Re: Can't match VPN Client transforms with local ISAKMP policy.

michael.leblanc · ‎04-24-2008

Working on a c806 which participates in an IPSec + GRE site-to-site VPN (no functional issues).

It is also configured to perform Mode Config for Cisco VPN Clients.

We have been unable to establish an ISAKMP SA when connecting with the VPN Client.

When the client ISAKMP transforms are compared to local ISAKMP policy on the c806 we are not finding a match in Authentication Method.

We have tested this with and without Xauth configured in the client profile, and have not been able to determine why a mis-match is perceived in Authentication Method.

EZVPN Server: c806 with c806-k9o3sy6-mz.123-8.T11.bin

Cisco VPN Clients: 4.6.02.0011 and/or 5.0.02.0090

Syslog error:

4952: router: Apr 23 15:04:31.901 EDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at <ip-addr-removed>

RAVPN ISAKMP Policy:

crypto isakmp policy 5

encr 3des

authentication pre-share

group 2

lifetime 3600

ISAKMP Debug (partial):

Apr 23 16:41:48.730 EDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against priority 5 policy

Apr 23 16:41:48.734 EDT: ISAKMP: encryption 3DES-CBC

Apr 23 16:41:48.734 EDT: ISAKMP: hash SHA

Apr 23 16:41:48.734 EDT: ISAKMP: default group 2

Apr 23 16:41:48.734 EDT: ISAKMP: auth XAUTHInitPreShared

Apr 23 16:41:48.734 EDT: ISAKMP: life type in seconds

Apr 23 16:41:48.738 EDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

Apr 23 16:41:48.738 EDT: ISAKMP:(0:0:N/A:0):Xauth authentication by pre-shared key offered but does not match policy!

Apr 23 16:41:48.742 EDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

Apr 23 16:41:48.758 EDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 11 against priority 5 policy

Apr 23 16:41:48.758 EDT: ISAKMP: encryption 3DES-CBC

Apr 23 16:41:48.762 EDT: ISAKMP: hash SHA

Apr 23 16:41:48.762 EDT: ISAKMP: default group 2

Apr 23 16:41:48.762 EDT: ISAKMP: auth pre-share

Apr 23 16:41:48.762 EDT: ISAKMP: life type in seconds

Apr 23 16:41:48.762 EDT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

Apr 23 16:41:48.766 EDT: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!

Apr 23 16:41:48.766 EDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

Has anyone experienced this issue and/or reached a resolution?

michael.leblanc · ‎04-25-2008

Resolved the issue. The cause was an incorrect group name configured in "Group Authentication" on the client.

I glossed over this ISAMKP debug entry:

Apr 23 16:41:48.346 EDT: ISAKMP:(0:0:N/A:0): peer matches *none* of the profiles

... because I saw these ISAKMP debug entries:

Apr 23 16:41:48.362 EDT: ISAKMP : Scanning profiles for xauth ...

Apr 23 16:41:48.366 EDT: ISAKMP:(0:0:N/A:0): Authentication by xauth preshared

... and focused on these ISAKMP debug entries: