Solved: Cisco 1841 to Vigor VPN

markyd1985 · ‎11-24-2010

Hi All,

I'm in desperate need of some help. I've spent the last 48 hrs trawling the internet try to find how to set this up secessfully

I have ports 80 and 443 port forwarded for 78.25.xxx.xxx to our local mailserver 192.168.6.65. But all im presented with is page cannot be displayed when i try and connect to the external IP within the LAN. However if i try and access this address outside the lan then it works great?

My other problem I have is i would like to setup 7 vpn's which all dial in to this router. They are setup to use ipsec with an ike pre-shared key. The dial in router's are vigor 2600-2820 series and i was going to use the following config for the cisco but it hangs at crypto map cm-cryptomap.

If anyone can help me i would really really appreciate it.

Network setup
PRIVATE IP PUBLIC IP
HUB SITE(CISCO 1841) 192.168.6.0 78.XX.XXX.48
SPOKE SITE(VIGOR 2600) 192.168.88.0 85.XX.XXX.85

################# attempted vpn config which didnt work #######

crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key 123 address 85.189.xxx.xxx (spoke site)
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
crypto map cm-cryptomap local-address FastEthernet0/0
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 85.189.155.85 (spoke site)
set transform-set cm-transformset-1
match address 100

interface FastEthernet0/0
crypto map cm-cryptomap
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255

Below is the full config less vpn info which works flawlessly with bonded adsl
################ FULL CONFIG ################

Current configuration : 3938 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-692553461
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-692553461
revocation-check none
rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36393235 35333436 31301E17 0D313031 31323431 34343930
325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3639 32353533
34363130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED
B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43
20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387
FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E67
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820642 5552544F 4E301F06 03551D23 04183016 8014645E 3FDE4E90
A8773580 81EE4217 F4821238 993A301D 0603551D 0E041604 14645E3F DE4E90A8
77358081 EE4217F4 82123899 3A300D06 092A8648 86F70D01 01040500 03818100
B9B21771 6B8C0F9E C66B907A AC7A09BF 1FFCB332 0C7B6446 22483A32 5EE7D1FC
0A29DD8B 4ABE123D 250070DF 30964615 128A9224 E70FFE29 513455AB 6A1747C4
E67A33F0 4E61AB87 9AE1D2DC 72741BE7 3A9AD79D 13B622B3 BCADCDAA 9D5EA74C
567D2852 AD429722 9AE90E13 7D80027F 4FA37A7F 65014A45 43CB141C 36FCB96B
quit
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname username@supplier.co.uk
ppp chap password 0 xxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.6.65 25 interface Dialer0 25
ip nat inside source static tcp 192.168.6.45 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.6.65 80 78.XX.XXX.61 80 extendable
ip nat inside source static tcp 192.168.6.65 443 78.XX.XXX.61 443 extendable
ip nat inside source static tcp 192.168.6.30 80 78.XX.XXX.62 80 extendable
ip nat inside source static tcp 192.168.6.30 443 78.XX.XXX.62 443 extendable
!
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxxx
login
!
scheduler allocate 20000 1000
end

Vikas Saxena · ‎11-25-2010

The crypto is working fine it seems.

The error which you are receiving is I think because vigor side is able to encrypt an ip subnet (range) which is not defined by Cisco.

The vigor is sending it down to Cisco and after decrypting it the IPSEC SA is dropping it because it is not part of the interesting traffic.

But, I guess you are already up and running.

View solution in original post

Vikas Saxena · ‎11-26-2010

Hello Mark,

This looks like a defect to me.

Post your show version please.

View solution in original post

Vikas Saxena · ‎11-24-2010

Please tell us more about the errors which you are getting. By the looks of it the configuration is fine.

