10-12-2010 05:57 AM
Hi guys,
I'm pretty new to Cisco products, and am playing around with a 1812... I'm trying to set up an Easy VPN Server with RADIUS support, and as far as I can see I have done all the tasks right, but there is a problem, because the router does not contact the RADIUS server, and the RADIUS server has been tested OK.
Can anyone see what I am missing? I have worked on this issue for 3 days now.
Here is my conf.
Current configuration : 9170 bytes
!
! Last configuration change at 13:44:49 UTC Tue Oct 12 2010
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 90.0.0.245 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-250973313
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-250973313
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-250973313
certificate self-signed 01
quit
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1812/K9 sn FCZ10232108
username admin privilege 15 secret 5 $1$P677$Rggfdgt8MeD8letZDL08d/
!
!
!
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Sindby
key TheSommerOf03
dns 90.0.0.240 8.8.8.8
wins 90.0.0.240
domain SBYNET
pool SDM_POOL_2
max-users 15
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group Sindby
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA10
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description $FW_OUTSIDE$
ip address 93.166.xxx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 90.0.0.190 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip local pool SDM_POOL_1 90.0.0.25 90.0.0.29
ip local pool SDM_POOL_2 90.0.0.75 90.0.0.90
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.200 25 interface FastEthernet0 25
ip nat inside source list 1 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 93.166.xxx.xxx
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
!
logging esm config
access-list 1 permit 90.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 93.166.xxx.xxx 0.0.0.7 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.200
!
!
!
!
!
!
radius-server host 90.0.0.245 auth-port 1645 acct-port 1646
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
!
end
10-12-2010 08:27 AM
Hi,
Have you run a "test aaa authentication" to confirm the connectivity between the server and the router? Also, please enable "ip inspect log drop-pkt" prior to running the "test aaa authentication"; that way you should be able to see syslogs pointing to packets dropped by the zone-based firewall configuration, if any.
Let me know how it goes!!
Thanks and Regards,
Prapanch
10-12-2010 12:16 PM
Hi Prapanch,
I have added the inspect line, and when I try to run the test, I issue this command:
Router#test aaa authentication radius host 90.0.0.245
^
% Invalid input detected at '^' marker.
10-12-2010 05:26 PM
Hi Jesper,
The command actually is "test aaa group {group-name | radius} username password". Not really an expert in AAA.
Thanks and Regards,
Prapanch
10-12-2010 10:46 PM
Hi Prapanch,
I tried to test the aaa server, and this is what came out:
test aaa group radius ja@sbynet.local xxxxxx legacy
Attempting authentication test to server-group radius using radius
No authoritative response from any server.
Router#
*Oct 13 06:44:08.742: AAA: parse name=
*Oct 13 06:44:08.742: AAA/MEMORY: create_user (0x86BF6A18) user='ja@sbynet.local' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Oct 13 06:44:08.742: RADIUS: Pick NAS IP for u=0x86BF6A18 tableid=0 cfg_addr=0.0.0.0
*Oct 13 06:44:08.742: RADIUS: ustruct sharecount=1
*Oct 13 06:44:08.742: Radius: radius_port_info() success=0 radius_nas_port=1
*Oct 13 06:44:08.742: RADIUS/ENCODE: Best Local IP-Address 90.0.0.190 for Radius-Server 90.0.0.245
*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)
*Oct 13 06:44:08.742: RADIUS: No response from server
*Oct 13 06:44:08.742: AAA/MEMORY: free_user (0x86BF6A18) user='ja@sbynet.local' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
How do I see the log we activated before testing... (the inspect command)? According to this I cannot see anything that has been blocked.
I am 100% sure that the Radius server is working, because it works with another Zyxel router.
/Jesper
10-12-2010 11:08 PM
Hi,
It looks like you are missing the radius server key configuration "radius-server host 90.0.0.245 auth-port 1645 acct-port 1646 key your_key".
Thanks,
Wen
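Added example (not part of the original thread, and not Cisco's code): the "No secret to encode request" / "Unable to encrypt" debug lines follow from how RADIUS hides the User-Password attribute (RFC 2865, section 5.2), which needs the shared secret before an Access-Request can be built. The secret, password and authenticator below are constructed sample values.

```python
import hashlib


def _check(secret: bytes, request_authenticator: bytes) -> None:
    # Without a shared secret there is nothing to key the MD5 stream with,
    # so the request cannot be encoded at all.
    if not secret:
        raise ValueError("no shared secret configured; cannot encode request")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")


def hide_user_password(password: bytes, secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """Encode User-Password as described in RFC 2865 section 5.2."""
    _check(secret, request_authenticator)
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs to a multiple of 16 octets.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        # b1 = MD5(S + RA), b(n) = MD5(S + c(n-1)); c(n) = p(n) XOR b(n)
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the same shared secret."""
    _check(secret, request_authenticator)
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"example-shared-secret"     # constructed value
    authenticator = bytes(range(16))      # constructed; random in real requests
    hidden = hide_user_password(b"example-password", secret, authenticator)
    print(hidden.hex())
    print(reveal_user_password(hidden, secret, authenticator))
```

A server holding a different secret recovers garbage rather than the password, which is why the key must match on the router and on the RADIUS server.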
10-12-2010 11:14 PM
wzhang,
Thank you very much, after adding the line, I am now able to successfully authenticate to the radius server...
/Jesper
10-13-2010 12:12 AM
I hoped that the VPN connection would work now, but I get this error when I try to connect.
Do you know what is wrong here ?
*Oct 13 08:14:48.778: ISAKMP (0): received packet from xx.xxx.xx.xx dport 500 sport 13747 Global (N) NEW SA
*Oct 13 08:14:48.778: ISAKMP: Created a peer struct for xx.xxx.xx.xx, peer port 13747
*Oct 13 08:14:48.778: ISAKMP: New peer created peer = 0x86F84250 peer_handle = 0x80000013
*Oct 13 08:14:48.778: ISAKMP: Locking peer struct 0x86F84250, refcount 1 for crypto_isakmp_process_block
*Oct 13 08:14:48.778: ISAKMP: local port 500, remote port 13747
*Oct 13 08:14:48.778: ISAKMP:(0):insert sa successfully sa = 874C6244
*Oct 13 08:14:48.778: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 13 08:14:48.778: ISAKMP:(0): processing ID payload. message ID = 0
*Oct 13 08:14:48.778: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : sindby
protocol : 17
port : 500
length : 14
*Oct 13 08:14:48.778: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload
*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID is XAUTH
*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload
*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID is DPD
*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload
*Oct 13 08:14:48.778: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 13 08:14:48.778: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload
*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload
*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID is Unity
*Oct 13 08:14:48.778: ISAKMP : Scanning profiles for xauth ... sdm-ike-profile-1
*Oct 13 08:14:48.778: ISAKMP:(0): Authentication by xauth preshared
*Oct 13 08:14:48.778: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 13 08:14:48.778: ISAKMP: encryption AES-CBC
*Oct 13 08:14:48.778: ISAKMP: hash SHA
*Oct 13 08:14:48.778: ISAKMP: default group 2
*Oct 13 08:14:48.778: ISAKMP: auth XAUTHInitPreShared
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP: keylength of 256
*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption AES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash MD5
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth XAUTHInitPreShared
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP: keylength of 256
*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption AES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash SHA
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth pre-share
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP: keylength of 256
*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption AES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash MD5
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth pre-share
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP: keylength of 256
*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption AES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash SHA
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth XAUTHInitPreShared
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP: keylength of 128
*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption AES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash MD5
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth XAUTHInitPreShared
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP: keylength of 128
*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption AES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash SHA
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth pre-share
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP: keylength of 128
*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption AES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash MD5
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth pre-share
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP: keylength of 128
*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption 3DES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash SHA
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth XAUTHInitPreShared
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption 3DES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash MD5
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth XAUTHInitPreShared
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption 3DES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash SHA
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth pre-share
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP: encryption 3DES-CBC
*Oct 13 08:14:48.782: ISAKMP: hash MD5
*Oct 13 08:14:48.782: ISAKMP: default group 2
*Oct 13 08:14:48.782: ISAKMP: auth pre-share
*Oct 13 08:14:48.782: ISAKMP: life type in seconds
*Oct 13 08:14:48.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.782: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 13 08:14:48.786: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.786: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Oct 13 08:14:48.786: ISAKMP: encryption DES-CBC
*Oct 13 08:14:48.786: ISAKMP: hash MD5
*Oct 13 08:14:48.786: ISAKMP: default group 2
*Oct 13 08:14:48.786: ISAKMP: auth XAUTHInitPreShared
*Oct 13 08:14:48.786: ISAKMP: life type in seconds
*Oct 13 08:14:48.786: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.786: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.786: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 13 08:14:48.786: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Oct 13 08:14:48.786: ISAKMP: encryption DES-CBC
*Oct 13 08:14:48.786: ISAKMP: hash MD5
*Oct 13 08:14:48.786: ISAKMP: default group 2
*Oct 13 08:14:48.786: ISAKMP: auth pre-share
*Oct 13 08:14:48.786: ISAKMP: life type in seconds
*Oct 13 08:14:48.786: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 13 08:14:48.786: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.786: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 13 08:14:48.786: ISAKMP:(0):no offers accepted!
*Oct 13 08:14:48.786: ISAKMP:(0): phase 1 SA policy not acceptable! (local 93.166.138.93 remote xx.xxx.xx.xx)
*Oct 13 08:14:48.786: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 13 08:14:48.786: ISAKMP:(0): Failed to construct AG informational message.
*Oct 13 08:14:48.786: ISAKMP:(0): sending packet to xx.xxx.xx.xx my_port 500 peer_port 13747 (R) AG_NO_STATE
*Oct 13 08:14:48.786: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 13 08:14:48.786: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 13 08:14:48.786: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer xx.xxx.xx.xx)
*Oct 13 08:14:48.786: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 13 08:14:48.786: ISAKMP:(0): group size changed! Should be 0, is 128
*Oct 13 08:14:48.786: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Oct 13 08:14:48.786: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Oct 13 08:14:48.786: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 13 08:14:48.786: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Oct 13 08:14:48.786: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at xx.xxx.xx.xx
*Oct 13 08:14:48.786: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer xx.xxx.xx.xx)
*Oct 13 08:14:48.786: ISAKMP: Unlocking peer struct 0x86F84250 for isadb_mark_sa_deleted(), count 0
*Oct 13 08:14:48.786: ISAKMP: Deleting peer node by peer_reap for xx.xxx.xx.xx: 86F84250
*Oct 13 08:14:48.786: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 13 08:14:48.786: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
10-13-2010 12:48 AM
Never mind, guys... I had a typo in the group profile name. It's working now.
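Added example (not part of the original thread): a small Python check for the two problems this thread ran into, a `radius-server host` line with no key and a client group id that matches none of the ISAKMP profiles. The config and debug excerpts are copied from the posts above; the function names are hypothetical, and comparing group names case-sensitively is an assumption of this example.

```python
import re

# Excerpts from the configuration and debug output posted in this thread.
SAMPLE_CONFIG = """\
aaa group server radius sdm-vpn-server-group-1
 server 90.0.0.245 auth-port 1645 acct-port 1646
crypto isakmp client configuration group Sindby
 pool SDM_POOL_2
crypto isakmp profile sdm-ike-profile-1
 match identity group Sindby
radius-server host 90.0.0.245 auth-port 1645 acct-port 1646
"""

SAMPLE_DEBUG = """\
*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)
*Oct 13 08:14:48.778: ISAKMP (0): ID payload
group id : sindby
*Oct 13 08:14:48.778: ISAKMP:(0):: peer matches *none* of the profiles
"""


def radius_hosts_without_key(config):
    """Return radius-server hosts with neither a per-host nor a global key."""
    if re.search(r"^radius-server key \S+", config, re.M):
        return []
    missing = []
    for m in re.finditer(r"^radius-server host (\S+)(.*)$", config, re.M):
        if not re.search(r"\bkey\s+\S+", m.group(2)):
            missing.append(m.group(1))
    return missing


def group_id_findings(config, debug):
    """Compare group ids seen in 'debug crypto isakmp' with configured names."""
    defined = set(re.findall(
        r"^crypto isakmp client configuration group (\S+)", config, re.M))
    matched = set(re.findall(
        r"^[ \t]*match identity group (\S+)", config, re.M))
    findings = []
    for name in sorted(matched - defined):
        findings.append(f"profile matches group '{name}' but no client "
                        "configuration group has that name")
    offered_ids = set(re.findall(r"^[ \t]*group id\s*:\s*(\S+)", debug, re.M))
    for offered in sorted(offered_ids):
        if offered in matched:
            continue
        near = [g for g in sorted(matched) if g.lower() == offered.lower()]
        if near:
            findings.append(f"client sent group id '{offered}'; profile "
                            f"expects '{near[0]}' (differs only in case)")
        else:
            findings.append(f"client sent group id '{offered}'; "
                            "no ISAKMP profile matches it")
    return findings


def triage(config, debug):
    """Run both checks and return human-readable findings."""
    findings = []
    confirmed = "No secret to encode request" in debug
    for host in radius_hosts_without_key(config):
        note = " (confirmed by debug output)" if confirmed else ""
        findings.append(f"RADIUS host {host} has no shared secret{note}")
    findings.extend(group_id_findings(config, debug))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CONFIG, SAMPLE_DEBUG):
        print(finding)
```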