Cisco Support Community
New Member

Easy VPN setup error need help

Using CCP 2.1 I was trying to assign the IP address to the new loopback interface. When I did a show ip interface br it showed the interface unassigned:

Virtual-Access1            unassigned      YES unset  down                  down

Loopback1                  unassigned      YES TFTP   up                    up

Virtual-Template2          unassigned      NO  TFTP   down                  down

Here is the code that CCP created:

interface Loopback1

no shutdown

ip address 10.69.241.0 255.255.255.0

exit

So I tried to add the ip address thru the console

MyRouter(config)#interface loopback1

MyRouter(config-if)#no shutdown

MyRouter(config-if)#ip address 10.69.241.0 255.255.255.0

Bad mask /24 for address 10.69.241.0

MyRouter(config-if)#

What am I doing wrong?

Thanks

Tom

Thomas R Grassi Jr
New Member

Easy VPN setup error need help

I changed it to 10.69.241.0 255.0.0.0 and it accepted it. Now show ip interface brief:

Virtual-Access1            unassigned      YES unset  down                  down

Loopback1                  10.69.241.0     YES manual up                    up

Virtual-Template2          10.69.241.0     YES TFTP   down                  down

Does Virtual-Template2 need to be up, or does it come up when a client accesses the router?

Also, I am still not able to get any clients connected.

Tom

Thomas R Grassi Jr
New Member

Easy VPN setup error need help

I guess EASYVPN Server is not so EASY; maybe they should change the name.

No one can connect. My remote users do not connect. Here is my running config; can anyone see anything wrong?

Show crypto isakmp sa shows nothing, but I think that's because no one can connect. Am I right?


-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------


User Access Verification

Username: netman
Password:

MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

MyRouter#show config
Using 6108 out of 131072 bytes
!
! Last configuration change at 21:16:45 EST Fri Dec 30 2011 by netman
! NVRAM config last updated at 21:16:48 EST Fri Dec 30 2011 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.69.15 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01 nvram:IOS-Self-Sig#3302.cer
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
group 2
!
crypto isakmp client configuration group TGCSVPN
key tgcsvpn01
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group TGCSVPN
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
interface Loopback1
ip address 10.69.241.0 255.0.0.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
!
ip access-list extended denyDHCP
deny   udp any any eq bootpc
deny   udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
no cdp run
radius-server host 192.168.69.15 auth-port 1645 acct-port 1646
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175152
ntp server 141.165.5.137
end

MyRouter#

Happy new year everyone

I hope someone out there can figure this out for me

I am new to VPN on a cisco so I need all the help I can get

I have document 112037 that I used to guide me thru the setup  using CCP 2.1

Command line changes would be the best for me

Thanks

Tom

Thomas R Grassi Jr
Cisco Employee

Easy VPN setup error need help

Hi Thomas,

Happy New Year. Easy is a strange word. Can you please provide the following:

debug cry isa

and try to connect from any client to the router using the VPN client?

The virtual interface will come up when you connect successfully.

Cheers.

New Member

Easy VPN setup error need help

Mohammad

Thank you so much.

One question: I never ran debug before.

When I issue the debug cry isa, where do I get the information from?

I guess I must first stop the debug, but where is the information kept and how do I get to it? What command?

And also, how do I stop debug?

Thanks

Tom

Thomas R Grassi Jr
Cisco Employee

Easy VPN setup error need help

You should see it on the terminal. If you are connecting using a telnet/ssh session then use the following command before enabling debugs:

terminal monitor

To stop debugs use the following command:

un all

Cheers.

New Member

Easy VPN setup error need help

Mohammad

MyRouter#terminal monitor

MyRouter#debug crypto isakmp

Crypto ISAKMP debugging is on

MyRouter#debug crypto ipsec

Crypto IPSEC debugging is on

MyRouter#

I tried to connect and received no information.

I am using a Windows Vista laptop and a Windows 7 desktop, both using Network and Sharing Center with a VPN connection set up.