################# attempted vpn config which didnt work #######

crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600

crypto isakmp key 123 address 85.189.xxx.xxx (spoke site)
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac

crypto map cm-cryptomap local-address FastEthernet0/0

crypto map cm-cryptomap 1 ipsec-isakmp
set peer 85.189.155.85 (spoke site)
set transform-set cm-transformset-1
match address 100

interface FastEthernet0/0
crypto map cm-cryptomap

access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255

markyd1985 · ‎11-24-2010

First off when im entering this config i get down to crypto map cm-cryptomap and then the router is then uncontactable? so i can't even put the correct acl in from then on. I'm a complete novice at cisco's to be honest, managed to setup the bonded lines ok and some port forwarding but really am struggling here.

How can i debug the vpn connection or see the errors?

Thanks

markyd1985 · ‎11-24-2010

I've turned some sort of debugging on

Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor

markyd1985 · ‎11-24-2010

Below my latest attempt, will switch this over when i get to work tomorrow and see if it works.

Building configuration...

Current configuration : 4729 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nod
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-692553461
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-692553461
revocation-check none
rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36393235 35333436 3
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3639 32353533
34363130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED
B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43
20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387
FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820642 5552544F 4E301F06 03551D23 04183016 8014645E 3FDE4E90
A8773580 81EE4217 F4821238 993A301D 0603551D 0E041604 14645E3F DE4E90A8
77358081 EE4217F4 82123899 3A300D06 092A8648 86F70D01 01040500 03818100
5FE3DF70 3253B1F7 D1359012 24F8E1E3 57E1DF58 A2010295 A03A8C75 FA41E51D
09C5E211 8BD9C42E D1D242FB 6BDCD933 B22256C9 ADB1841D BD015A05 28D41A86
E1E80740 1CDC4B02 FD689446 426DE1D6 0D1500A6 C5558839 029AA0D0 B8AA33
88DACDDA AC58BC10 799FC7CD FBCB8A3A 0FB8A789 9756338C F51AF115 159ADC52
quit
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address 77.xxx.xxx.176
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 77.xxx.xxx.176
set transform-set AES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-Map-1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp mult
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.6.45 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.6.65 25 interface Dialer0 25
ip nat inside source static tcp 192.168.6.65 80 78.xxx.xxx.61 80 extendable
ip nat inside source static tcp 192.168.6.65 443 78.xxx.xxx.61 443 extendable
ip nat inside source static tcp 192.168.6.30 80 78.xxx.xxx.62 80 extendable
ip nat inside source static tcp 192.168.6.30 443 78.xxx.xxx.62 443 extendable
!
ip access-list extended Crypto-list
permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 77.xxx.xxx.176 any eq isakmp
permit esp host 77.xxx.xxx.176 any
!
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxx
login
!
scheduler allocate 20000 1000
end

markyd1985 · ‎11-24-2010

I'm not sure if this is correct? The FastEthernet 0/0 is the internal interface and ATM0/0/0 and ATM0/1/0 are the external interface there is also the Dailer0, can someone confirm this is correct or not.

interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-Map-1

Vikas Saxena · ‎11-24-2010

Hello Mark,

The crypto map will be on the outbound interface which is connected to the internet. In your case it will be the dialer interface. To remember, the crypto map will normally be on a interface which has 'ip nat outside' for internet bound traffic.

Vikas Saxena · ‎11-24-2010

Hello Mark,

These are the correct debugs in case you need to troubleshoot it further.

I hope after putting the crypto ACL first then the crypto map things may work.

Vikas Saxena · ‎11-24-2010

Hello Mark,

You need to put the crypto ACL first then attach the crypto map on the interface.

If you will attach the crypto map to the interface without defining the crypto acl then by default ALL the traffic is going to be encrypted by this router. That is the reason why the router become inaccessible through SSH or telnet or any other traffic for that matter.

markyd1985 · ‎11-24-2010

Hi Vikas,

Thanks for your help in this matter.

I've done this

ip access-list extended Crypto-list
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255

Should this be okay? I've taken the cryto map off the ethernet interface and put it on the dialer0.

Vikas Saxena · ‎11-24-2010

Hello Mark,

That's correct.

markyd1985 · ‎11-25-2010

I'm getting somewhere...

It looks like an encryption problem

########################### CONFIG ########################################

crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key burtonst1 address 78.XX.XXX.48
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 78.XX.XXX.48
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.78.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXX

ppp chap password 0 XXXXXXX

ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended Crypto-list
permit ip 192.168.78.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 78.XX.XX.48 any eq isakmp
permit esp host 78.XX.XXX.48 any
!
access-list 100 permit ip 192.168.78.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO

############################################################################

*Nov 25 10:55:17.663: ISAKMP: New peer created peer = 0x6377038C peer_handle = 0
x80000007
*Nov 25 10:55:17.663: ISAKMP: Locking peer struct 0x6377038C, IKE refcount 1 for
crypto_isakmp_process_block
*Nov 25 10:55:17.663: ISAKMP: local port 500, remote port 500
*Nov 25 10:55:17.667: insert sa successfully sa = 63955158
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_
R_MM1

*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 78.2
5.240.48
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0): local preshared key found
*Nov 25 10:55:17.667: ISAKMP : Scanning profiles for xauth ...
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against pri
ority 1 policy
*Nov 25 10:55:17.667: ISAKMP:      life type in seconds
*Nov 25 10:55:17.667: ISAKMP:      life duration (basic) of 28800
*Nov 25 10:55:17.667: ISAKMP:      encryption DES-CBC
*Nov 25 10:55:17.667: ISAKMP:      hash MD5
*Nov 25 10:55:17.667: ISAKMP:      auth pre-share
*Nov 25 10:55:17.667: ISAKMP:      default group 1
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not m
atch policy!
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against pri
ority 1 policy
*Nov 25 10:55:17.667: ISAKMP:      life type in seconds
*Nov 25 10:55:17.667: ISAKMP:      life duration (basic) of 28800
*Nov 25 10:55:17.667: ISAKMP:      encryption DES-CBC
*Nov 25 10:55:17.667: ISAKMP:      hash SHA
*Nov 25 10:55:17.667: ISAKMP:      auth pre-share
*Nov 25 10:55:17.667: ISAKMP:      default group 1
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match p
olicy!
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against pri
ority 1 policy
*Nov 25 10:55:17.667: ISAKMP:      life type in seconds
*Nov 25 10:55:17.667: ISAKMP:      life duration (basic) of 28800
*Nov 25 10:55:17.667: ISAKMP:      encryption 3DES-CBC
*Nov 25 10:55:17.667: ISAKMP:      hash MD5
*Nov 25 10:55:17.667: ISAKMP:      auth pre-share
*Nov 25 10:55:17.667: ISAKMP:      default group 1
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Nov 25 10:55:17.667: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against pri
ority 1 policy
*Nov 25 10:55:17.671: ISAKMP:      life type in seconds
*Nov 25 10:55:17.671: ISAKMP:      life duration (basic) of 28800
*Nov 25 10:55:17.671: ISAKMP:      encryption 3DES-CBC
*Nov 25 10:55:17.671: ISAKMP:      hash MD5
*Nov 25 10:55:17.671: ISAKMP:      auth pre-share
*Nov 25 10:55:17.671: ISAKMP:      default group 2
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 0
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against pri
ority 65535 policy
*Nov 25 10:55:17.671: ISAKMP:      life type in seconds
*Nov 25 10:55:17.671: ISAKMP:      life duration (basic) of 28800
*Nov 25 10:55:17.671: ISAKMP:      encryption DES-CBC
*Nov 25 10:55:17.671: ISAKMP:      hash MD5
*Nov 25 10:55:17.671: ISAKMP:      auth pre-share
*Nov 25 10:55:17.671: ISAKMP:      default group 1
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match p
olicy!
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against pri
ority 65535 policy
*Nov 25 10:55:17.671: ISAKMP:      life type in seconds
*Nov 25 10:55:17.671: ISAKMP:      life duration (basic) of 28800
*Nov 25 10:55:17.671: ISAKMP:      encryption DES-CBC
*Nov 25 10:55:17.671: ISAKMP:      hash SHA
*Nov 25 10:55:17.671: ISAKMP:      auth pre-share
*Nov 25 10:55:17.671: ISAKMP:      default group 1
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Authentication method offered does not
match policy!
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against pri
ority 65535 policy
*Nov 25 10:55:17.671: ISAKMP:      life type in seconds
*Nov 25 10:55:17.671: ISAKMP:      life duration (basic) of 28800
*Nov 25 10:55:17.671: ISAKMP:      encryption 3DES-CBC
*Nov 25 10:55:17.671: ISAKMP:      hash MD5
*Nov 25 10:55:17.671: ISAKMP:      auth pre-share
*Nov 25 10:55:17.671: ISAKMP:      default group 1
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against pri
ority 65535 policy
*Nov 25 10:55:17.671: ISAKMP:      life type in seconds
*Nov 25 10:55:17.671: ISAKMP:      life duration (basic) of 28800
*Nov 25 10:55:17.671: ISAKMP:      encryption 3DES-CBC
*Nov 25 10:55:17.671: ISAKMP:      hash MD5
*Nov 25 10:55:17.671: ISAKMP:      auth pre-share
*Nov 25 10:55:17.671: ISAKMP:      default group 2
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 0
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0):no offers accepted!
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (loc
al 77.107.173.176 remote 78.XX.XXX.48)
*Nov 25 10:55:17.671: ISAKMP (0:0): incrementing error counter on sa, attempt 1
of 5: construct_fail_ag_init
*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0): sending packet to 78.XX.XXX.48 my_port
500 peer_port 500 (R) MM_NO_STATE
*Nov 25 10:55:17.675: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Nov 25 10:55:17.675: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy

