Easy VPN Issue

Hi everybody,

I'm getting stuck with one of my configurations (Easy VPN Server).

Here is my configuration:

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2


crypto isakmp client configuration address-pool local DHCP_VPN_Client
crypto isakmp xauth timeout 60
crypto isakmp client configuration group VictoriaIpsec
 key 6 _MSUQ[KP_Lg`Ii\dhfQTWLJQg`XgWPOiBE[YAAB
 dns 10.30.10.1 10.30.10.10
 wins 10.30.10.1 10.30.10.10
 domain victoria.local
 pool DHCP_VPN_Client
 acl SplitAClVPN

crypto ipsec transform-set MyEasy esp-3des esp-sha-hmac 
no crypto ipsec nat-transparency udp-encapsulation

crypto dynamic-map Mymap 1
 set transform-set MyEasy
 reverse-route

crypto map VPN-TUNNEL client authentication list My_AUTHENT
crypto map VPN-TUNNEL isakmp authorization list VictoriaIpsec
crypto map VPN-TUNNEL client configuration address respond
crypto map VPN-TUNNEL 1 ipsec-isakmp dynamic Mymap 

Here are some show commands:

RTBORDER_EDGE2#sh crypto map interface FastEthernet0/1.212
Crypto Map IPv4 "VPN-TUNNEL" 1 ipsec-isakmp
        Dynamic map template tag: Mymap
        Interfaces using crypto map VPN-TUNNEL:
                FastEthernet0/1.212


Crypto Map IPv4 "VPN-TUNNEL" 1 ipsec-isakmp
        Dynamic map template tag: Mymap
        Interfaces using crypto map VPN-TUNNEL:
                FastEthernet0/1.212

 

 


 Pool                     Begin           End             Free  In use   Blocked
 DHCP_VPN_Client          10.30.201.1     10.30.201.50      50       0       0

 

And also my AAA is working fine.

Here is the output from the debug:

Oct 28 15:11:21.139: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (N) NEW SA

*Oct 28 15:11:21.139: ISAKMP: Created a peer struct for 105.172.0.76, peer port 44189

*Oct 28 15:11:21.139: ISAKMP: New peer created peer = 0x4BF15664 peer_handle = 0x8000000B

*Oct 28 15:11:21.143: ISAKMP: Locking peer struct 0x4BF15664, refcount 1 for crypto_isakmp_process_block

*Oct 28 15:11:21.143: ISAKMP:(0):Setting client config settings 4B266074

*Oct 28 15:11:21.143: ISAKMP:(0):(Re)Setting client xauth list  and state

*Oct 28 15:11:21.143: ISAKMP/xauth: initializing AAA request

*Oct 28 15:11:21.143: AAA/BIND(00000016): Bind i/f  

*Oct 28 15:11:21.143: ISAKMP: local port 500, remote port 44189

*Oct 28 15:11:21.143: ISAKMP:(0):insert sa successfully sa = 4B582F54

*Oct 28 15:11:21.143: ISAKMP:(0): processing SA payload. message ID = 0

*Oct 28 15:11:21.143: ISAKMP:(0): processing ID payload. message ID = 0

*Oct 28 15:11:21.143: ISAKMP (0): ID payload 

        next-payload : 13

        type         : 11 

        group id     : VictoriaIpsec 

        protocol     : 17 

        port         : 500 

        length       : 21

*Oct 28 15:11:21.143: ISAKMP:(0):: peer matches *none* of the profiles

*Oct 28 15:11:21.143: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.143: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

*Oct 28 15:11:21.143: ISAKMP:(0): vendor ID is XAUTH

*Oct 28 15:11:21.143: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.143: ISAKMP:(0): vendor ID is DPD

*Oct 28 15:11:21.143: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.143: ISAKMP:(0): processing IKE frag vendor id payload

*Oct 28 15:11:21.147: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Oct 28 15:11:21.147: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.147: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Oct 28 15:11:21.147: ISAKMP:(0): vendor ID is NAT-T v2

*Oct 28 15:11:21.147: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.147: ISAKMP:(0): vendor ID is Unity

*Oct 28 15:11:21.147: ISAKMP:(0): Authentication by xauth preshared

*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Oct 28 15:11:21.147: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.147: ISAKMP:      hash SHA

*Oct 28 15:11:21.147: ISAKMP:      default group 2

*Oct 28 15:11:21.147: ISAKMP:      auth XAUTHInitPreShared

*Oct 28 15:11:21.147: ISAKMP:      life type in seconds

*Oct 28 15:11:21.147: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.147: ISAKMP:      keylength of 256

*Oct 28 15:11:21.147: ISAKMP:(0):Proposed key length does not match policy

*Oct 28 15:11:21.147: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy

*Oct 28 15:11:21.147: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.147: ISAKMP:      hash MD5

*Oct 28 15:11:21.147: ISAKMP:      default group 2

*Oct 28 15:11:21.147: ISAKMP:      auth XAUTHInitPreShared

*Oct 28 15:11:21.147: ISAKMP:      life type in seconds

*Oct 28 15:11:21.147: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.147: ISAKMP:      keylength of 256

*Oct 28 15:11:21.147: ISAKMP:(0):Hash algorithm offered does not match policy!

*Oct 28 15:11:21.147: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy

*Oct 28 15:11:21.147: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.147: ISAKMP:      hash SHA

*Oct 28 15:11:21.147: ISAKMP:      default group 2

*Oct 28 15:11:21.147: ISAKMP:      auth pre-share

*Oct 28 15:11:21.147: ISAKMP:      life type in seconds

*Oct 28 15:11:21.147: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.151: ISAKMP:      keylength of 256

*Oct 28 15:11:21.151: ISAKMP:(0):Proposed key length does not match policy

*Oct 28 15:11:21.151: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 28 15:11:21.151: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy

*Oct 28 15:11:21.151: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.151: ISAKMP:      hash MD5

*Oct 28 15:11:21.151: ISAKMP:      default group 2

*Oct 28 15:11:21.151: ISAKMP:      auth pre-share

*Oct 28 15:11:21.151: ISAKMP:      life type in seconds

*Oct 28 15:11:21.151: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.151: ISAKMP:      keylength of 256

*Oct 28 15:11:21.151: ISAKMP:(0):Hash algorithm offered does not match policy!

*Oct 28 15:11:21.151: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 28 15:11:21.151: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy

*Oct 28 15:11:21.151: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.151: ISAKMP:      hash SHA

*Oct 28 15:11:21.151: ISAKMP:      default group 2

*Oct 28 15:11:21.151: ISAKMP:      auth XAUTHInitPreShared

*Oct 28 15:11:21.151: ISAKMP:      life type in seconds

*Oct 28 15:11:21.151: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.151: ISAKMP:      keylength of 128

*Oct 28 15:11:21.151: ISAKMP:(0):atts are acceptable. Next payload is 3

*Oct 28 15:11:21.151: ISAKMP:(0):Acceptable atts:actual life: 86400

*Oct 28 15:11:21.151: ISAKMP:(0):Acceptable atts:life: 0

*Oct 28 15:11:21.151: ISAKMP:(0):Fill atts in sa vpi_length:4

*Oct 28 15:11:21.151: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483

*Oct 28 15:11:21.151: ISAKMP:(0):Returning Actual lifetime: 86400

*Oct 28 15:11:21.151: ISAKMP:(0)::Started lifetime timer: 86400.

 

*Oct 28 15:11:21.151: ISAKMP:(0): processing KE payload. message ID = 0

*Oct 28 15:11:21.203: ISAKMP:(0): processing NONCE payload. message ID = 0

*Oct 28 15:11:21.203: ISAKMP:(0): vendor ID is NAT-T v2

*Oct 28 15:11:21.203: ISAKMP:(0):peer does not do paranoid keepalives.

 

*Oct 28 15:11:21.203: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 105.172.0.76)

*Oct 28 15:11:21.203: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY

*Oct 28 15:11:21.203: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

*Oct 28 15:11:21.203: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY 

 

*Oct 28 15:11:21.207: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 105.172.0.76

RTBORDER_EDGE2#

*Oct 28 15:11:21.207: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 105.172.0.76) 

*Oct 28 15:11:21.207: ISAKMP: Unlocking peer struct 0x4BF15664 for isadb_mark_sa_deleted(), count 0

*Oct 28 15:11:21.207: ISAKMP: Deleting peer node by peer_reap for 105.172.0.76: 4BF15664

*Oct 28 15:11:21.207: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Oct 28 15:11:21.207: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA 

 

*Oct 28 15:11:21.207: IPSEC(key_engine): got a queue event with 1 KMI message(s)

RTBORDER_EDGE2#

*Oct 28 15:11:25.879: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (R) MM_NO_STATE

RTBORDER_EDGE2#

*Oct 28 15:11:33.347: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (R) MM_NO_STATE

RTBORDER_EDGE2#

*Oct 28 15:11:37.839: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (R) MM_NO_STATE

RTBORDER_EDGE2#
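
The following is an added example, not part of the original post: a small Python parser that condenses `debug crypto isakmp` output in the format shown above into one verdict per offered transform, plus any SA deletions and CRYPTO syslog messages. The function name `summarize` is illustrative, and the embedded log is a shortened excerpt of the debug lines above.

```python
import re

# Shortened excerpt of the debug lines from the post, embedded so this runs offline.
SAMPLE_LOG = """\
*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 28 15:11:21.147: ISAKMP:      encryption AES-CBC
*Oct 28 15:11:21.147: ISAKMP:      hash SHA
*Oct 28 15:11:21.147: ISAKMP:      keylength of 256
*Oct 28 15:11:21.147: ISAKMP:(0):Proposed key length does not match policy
*Oct 28 15:11:21.147: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 28 15:11:21.151: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 28 15:11:21.151: ISAKMP:      encryption AES-CBC
*Oct 28 15:11:21.151: ISAKMP:      hash SHA
*Oct 28 15:11:21.151: ISAKMP:      keylength of 128
*Oct 28 15:11:21.151: ISAKMP:(0):atts are acceptable. Next payload is 3
*Oct 28 15:11:21.203: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 105.172.0.76)
*Oct 28 15:11:21.207: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 105.172.0.76
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
REASON = re.compile(r"ISAKMP:\(\d+\):(.+does not match policy)")
VERDICT = re.compile(r"atts are (not )?acceptable")
DELETED = re.compile(r'deleting SA reason "([^"]+)" state \((\w)\) (\S+)')
SYSLOG = re.compile(r"%(CRYPTO-\d-\w+): (.+)")

def summarize(log):
    """Reduce an ISAKMP debug capture to per-transform verdicts and failure events."""
    result = {"transforms": [], "sa_deleted": [], "syslog": []}
    current = None  # transform proposal currently being evaluated by the router
    for line in log.splitlines():
        if m := CHECK.search(line):
            current = {"transform": int(m[1]), "policy": int(m[2]),
                       "attrs": {}, "reason": None, "accepted": None}
            result["transforms"].append(current)
        elif current and current["accepted"] is None and (m := ATTR.search(line)):
            current["attrs"][m[1].replace(" of", "")] = m[2]
        elif current and current["accepted"] is None and (m := REASON.search(line)):
            current["reason"] = m[1]  # why the router rejected this proposal
        elif current and current["accepted"] is None and (m := VERDICT.search(line)):
            current["accepted"] = m[1] is None  # no "not " means accepted
        elif m := DELETED.search(line):
            result["sa_deleted"].append((m[1], m[3]))  # (reason, IKE state)
        elif m := SYSLOG.search(line):
            result["syslog"].append(m[1])
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
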