I should not need to install anything else, right? I should not need any VPN client software?

Think maybe you could try to vpn in?

You have the address in my config above

Let me know if you get anywhere

Tom

Thomas R Grassi Jr
Cisco Employee

Easy VPN setup error need help

Happy New Year Thomas.

I connected using Cisco VPN Client software to the router and I was able to see the username/password prompt, so VPN is working.

You need to use the following software:

Cisco VPN Client.

New Member

Easy VPN setup error need help

Mohammad

Thanks

Been trying to download the client but having issues. I can log on to this site but my logon does not work for the download site. Very strange.

Do you have links to a 64-bit version and a 32-bit version?

Thanks

Tom

Thomas R Grassi Jr
Cisco Employee

Easy VPN setup error need help

Hi Thomas,

The only way to download the client is to log in and then try the download. You may need to check your CCOID.

Cheers.

New Member

Easy VPN setup error need help

Mohammad

Thanks

I do not have a CCOID.

Any way I can get a copy without having one?

Or do I need to purchase the software? They should give it away for free.

Tom

Thomas R Grassi Jr
Cisco Employee

Easy VPN setup error need help

Hi Thomas.

To be able to download this software, you have to log in using a valid CCOID and download it.

HTH

Mohammad.

New Member

Easy VPN setup error need help

Mohammad

If you have time could you try to connect to my vpn again

I want to do a show crypto isakmp sa

So I can see what it looks like when someone is connected

Also, I posted an RSA PEM PKCS12 question, if you can take a look at that also.

Let me know when you connect

Thanks

Tom

Thomas R Grassi Jr
Hall of Fame Super Silver

Easy VPN setup error need help

Tom,

Have you tried to set up a CCO (Cisco Connection Online is the old name used on cisco.com) ID? You don't need to have a service contract to have a userid.

AFAIK the Cisco VPN Client software is free of charge. Using it will keep you off the rabbit hole of Shrewsoft etc. Creating a connection in the Cisco client will generate a *.pcf file that can be distributed to users to allow them to connect with fewer steps (i.e., without having to type in the gateway IP etc.).

BTW you should be using preshared key authentication, not certificate-based.

New Member

Re: Easy VPN setup error need help

Marvin

No, I do not know about CCO. How do I go about getting the Cisco VPN software for free?

Do you have links that you can post?

BTW I believe I have preshared defined; I chose that when I used CCP to define EASYVPN server.

Tom

Marvin

I just did a search on CCO and every link I find brings me right back to the new Cisco site and requires a service contract to download the VPN client.

Thomas R Grassi Jr
Hall of Fame Super Silver

Easy VPN setup error need help

Create an account for yourself at the cisco.com main site. You should be able to use the same userid you use for here (the Cisco support community). Once you've done that, see if it will allow you to download the Cisco VPN client. The link for that download would be this. 32-bit for Windows is the default version but you can choose others from the menu tree on that page.

The only legitimate source for the software is to get it from Cisco. Any third parties distributing it would likely be unauthorized.

I mentioned the preshared key because of your post about RSA and certificates. If you're using PSK, you shouldn't need to be concerned about certificates.

You really should consider a Smartnet contract for your little 800 series router. It should be less than $100 a year and would pay for itself 5 times over just getting you working for this case.

New Member

Easy VPN setup error need help

Marvin

I tried that yesterday. Using my account only gives me guest access, and that does not allow me to download the VPN client.

This should not be so default. Can't believe there is not a version that I can test to make sure it works without having to go through hoops to get it to work. This should be straightforward.

My router works fine, and really should not have to purchase a support contract just to get a client software package.

Yes, I do not like getting third-party software packages. Who knows what holes they left in the software?

If, as you say, it is free, then is there any way you can get me a copy?

Is there any way you can connect to my VPN just to see if it is really working or not?

Let me know. I want to watch the console when you connect so I can see what is going on.

Thanks

Tom

Thomas R Grassi Jr
Hall of Fame Super Silver

Easy VPN setup error need help

I sent you a PM re testing.