Vikas Saxena · ‎11-25-2010

*Nov 25 10:55:17.671: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable!

Your configuration:

crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600

Since you have not specified the encryption, by default it is DES.

Can you create one more policy with:

Cry isakmp policy 5

Hash md5

Encr 3des

Authen pre-share

Group 2

(All lower case).

markyd1985 · ‎11-25-2010

Still having problems, the vigor is setup with 3DES with encryption

dst src state conn-id slot status
77.xx.xx.176 78.xx.xxx.48 MM_NO_STATE 0 0 ACTIVE (deleted)

################## CONFIG ############

crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key burtonst1 address 78.xx.xxx.48
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 78.xx.xxx.48
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.78.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxx

ppp chap password 0 xxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended Crypto-list
permit ip 192.168.78.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 78.xx.xxx.48 any eq isakmp
permit esp host 78.xx.xxx.48 any
!
access-list 100 permit ip 192.168.78.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO

##############################################################

*Nov 25 12:08:45.491: ISAKMP: New peer created peer = 0x632737F8 peer_handle = 0
x80000017
*Nov 25 12:08:45.491: ISAKMP: Locking peer struct 0x632737F8, IKE refcount 1 for
crypto_isakmp_process_block
*Nov 25 12:08:45.491: ISAKMP: local port 500, remote port 500
*Nov 25 12:08:45.491: insert sa successfully sa = 639559E8
*Nov 25 12:08:45.491: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Nov 25 12:08:45.491: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_
R_MM1

