New Member

Connecting a VPN client to a Cisco IOS access server

Hi all,

I want to set up a VPN from a PC connected to a LAN to an access server. I'm using Cisco VPN client version 3.6.3, and the IOS installed on the Cisco is Version 12.2(11)T3. The problem is that the connection is always refused by the access server. Note that I used DES encryption, not 3DES, because the IOS does not support 3DES. The configuration is as follows:

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp policy 3
 encr des
 authentication pre-share
 group 2
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!

Also debug is found below:

Feb 4 10:26:00.931 GMT: ISAKMP: Created a peer node for 62.140.64.222

Feb 4 10:26:00.931 GMT: ISAKMP (0:1): Setting client config settings 66AF2940

Feb 4 10:26:00.931 GMT: ISAKMP (0:1): (Re)Setting client xauth list userauthen and state

Feb 4 10:26:00.931 GMT: ISAKMP: Locking CONFIG struct 0x66AF2940 from crypto_ikmp_config_initialize_sa, count 1

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): processing SA payload. message ID = 0

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): processing ID payload. message ID = 0

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): processing vendor id payload

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): vendor ID is XAUTH

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): processing vendor id payload

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): vendor ID is DPD

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): processing vendor id payload

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): processing vendor id payload

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): processing vendor id payload

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): vendor ID is Unity

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 3 policy

Feb 4 10:26:00.935 GMT: ISAKMP: encryption... What? 7?

Feb 4 10:26:00.935 GMT: ISAKMP: hash SHA

Feb 4 10:26:00.935 GMT: ISAKMP: default group 2

Feb 4 10:26:00.935 GMT: ISAKMP: auth XAUTHInitPreShared

Feb 4 10:26:00.935 GMT: ISAKMP: life type in seconds

Feb 4 10:26:00.935 GMT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

Feb 4 10:26:00.935 GMT: ISAKMP: attribute 14

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Encryption algorithm offered does not match policy!

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): atts are not acceptable. Next payload is 3

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 3 policy

Feb 4 10:26:00.935 GMT: ISAKMP: encryption... What? 7?

Feb 4 10:26:00.935 GMT: ISAKMP: hash MD5

Feb 4 10:26:00.935 GMT: ISAKMP: default group 2

Feb 4 10:26:00.935 GMT: ISAKMP: auth XAUTHInitPreShared

Feb 4 10:26:00.935 GMT: ISAKMP: life type in seconds

Feb 4 10:26:00.935 GMT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

Feb 4 10:26:00.935 GMT: ISAKMP: attribute 14

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Encryption algorithm offered does not match policy!

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): atts are not acceptable. Next payload is 3

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 3 policy

Feb 4 10:26:00.935 GMT: ISAKMP: encryption... What? 7?

Feb 4 10:26:00.935 GMT: ISAKMP: hash SHA

Feb 4 10:26:00.935 GMT: ISAKMP: default group 2

Feb 4 10:26:00.935 GMT: ISAKMP: auth pre-share

Feb 4 10:26:00.935 GMT: ISAKMP: life type in seconds

Feb 4 10:26:00.935 GMT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

Feb 4 10:26:00.935 GMT: ISAKMP: attribute 14

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Encryption algorithm offered does not match policy!

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): atts are not acceptable. Next payload is 3

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 3 policy

Feb 4 10:26:00.935 GMT: ISAKMP: encryption... What? 7?

Feb 4 10:26:00.935 GMT: ISAKMP: hash MD5

Feb 4 10:26:00.935 GMT: ISAKMP: default group 2

Feb 4 10:26:00.935 GMT: ISAKMP: auth pre-share

Feb 4 10:26:00.935 GMT: ISAKMP: life type in seconds

Feb 4 10:26:00.935 GMT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

Feb 4 10:26:00.935 GMT: ISAKMP: attribute 14

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Encryption algorithm offered does not match policy!

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): atts are not acceptable. Next payload is 3

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 3 policy

Feb 4 10:26:00.935 GMT: ISAKMP: encryption... What? 7?

Feb 4 10:26:00.935 GMT: ISAKMP: hash SHA

Feb 4 10:26:00.935 GMT: ISAKMP: default group 2

Feb 4 10:26:00.935 GMT: ISAKMP: auth XAUTHInitPreShared

Feb 4 10:26:00.935 GMT: ISAKMP: life type in seconds

Feb 4 10:26:00.935 GMT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

Feb 4 10:26:00.935 GMT: ISAKMP: attribute 14

Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Encryption algorithm offered does not match policy!

Please Help

regards,

1 REPLY
Cisco Employee

Re: Connecting a VPN client to a Cisco IOS access server

Try the following:

crypto isakmp policy 3

   hash md5

The 3.6 client (and higher) no longer proposes a DES/SHA policy which is what you have configured. Changing it to DES/MD5 should get you past Phase 1 at least.
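Added example, not part of the original posts: a small parser for `debug crypto isakmp` output in the format shown in the question, listing each transform the client offered and which attribute disagrees with the router's Phase 1 policy. The sample lines are constructed in the page's format (the DES/MD5 offer illustrates the reply's point and is not from the poster's log), and the ID-to-name table assumes the IANA IKEv1 registry, where encryption ID 7 is AES-CBC.

```python
import re

# IKEv1 encryption algorithm IDs (IANA registry). IOS 12.2(11)T prints IDs it
# does not recognise as "What? N?", as seen in the debug output above.
IKE_ENCR = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}

# Constructed sample in the format of the debug above (not the poster's log).
SAMPLE = """\
Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 3 policy
Feb 4 10:26:00.935 GMT: ISAKMP: encryption... What? 7?
Feb 4 10:26:00.935 GMT: ISAKMP: hash SHA
Feb 4 10:26:00.935 GMT: ISAKMP: default group 2
Feb 4 10:26:00.935 GMT: ISAKMP: auth XAUTHInitPreShared
Feb 4 10:26:00.935 GMT: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 3 policy
Feb 4 10:26:00.935 GMT: ISAKMP: encryption DES-CBC
Feb 4 10:26:00.935 GMT: ISAKMP: hash MD5
Feb 4 10:26:00.935 GMT: ISAKMP: default group 2
Feb 4 10:26:00.935 GMT: ISAKMP: auth XAUTHInitPreShared
"""

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group)\s*(?:\.\.\. What\? (\d+)\?|(\S+))")

def parse_offers(log):
    """Return one dict per transform the client offered."""
    offers = []
    for line in log.splitlines():
        if m := HEADER.search(line):
            offers.append({"transform": int(m.group(1)), "priority": int(m.group(2))})
        elif offers and (m := ATTR.search(line)):
            name, unknown_id, value = m.groups()
            if unknown_id:  # router could not name the algorithm; decode the raw ID
                value = IKE_ENCR.get(int(unknown_id), f"id-{unknown_id}")
            offers[-1][name] = value
    return offers

def mismatches(offer, policy):
    """Names of the attributes where the offer differs from the router's policy."""
    return [k for k, want in policy.items() if offer.get(k) != want]

# Policy from the question: encr des, group 2, hash left at the IOS default (SHA).
POLICY = {"encryption": "DES-CBC", "hash": "SHA", "default group": "2"}

if __name__ == "__main__":
    for o in parse_offers(SAMPLE):
        print(o["transform"], o.get("encryption"), o.get("hash"), mismatches(o, POLICY) or "match")
```

Against the posted policy the constructed DES/MD5 offer fails only on `hash`, which is the attribute the reply's `hash md5` line changes.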