No, you shouldn't have to purchase Smartnet for the client software. If you purchased your router through authorized channels you do get 90 day warranty support at no charge. You should be able to get the TAC to provide the client software under that warranty term. It may take a call as opposed to opening a case online and you may need your PO number to confirm entitlement. Of course, if you got it on eBay, then all bets are off as far as support.

Smartnet gives you technical support through the Cisco TAC. They will work with you directly, via Webex if necessary, to identify any configuration problems to get your system working.

I'm just saying one TAC call gives you return on investment for the support cost. I figure for a device like yours, the cost of Smartnet support is less than 2 hours of staff time for a reasonably-compensated engineer, say even three hours for a technician. If you can save that many hours of effort (or more) with TAC support, it's paid for itself after one call.

New Member

Easy VPN setup error need help

Marvin

The warranty period is over. I bought it from a Cisco retailer, but that was over a year or more ago.

I called Cisco today and they are closed.

What is a PM re testing?

Tom

Thomas R Grassi Jr
Hall of Fame Super Silver

Re: Easy VPN setup error need help

Cisco TAC is open 24x7, even on Christmas. Use contact numbers listed here. But if you are past warranty and without a service contract that won't help.

PM is a Private Message. You should get an e-mail notification or alternatively can look on this page under "Account, Private Messages" to see them.

New Member

Easy VPN setup error need help

Marvin

Thanks

Hey, your prior post triggered something. When you said about certificates I then went back to using Microsoft's VPN connection and changed the setting to the preshared key, and now I am connecting but not getting any further than that:

MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
72.88.223.20    192.168.69.101  MM_NO_STATE          0    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

Then it times out with error 800, unable to establish the VPN connection.

This is what I get when I am connected

I will look at your PM in a while thanks

Tom

Thomas R Grassi Jr
Hall of Fame Super Silver

Re: Easy VPN setup error need help

MM_NO_STATE means you failed to connect (IKE Phase 1 negotiation didn't succeed). That is explained here.

I wouldn't expect the Microsoft VPN connection client to work, thus that message.

New Member

Easy VPN setup error need help

Marvin

Thanks

The link failed (page 404). Can you send it again?

Tom

I am guessing I don't have the Windows VPN connection set up properly, but I am one step further along. Baby steps here, I guess.

Thomas R Grassi Jr
Hall of Fame Super Silver

Easy VPN setup error need help

Try this link. The section tags seem to be giving cisco.com fits:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

or you can just Google the document title:

"IPsec Troubleshooting: Understanding and Using debug Commands".

In any case, the Microsoft VPN connection is not the right client to use.



New Member

Easy VPN setup error need help

Marvin

thanks

I turned on debugging when I attempted to connect

MyRouter#debug crypto isakmp
Crypto ISAKMP debugging is on
MyRouter#debug crypto ipsec
Crypto IPSEC debugging is on
MyRouter#terminal monitor
MyRouter#
.Jan  2 17:28:43.078: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (N) NEW SA
.Jan  2 17:28:43.078: ISAKMP: Created a peer struct for 192.168.69.101, peer por
t 500
.Jan  2 17:28:43.078: ISAKMP: New peer created peer = 0x82B83A40 peer_handle = 0
x80000010
.Jan  2 17:28:43.078: ISAKMP: Locking peer struct 0x82B83A40, refcount 1 for cry
pto_isakmp_process_block
.Jan  2 17:28:43.078: ISAKMP: local port 500, remote port 500
.Jan  2 17:28:43.078: insert sa successfully sa = 82B5F3EC
.Jan  2 17:28:43.078: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan  2 17:28:43.078: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

