We are evaluating an asa5520 and are attempting to build a site to site 3des ipsec vpn with an 851. We followed the examples in a cisco how to, but can't get the tunnel up. Show crypto isakmp sa shows the router is in AG_INIT_EXCH state, and debugs show the following error "Encryption algorithm offered does not match policy!" Attempts to auth on the router with the "crypto ipsec client ezvpn xauth" command says there are no xauth requests pending.
The 851 crypto ipsec client ezvpn is set to connect auto so I'm stumped atm....
We have abandoned the EZVPN method and are attempting to get a lan 2 lan 3des ipsec vpn tunnel established between the asa5520 and the 851 router. There is no "show isakmp policy" command on either device, however I have included an attached file that contains the relevant configurations for both devices, as well as debug outputs.
It appears to me that phase 1 completes, but that the ASA does not recognize the crypto map ipsec data from the 851. Please review the attached file and let me know what you think.
Thanks Jay for the link. I followed the steps but still can't get the tunnel to build. I believe the problem is on the ASA end, and I noticed that the crypto policy command syntax in the document is different than the commands in our 7.21-k8.bin ver on the asa5520 (the cmds are subsets of the policy, which should work but are different):
crypto isakmp policy 4
On the ASA, I see that Phase 1 completes, but we keep getting a QM FSM error (see below):
%ASA-3-713119: Group = <851 ext addy>, IP = <851 ext addy>, PHASE 1 COMPLETED
%ASA-3-713061: Group = <851 ext addy>, IP = <851 ext addy>, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.1.55.80/255.255.255.240/0/0 local proxy 10.0.0.0/255.0.0.0/0/0 on interface outside
%ASA-3-713902: Group = <851 ext addy>, IP = <851 ext addy>, QM FSM error (P2 struct &0x46f8388, mess id 0x61122fc8)!
%ASA-3-713902: Group = <851 ext addy>, IP = <851 ext addy>, Removing peer from correlator table failed, no match!
Thanks Jay, I found the problem. The ACLs defined on the 851 for interesting traffic were less granular than the filters on the ASA, so even though the ACL was getting matches, phase 2 was never completing to build the tunnel.
I presumed (incorrectly) that having a filter that encompassed the ranges of networks was sufficient, but apparently the statements must be congruent.
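The congruence rule from the last post, checked mechanically: this is an added example (not from the thread, and not Cisco's code) that parses a constructed IOS crypto ACL and a constructed ASA crypto ACL and reports any entry whose mirror image is missing on the other peer. The ACL lines are made up; the network values reuse the proxies from the 713061 log line above.

```python
import ipaddress

# Constructed sample ACLs (not from the thread). The router side uses IOS
# wildcard masks; the ASA side uses ordinary netmasks.
ROUTER_ACL = """\
access-list 101 remark crypto ACL on the 851
access-list 101 permit ip 10.1.55.80 0.0.0.15 10.0.0.0 0.255.255.255
"""
# Too granular: the ASA protects only 10.0.1.0/24 while the router offers 10.0.0.0/8.
ASA_ACL_BROKEN = "access-list L2L extended permit ip 10.0.1.0 255.255.255.0 10.1.55.80 255.255.255.240\n"
# Congruent: an exact mirror of the router's entry.
ASA_ACL_FIXED = "access-list L2L extended permit ip 10.0.0.0 255.0.0.0 10.1.55.80 255.255.255.240\n"

def _network(addr, mask, inverted):
    """Build a network from address + mask; IOS wildcard masks are inverted netmasks."""
    if inverted:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(text, ios):
    """Return the set of (local, remote) network pairs a crypto ACL selects,
    where 'local' is the first address/mask pair and 'remote' the second."""
    pairs = set()
    for line in text.splitlines():
        t = line.split()
        if "permit" not in t:
            continue          # remarks, denies, blank lines
        i = t.index("permit") + 1
        if t[i] != "ip":
            continue          # crypto ACLs should select whole protocol 'ip'
        pairs.add((_network(t[i + 1], t[i + 2], ios), _network(t[i + 3], t[i + 4], ios)))
    return pairs

def mirror_mismatches(side_a, side_b):
    """Phase 2 proxy IDs must match exactly: every (local, remote) entry on one
    peer needs the reversed entry on the other. Return entries lacking a mirror."""
    b_mirrored = {(remote, local) for (local, remote) in side_b}
    return sorted(side_a ^ b_mirrored, key=str)

if __name__ == "__main__":
    router = parse_acl(ROUTER_ACL, ios=True)
    for label, asa_text in (("broken", ASA_ACL_BROKEN), ("fixed", ASA_ACL_FIXED)):
        bad = mirror_mismatches(parse_acl(asa_text, ios=False), router)
        print(label, "->", "congruent" if not bad else f"{len(bad)} unmatched proxy pairs: {bad}")
```

The "broken" case reproduces the situation in the log: the router's 10.0.0.0/8 proxy has no identical counterpart on the ASA, so no crypto map entry matches and phase 2 fails.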
I am doing the EZVPN Server (ASA5500) and EZVPN client (Cisco 1841) method. My Cisco 1841 is using a dynamic IP as well. Working fine. My Cisco 1841 config. (To establish the VPN connection, users just need to launch a browser and go to any site, and the authentication prompt will appear.)
username cisco password cisco
crypto ipsec client ezvpn SUPERMAN
group remotevpn key cisco
xauth userid mode http-intercept 401
ip address 11.x.11.x.255.255.0
ip nat inside
crypto ipsec client ezvpn SUPERMAN inside
ip address dhcp
ip nat outside
crypto ipsec client ezvpn SUPERMAN
ip nat inside source list 105 interface FastEthernet0/1 overload
access-list 105 deny ip 18.104.22.168 0.0.0.255 192.168.188.0 0.0.0.255
access-list 105 permit ip 22.214.171.124 0.0.0.255 any