*Nov 25 12:08:45.491: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Nov 25 12:08:45.491: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 78.2
5.240.48
*Nov 25 12:08:45.491: ISAKMP:(0:0:N/A:0): local preshared key found
*Nov 25 12:08:45.491: ISAKMP : Scanning profiles for xauth ...
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against pri
ority 1 policy
*Nov 25 12:08:45.495: ISAKMP:      life type in seconds
*Nov 25 12:08:45.495: ISAKMP:      life duration (basic) of 28800
*Nov 25 12:08:45.495: ISAKMP:      encryption DES-CBC
*Nov 25 12:08:45.495: ISAKMP:      hash MD5
*Nov 25 12:08:45.495: ISAKMP:      auth pre-share
*Nov 25 12:08:45.495: ISAKMP:      default group 1
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not m
atch policy!
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 0
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against pri
ority 5 policy
*Nov 25 12:08:45.495: ISAKMP:      life type in seconds
*Nov 25 12:08:45.495: ISAKMP:      life duration (basic) of 28800
*Nov 25 12:08:45.495: ISAKMP:      encryption DES-CBC
*Nov 25 12:08:45.495: ISAKMP:      hash MD5
*Nov 25 12:08:45.495: ISAKMP:      auth pre-share
*Nov 25 12:08:45.495: ISAKMP:      default group 1
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 0
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against pri
ority 65535 policy
*Nov 25 12:08:45.495: ISAKMP:      life type in seconds
*Nov 25 12:08:45.495: ISAKMP:      life duration (basic) of 28800
*Nov 25 12:08:45.495: ISAKMP:      encryption DES-CBC
*Nov 25 12:08:45.495: ISAKMP:      hash MD5
*Nov 25 12:08:45.495: ISAKMP:      auth pre-share
*Nov 25 12:08:45.495: ISAKMP:      default group 1
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match p
olicy!
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 0
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):no offers accepted!
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (loc
al 77.107.173.176 remote 78.xx.xxx.48)
*Nov 25 12:08:45.495: ISAKMP (0:0): incrementing error counter on sa, attempt 1
of 5: construct_fail_ag_init
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0): sending packet to 78.xx.xxx.48 my_port
500 peer_port 500 (R) MM_NO_STATE
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy pr
oposal not accepted" state (R) MM_NO_STATE (peer 78.xx.xxx.48)
*Nov 25 12:08:45.495: ISAKMP (0:0): FSM action returned error: 2
*Nov 25 12:08:45.495: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_
MAIN_MODE
*Nov 25 12:08:45.499: ISAKMP:(0:0:N/A:0):Old State = IKE_R_MM1 New State = IKE_
R_MM1

*Nov 25 12:08:45.499: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy pr
oposal not accepted" state (R) MM_NO_STATE (peer 78.xx.xxx.48)
*Nov 25 12:08:45.499: ISAKMP: Unlocking IKE struct 0x632737F8 for isadb_mark_sa_
deleted(), count 0
*Nov 25 12:08:45.499: ISAKMP: Deleting peer node by peer_reap for 78.xx.xxx.48:
632737F8
*Nov 25 12:08:45.499: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_D
EL
*Nov 25 12:08:45.499: ISAKMP:(0:0:N/A:0):Old State = IKE_R_MM1 New State = IKE_
DEST_SA

*Nov 25 12:08:45.499: IPSEC(key_engine): got a queue event with 1 kei messages
*Nov 25 12:08:45.499: ISAKMP:(0:0:N/A:0):deleting SA reason "No reason" state (R
) MM_NO_STATE (peer 78.xx.xxx.48)
*Nov 25 12:08:45.499: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_
ERROR
*Nov 25 12:08:45.499: ISAKMP:(0:0:N/A:0):Old State = IKE_DEST_SA New State = IK
E_DEST_SA

Vikas Saxena · ‎11-25-2010

Hello,

I have no idea about Vigor router (device) but it seems that the P1 proposals are not a match:

*Nov 25 12:08:45.495: ISAKMP: life type in seconds
*Nov 25 12:08:45.495: ISAKMP: life duration (basic) of 28800
*Nov 25 12:08:45.495: ISAKMP: encryption DES-CBC
*Nov 25 12:08:45.495: ISAKMP: hash MD5
*Nov 25 12:08:45.495: ISAKMP: auth pre-share
*Nov 25 12:08:45.495: ISAKMP: default group 1

Let us try to match it with what it is sending us

Create a new policy

Crypto isakmp policy 2

hash md5

authentication pre-share

group 1

encr des

Is there a way you post the phase1 and phase 2 parameters from the vigor