.Jan  2 17:28:43.082: ISAKMP:(0): processing SA payload. message ID = 0
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatc
h
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID is NAT-T v2
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0):No pre-shared key with 192.168.69.101!
.Jan  2 17:28:43.082: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profi
le-1
.Jan  2 17:28:43.082: ISAKMP:(0): Authentication by xauth preshared
.Jan  2 17:28:43.082: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1
policy
.Jan  2 17:28:43.082: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.082: ISAKMP:      keylength of 256
.Jan  2 17:28:43.082: ISAKMP:      hash SHA
.Jan  2 17:28:43.082: ISAKMP:      unknown DH group 20
.Jan  2 17:28:43.082: ISAKMP:      auth pre-share
.Jan  2 17:28:43.082: ISAKMP:      life type in seconds
.Jan  2 17:28:43.082: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.086: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1
policy
.Jan  2 17:28:43.086: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.086: ISAKMP:      keylength of 128
.Jan  2 17:28:43.086: ISAKMP:      hash SHA
.Jan  2 17:28:43.086: ISAKMP:      unknown DH group 19
.Jan  2 17:28:43.086: ISAKMP:      auth pre-share
.Jan  2 17:28:43.086: ISAKMP:      life type in seconds
.Jan  2 17:28:43.086: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.086: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1
policy
.Jan  2 17:28:43.086: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.086: ISAKMP:      hash SHA
.Jan  2 17:28:43.086: ISAKMP:      unknown DH group 14
.Jan  2 17:28:43.086: ISAKMP:      auth pre-share
.Jan  2 17:28:43.086: ISAKMP:      life type in seconds
.Jan  2 17:28:43.086: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.086: ISAKMP:(0):Preshared authentication offered but does not m
atch policy!
.Jan  2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1
policy
.Jan  2 17:28:43.086: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.086: ISAKMP:      hash SHA
.Jan  2 17:28:43.086: ISAKMP:      default group 2
.Jan  2 17:28:43.086: ISAKMP:      auth pre-share
.Jan  2 17:28:43.086: ISAKMP:      life type in seconds
.Jan  2 17:28:43.086: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.086: ISAKMP:(0):Preshared authentication offered but does not m
atch policy!
.Jan  2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Jan  2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2
policy
.Jan  2 17:28:43.086: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.086: ISAKMP:      keylength of 256
.Jan  2 17:28:43.086: ISAKMP:      hash SHA
.Jan  2 17:28:43.086: ISAKMP:      unknown DH group 20
.Jan  2 17:28:43.086: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2
policy
.Jan  2 17:28:43.090: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.090: ISAKMP:      keylength of 128
.Jan  2 17:28:43.090: ISAKMP:      hash SHA
.Jan  2 17:28:43.090: ISAKMP:      unknown DH group 19
.Jan  2 17:28:43.090: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2
policy
.Jan  2 17:28:43.090: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.090: ISAKMP:      hash SHA
.Jan  2 17:28:43.090: ISAKMP:      unknown DH group 14
.Jan  2 17:28:43.090: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2
policy
.Jan  2 17:28:43.090: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.090: ISAKMP:      hash SHA
.Jan  2 17:28:43.090: ISAKMP:      default group 2
.Jan  2 17:28:43.090: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Jan  2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65
535 policy
.Jan  2 17:28:43.090: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.090: ISAKMP:      keylength of 256
.Jan  2 17:28:43.090: ISAKMP:      hash SHA
.Jan  2 17:28:43.090: ISAKMP:      unknown DH group 20
.Jan  2 17:28:43.090: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.094: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65
535 policy
.Jan  2 17:28:43.094: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.094: ISAKMP:      keylength of 128
.Jan  2 17:28:43.094: ISAKMP:      hash SHA
.Jan  2 17:28:43.094: ISAKMP:      unknown DH group 19
.Jan  2 17:28:43.094: ISAKMP:      auth pre-share
.Jan  2 17:28:43.094: ISAKMP:      life type in seconds
.Jan  2 17:28:43.094: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.094: ISAKMP:(0):Checking ISAKMP transform 3 against priority 65
535 policy
.Jan  2 17:28:43.094: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.094: ISAKMP:      hash SHA
.Jan  2 17:28:43.094: ISAKMP:      unknown DH group 14
.Jan  2 17:28:43.094: ISAKMP:      auth pre-share
.Jan  2 17:28:43.094: ISAKMP:      life type in seconds
.Jan  2 17:28:43.094: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.094: ISAKMP:(0):Checking ISAKMP transform 4 against priority 65
535 policy
.Jan  2 17:28:43.094: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.094: ISAKMP:      hash SHA
.Jan  2 17:28:43.094: ISAKMP:      default group 2
.Jan  2 17:28:43.094: ISAKMP:      auth pre-share
.Jan  2 17:28:43.094: ISAKMP:      life type in seconds
.Jan  2 17:28:43.094: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Jan  2 17:28:43.094: ISAKMP:(0):no offers accepted!
.Jan  2 17:28:43.094: ISAKMP:(0): phase 1 SA policy not acceptable! (local 72.88
.223.20 remote 192.168.69.101)
.Jan  2 17:28:43.094: ISAKMP (0:0): incrementing error counter on sa, attempt 1
of 5: construct_fail_ag_init
.Jan  2 17:28:43.094: ISAKMP:(0): sending packet to 192.168.69.101 my_port 500 p
eer_port 500 (R) MM_NO_STATE
.Jan  2 17:28:43.094: ISAKMP:(0):peer does not do paranoid keepalives.

