 03:14:57.268: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.69.15:1812,1812 has returned.
Jan 17 03:22:53.841: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.69.15:1812,1812 is not responding.
Jan 17 03:22:53.841: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.69.15:1812,1812 has returned.
MyRouter#

But I do not see any vpn client info I see radius info

How can i tell how many clients accessed my vpn etc

Tom
MyRouter#
MyRouter#

Thomas R Grassi Jr

Re: AAA authentication : Not configured

I believe, it will show with below command.

show crypto isakmp sa

New Member

AAA authentication : Not configured

Thanks I know about that command

Show crypto isakmp sa will only show you active connections

I am looking for a way to see the history of who was connected and when

The INxxxx.log file on the server running IAS has only one entry in it. After I get some more testing done, maybe it will have what I am looking for

Thomas R Grassi Jr

AAA authentication : Not configured

I guess that information pertains to the Windows box. Please do a little research; you may be able to find the proper log entry on the Windows box with the login information.

Please rate any help post on this thread.

Thanks

Rizwan Rafeek
