New Member

Remote Access VPN with existing site-to-site tunnel

Hi there!

I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.

I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.

The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the debugging ipsec and isakmp:

murasaki#
*Oct  6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct  6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct  6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct  6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct  6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct  6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct  6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct  6 08:06:43: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Oct  6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct  6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct  6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is Unity
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
*Oct  6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct  6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct  6 08:06:43: ISAKMP:(0): vendor ID is DPD
*Oct  6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct  6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct  6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      life type in seconds
*Oct  6 08:06:43: ISAKMP:      life duration (basic) of 3600
*Oct  6 08:06:43: ISAKMP:      encryption DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:      default group 2
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct  6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
*Oct  6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct  6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
*Oct  6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
*Oct  6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct  6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.

*Oct  6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct  6 08:06:43: ISAKMP (0): FSM action returned error: 2
*Oct  6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct  6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Oct  6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct  6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
*Oct  6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
*Oct  6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct  6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

*Oct  6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATE
murasaki#

If I specify my key like a site-to-site VPN key like this:

crypto isakmp key xxx address 0.0.0.0

Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.

Configuration:

!
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
hostname murasaki
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login client_vpn_authentication local
aaa authorization network default local 
aaa authorization network client_vpn_authorization local 
!
!
!
!
!
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
!
!
!
!
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
!
!
crypto pki trustpoint TP-self-signed-591984024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-591984024
 revocation-check none
 rsakeypair TP-self-signed-591984024
!
crypto pki trustpoint TP-self-signed-4045734018
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4045734018
 revocation-check none
 rsakeypair TP-self-signed-4045734018
!
!
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
!
!
object-group network CLOUD_SUBNETS 
 description Azure subnet
 172.16.0.0 255.252.0.0
!
object-group network INTERNAL_LAN 
 description All Internal subnets which should be allowed out to the Internet
 192.168.1.0 255.255.255.0
 192.168.20.0 255.255.255.0
!
username timothy privilege 15 secret 5 xxx
!
!
controller VDSL 0
!
ip ssh version 2
! 
!
!
!
no crypto isakmp default policy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address xxxx   no-xauth
!
crypto isakmp client configuration group VPN_CLIENTS
 key xxx
 dns 192.168.1.24 192.168.1.20
 domain xxx
 pool Client-VPN-Pool
 acl CLIENT_VPN
crypto isakmp profile Client-VPN
   description Remote Client IPSec VPN
   match identity group VPN_CLIENTS
   client authentication list client_vpn_authentication
   isakmp authorization list client_vpn_authorization
   client configuration address respond
!
!
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac 
 mode tunnel
!
!
!
crypto dynamic-map ClientVPNCryptoMap 1
 set transform-set TRANS_3DES_SHA 
 set isakmp-profile Client-VPN
 reverse-route
 qos pre-classify
!
!
!
crypto map AzureCryptoMap 12 ipsec-isakmp 
 set peer xxxx
 set security-association lifetime kilobytes 102400000
 set transform-set AzureIPSec 
 match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap 
!
bridge irb
!
!
!
!
interface ATM0
 mtu 1492
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport mode trunk
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 description Main LAN
 ip address 192.168.1.97 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group PORTS_ALLOWED_IN in
 ip flow ingress
 ip inspect normal_traffic out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1350
 dialer pool 1
 dialer-group 1
 ipv6 address autoconfig
 ipv6 enable
 ppp chap hostname xxx
 ppp chap password 7 xxx
 ppp ipcp route default
 no cdp enable
 crypto map AzureCryptoMap
!
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
!
ip access-list extended AzureEastUS
 permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
 remark List of ports which are allowed IN
 permit gre any any
 permit esp any any
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit tcp any any eq 55663
 permit udp any any eq 55663
 permit tcp any any eq 22
 permit tcp any any eq 5723
 permit tcp any any eq 1723
 permit tcp any any eq 443
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded
 deny   ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
 deny   tcp object-group INTERNAL_LAN any eq smtp
 deny   ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
 permit tcp object-group INTERNAL_LAN any
 permit udp object-group INTERNAL_LAN any
 permit icmp object-group INTERNAL_LAN any
 deny   ip any any
!
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
!
route-map NoNAT permit 10
 match ip address AzureEastUS CLIENT_VPN
!
route-map NoNAT permit 15
!
!
!
banner motd Welcome to Murasaki
!
line con 0
 privilege level 15
 no modem enable
line aux 0
line vty 0
 privilege level 15
 no activation-character
 transport preferred none
 transport input ssh
line vty 1 4
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
!
end

Any ideas on what I'm doing wrong?
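
Added example, not part of the original post: a small Python parser for ISAKMP debug output like the log above. It groups each "Checking ISAKMP transform N against priority P policy" block with the offered attributes and the rejection message, so the checks that were rejected for the authentication method rather than for encryption, key length or hash stand out. The sample lines are abridged from the post's log; the function and label names are this example's own.

```python
import re
from collections import Counter

# Abridged from the debug output in the post (lifetime, group and "atts are not
# acceptable" lines dropped, six of the 24 checks kept); line wording unchanged.
SAMPLE_LOG = """\
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct  6 08:06:43: ISAKMP:      encryption 3DES-CBC
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash MD5
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 256
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct  6 08:06:43: ISAKMP:      encryption AES-CBC
*Oct  6 08:06:43: ISAKMP:      keylength of 128
*Oct  6 08:06:43: ISAKMP:      auth XAUTHInitPreShared
*Oct  6 08:06:43: ISAKMP:      hash SHA
*Oct  6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct  6 08:06:43: ISAKMP:(0):no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
# Attribute lines have whitespace after "ISAKMP:"; event lines have "(0):" instead.
ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|auth|hash)\s+(\S+)")
# Rejection messages exactly as they appear in the post, mapped to short labels.
REASONS = {
    "Encryption algorithm offered does not match policy": "encryption",
    "Proposed key length does not match policy": "key length",
    "Hash algorithm offered does not match policy": "hash",
    "Xauth authentication by pre-shared key offered but does not match policy":
        "auth method (xauth)",
}


def parse_phase1(log):
    """Return one dict per transform/policy check: offered attributes and reject reason."""
    checks, cur = [], None
    for line in log.splitlines():
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                   "offer": {}, "reason": None}
            checks.append(cur)
            continue
        if cur is None:
            continue  # lines before the first check (vendor IDs etc.)
        m = ATTR.search(line)
        if m:
            cur["offer"][m.group(1).split()[0]] = m.group(2)
            continue
        for text, label in REASONS.items():
            if text in line:
                cur["reason"] = label
    return checks


def summarize(checks):
    """Reject reasons per policy, checks rejected on auth method, and offered auth values."""
    by_policy = {}
    for c in checks:
        by_policy.setdefault(c["policy"], Counter())[c["reason"]] += 1
    # In the posted log these are the checks whose encryption and hash agree with
    # the policy in the posted config (e.g. transform 5 vs policy 1: 3DES/SHA).
    auth_rejected = [(c["policy"], c["transform"]) for c in checks
                     if c["reason"] == "auth method (xauth)"]
    offered_auth = {c["offer"].get("auth") for c in checks}
    return by_policy, auth_rejected, offered_auth


if __name__ == "__main__":
    by_policy, auth_rejected, offered_auth = summarize(parse_phase1(SAMPLE_LOG))
    for policy, reasons in sorted(by_policy.items()):
        print(f"policy {policy}: {dict(reasons)}")
    print("rejected on auth method (policy, transform):", auth_rejected)
    print("auth methods offered by the client:", offered_auth)
```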

10 REPLIES
VIP Green

Change your dynamic crypto map to only include the transform set:

crypto dynamic-map ClientVPNCryptoMap 1

  set transform-set TRANS_3DES_SHA

Also you are missing the VPN client IPs in the NAT statement to exempt them from being NATed.

--

Please remember to select a correct answer and rate helpful posts

New Member

Hi Marius,

Thanks for your suggestion. I think I have made the changes you suggested (see config below), but it's still giving me the same output from the earlier debug. Unless I've misunderstood your recommendation?

!
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
hostname murasaki
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login client_vpn_authentication local
aaa authorization network default local
aaa authorization network client_vpn_authorization local
!
!
!
!
!
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
!
!
!
!
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
!
!
crypto pki trustpoint TP-self-signed-591984024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-591984024
 revocation-check none
 rsakeypair TP-self-signed-591984024
!
crypto pki trustpoint TP-self-signed-4045734018
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4045734018
 revocation-check none
 rsakeypair TP-self-signed-4045734018
!
!
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
!
!
object-group network CLOUD_SUBNETS
 description Azure subnet
 172.16.0.0 255.252.0.0
!
object-group network INTERNAL_LAN
 description All Internal subnets which should be allowed out to the Internet
 192.168.1.0 255.255.255.0
!
object-group network REMOTE_ACCESS_VPN
 192.168.20.0 255.255.255.0
!
username timothy privilege 15 secret 5 xxx
!
!
controller VDSL 0
!
ip ssh version 2
!
!
!
!
no crypto isakmp default policy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address xxxx   no-xauth
!
crypto isakmp client configuration group VPN_CLIENTS
 key xxx
 dns 192.168.1.24 192.168.1.20
 domain xxx
 pool Client-VPN-Pool
 acl CLIENT_VPN
crypto isakmp profile Client-VPN
   description Remote Client IPSec VPN
   match identity group VPN_CLIENTS
   client authentication list client_vpn_authentication
   isakmp authorization list client_vpn_authorization
   client configuration address respond
!
!
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map ClientVPNCryptoMap 1
 set transform-set TRANS_3DES_SHA
!
!
!
crypto map AzureCryptoMap 12 ipsec-isakmp
 set peer xxxx
 set security-association lifetime kilobytes 102400000
 set transform-set AzureIPSec
 match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
!
bridge irb
!
!
!
!
interface ATM0
 mtu 1492
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport mode trunk
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 description Main LAN
 ip address 192.168.1.97 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group PORTS_ALLOWED_IN in
 ip flow ingress
 ip inspect normal_traffic out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1350
 dialer pool 1
 dialer-group 1
 ipv6 address autoconfig
 ipv6 enable
 ppp chap hostname xxx
 ppp chap password 7 xxx
 ppp ipcp route default
 no cdp enable
 crypto map AzureCryptoMap
!
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
!
ip access-list extended AzureEastUS
 permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
 remark List of ports which are allowed IN
 permit gre any any
 permit esp any any
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit tcp any any eq 55663
 permit udp any any eq 55663
 permit tcp any any eq 22
 permit tcp any any eq 5723
 permit tcp any any eq 1723
 permit tcp any any eq 443
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded
 deny   ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
 deny   tcp object-group INTERNAL_LAN any eq smtp
 deny   ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
 deny   ip object-group INTERNAL_LAN object-group REMOTE_ACCESS_VPN
 permit tcp object-group INTERNAL_LAN any
 permit udp object-group INTERNAL_LAN any
 permit icmp object-group INTERNAL_LAN any
 deny   ip any any
!
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
!
route-map NoNAT permit 10
 match ip address AzureEastUS CLIENT_VPN
!
!
!
banner motd Welcome to Murasaki
!
line con 0
 privilege level 15
 no modem enable
line aux 0
line vty 0
 privilege level 15
 no activation-character
 transport preferred none
 transport input ssh
line vty 1 4
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
!
end
 
VIP Green

What VPN client software are you using?

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

I'm trying with both Android running 4.4 and my Mac running 10.9. It is a requirement to have these devices working with the VPN.

I had thought that maybe the type of encryption was the issue with these devices, so I've tried a range of 3DES AES 128 and AES 256, with both the SHA and MD5 hashes, all without success and leading to the same debug logs :( Clearly I'm doing something else wrong :(

Any ideas? It's a tricky one!

VIP Green

Well, the debug does point to a mismatch on the encryption which the client is proposing.

Do you by chance have a windows PC with a Cisco VPN client installed on it?  If you do, could you try connecting with that, just for the sake of elimination.

New Member

I will try with a Windows PC and the official Cisco client. Unfortunately I don't work on the LAN (thus trying to get the VPN setup!) so it might take a few days.

New Member

Ok, this is kind of embarrassing, but I was putting the wrong group name in!!!!

The logs didn't seem to give any indication of this to me, but when I googled 'aggressive mode failed' I found https://supportforums.cisco.com/discussion/11859296/client-vpn-failing-connect-processing-aggressive-mode-failed

 

Sure enough, fixing that up got it all working. Doh!

New Member

Hi Marius,

I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?

 

*Oct  9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
*Oct  9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
*Oct  9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
*Oct  9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
*Oct  9 20:43:16: ISAKMP: local port 500, remote port 49727
*Oct  9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
*Oct  9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
*Oct  9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
*Oct  9 20:43:16: ISAKMP (0): ID payload
    next-payload : 13
    type         : 11
    group id     : timothy
    protocol     : 17
    port         : 500
    length       : 15
*Oct  9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct  9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): vendor ID is DPD
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
*Oct  9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct  9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
*Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct  9 20:43:16: ISAKMP:(0): vendor ID is Unity
*Oct  9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct  9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:      keylength of 128
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      default group 2
*Oct  9 20:43:16: ISAKMP:      auth pre-share
*Oct  9 20:43:16: ISAKMP:      life type in seconds
*Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct  9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
*Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct  9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
*Oct  9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
*Oct  9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct  9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.

*Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct  9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
*Oct  9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
*Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Oct  9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
*Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

*Oct  9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
*Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct  9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
*Oct  9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
*Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

*Oct  9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
*Oct  9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
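
Added example (not part of the thread and not Cisco tooling): a Python parser for `debug crypto isakmp` output like the log above. It pulls out the group id, whether the peer matched a profile, and the rejection reason for each transform per policy, so the one-line profile miss is not lost among the transform checks. The sample text is a constructed excerpt in the log's format, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the format of the debug output posted in this thread.
SAMPLE = """\
*Oct  9 20:43:16: ISAKMP (0): ID payload
    type         : 11
    group id     : timothy
*Oct  9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash SHA
*Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct  9 20:43:16: ISAKMP:      hash MD5
*Oct  9 20:43:16: ISAKMP:      keylength of 256
*Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct  9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct  9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
"""

TS = re.compile(r"^\*?\w{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?:\s*")  # "*Oct  9 20:43:16: "
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
REASON = re.compile(r"^ISAKMP:\(\d+\):\s*(.+?does not match policy)!?\s*$")
GROUP = re.compile(r"^\s*group id\s*:\s*(\S+)")


def parse_isakmp_debug(text):
    """Return the group id, profile-match state and every transform/policy check."""
    result = {"group_id": None, "profile_miss": False, "mode_failure": False,
              "accepted": None, "checks": []}
    current = None  # the transform check whose attribute lines we are reading
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := GROUP.match(line):
            result["group_id"] = m.group(1)
        elif "peer matches *none* of the profiles" in line:
            result["profile_miss"] = True
        elif "%CRYPTO-6-IKMP_MODE_FAILURE" in line:
            result["mode_failure"] = True
        elif m := CHECK.search(line):
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "attrs": {}, "reason": None}
            result["checks"].append(current)
        elif current is None:
            continue
        elif m := ATTR.match(line):
            current["attrs"][m.group(1).replace(" of", "")] = m.group(2)
        elif m := REASON.match(line):
            current["reason"] = m.group(1)
        elif "atts are acceptable" in line:
            result["accepted"] = (current["transform"], current["priority"])
            current = None
        elif "atts are not acceptable" in line:
            current = None
    return result


def summarize(result):
    """Turn the parsed checks into short findings, one line per policy."""
    findings = []
    by_priority = defaultdict(Counter)
    for c in result["checks"]:
        if (c["transform"], c["priority"]) == result["accepted"]:
            continue
        by_priority[c["priority"]][c["reason"] or "no reason logged"] += 1
    for prio in sorted(by_priority):
        parts = ", ".join(f"{n}x {r}" for r, n in by_priority[prio].most_common())
        findings.append(f"policy {prio}: {parts}")
    on_auth = [c for c in result["checks"]
               if c["reason"] and "authentication" in c["reason"].lower()]
    if result["accepted"]:
        t, p = result["accepted"]
        findings.append(f"transform {t} accepted by policy {p}")
    elif result["profile_miss"] and on_auth:
        findings.append(
            f"group id {result['group_id']!r} matched no profile and "
            f"{len(on_auth)} transform(s) were rejected on authentication: "
            "check the group name configured on the client")
    return findings


if __name__ == "__main__":
    print("\n".join(summarize(parse_isakmp_debug(SAMPLE))))
```
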

VIP Green

I am wondering if this ACL could be the problem:

ip access-list extended PORTS_ALLOWED_IN
 remark List of ports which are allowed IN
 permit gre any any
 permit esp any any
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit tcp any any eq 55663
 permit udp any any eq 55663
 permit tcp any any eq 22
 permit tcp any any eq 5723
 permit tcp any any eq 1723
 permit tcp any any eq 443
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded
 deny   ip any any

Try adding UDP 500 and 4500 to the ACL:

permit udp any any eq 500

permit udp any any eq 4500

VIP Green

Ah OK, just noticed you had isakmp in there... anyway, perhaps try to exchange the isakmp entry with UDP port 500 and 4500.

Or just for the sake of testing, try adding a permit IP any any at the top of the list and see if you are able to connect then.  If you are then we know for sure that it is the ACL that is the issue.