.Jan  2 17:28:43.094: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal n
ot accepted" state (R) MM_NO_STATE (peer 192.168.69.101)
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatc
h
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID is NAT-T v2
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismat
ch
.Jan  2 17:28:43.098: ISAKMP (0:0): FSM action returned error: 2
.Jan  2 17:28:43.098: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MOD
E
.Jan  2 17:28:43.098: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

.Jan  2 17:28:43.098: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal n
ot accepted" state (R) MM_NO_STATE (peer 192.168.69.101)
.Jan  2 17:28:43.098: ISAKMP: Unlocking peer struct 0x82B83A40 for isadb_mark_sa
_deleted(), count 0
.Jan  2 17:28:43.102: ISAKMP: Deleting peer node by peer_reap for 192.168.69.101
: 82B83A40
.Jan  2 17:28:43.102: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Jan  2 17:28:43.102: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

.Jan  2 17:28:43.102: IPSEC(key_engine): got a queue event with 1 KMI message(s)
.Jan  2 17:28:43.102: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_
STATE (peer 192.168.69.101)
.Jan  2 17:28:43.102: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
.Jan  2 17:28:43.102: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_S
A

.Jan  2 17:28:45.077: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:28:48.080: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:28:52.079: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:29:01.081: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:29:18.084: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:29:34.092: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:29:43.085: ISAKMP:(0):purging SA., sa=82B5F3EC, delme=82B5F3EC

What do you think?

Tom

Thomas R Grassi Jr
Hall of Fame Super Silver

Easy VPN setup error need help

Tom,

Debug just gives you the gory details of why Microsoft's built-in client does not work:

     Encryption algorithm offered does not match policy!

All those details show the router trying one after another of the Cisco-supported standard IPSec algorithms and the Microsoft client not matching any of them. You MIGHT be able to wrestle the MS client into working. I see one post out there of a guy who did it with XP:

http://www.smallnetbuilder.com/lanwan/lanwan-howto/24429-howtoxpipsec

The Cisco VPN client will do all that automagically.

New Member

Easy VPN setup error need help

Marvin

Thanks, but not going to switch to a Linksys device now.

Need to get the Cisco VPN client; will have to wait till Tuesday when they open.

You said you connected to my site OK, right? Are you using Cisco VPN client? If so, what version? What OS?

Tom

Thomas R Grassi Jr
Hall of Fame Super Silver

Re: Easy VPN setup error need help

Connection using the Cisco VPN client (version 5.0.07.0440 64-bit binary on Windows 7 Ultimate) gets one to your password prompt after initially specifying your 72.88.223.20 public IP and the TGCSVPN group with tgcsvpn01 group password. A valid username and password would be required to successfully complete login authentication and validate your VPN setup.
