05-29-2006 11:07 AM
Hi,
I have a Cisco 876 router (with 12.4(4)T2 IOS) and Cisco VPN client (ver. 4.6.02).
I am trying to configure the router as a VPN concentrator for 2 groups, but the tunnel setup already fails at parameter negotiation. Please find attached the config and the output from 'debug crypto isakmp'. An Ethereal trace is also included (the client has IP 172.24.4.61; the router's interface is 172.24.34.67).
I tried to downgrade IOS and changed the platform to 2821, but with the same result.
Please let me know if you can see the problem.
Thanks!
Lubomir
C876 config:
yourname#sh run
Building configuration...
Current configuration : 2457 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login Konzola none
aaa authentication login VPN_access local
aaa authorization network VPN_access local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
!
username cisco privilege 15 secret xxxx
!
!
!
crypto isakmp client configuration group USERS
 key two
 pool USERS_pool
!
crypto isakmp client configuration group ADMIN
 key one
 pool ADMIN_pool
crypto isakmp profile USERS_Profile
 match identity group USERS
 client authentication list VPN_access
 isakmp authorization list VPN_access
 client configuration address initiate
 client configuration address respond
crypto isakmp profile ADMIN_Profile
 match identity group ADMIN
 client authentication list VPN_access
 isakmp authorization list VPN_access
 client configuration address initiate
 client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map ADMIN 1
 set transform-set ESP-3DES-MD5
 set isakmp-profile ADMIN_Profile
 reverse-route
!
crypto dynamic-map USERS 1
 set transform-set ESP-3DES-MD5
 set isakmp-profile USERS_Profile
 reverse-route
!
!
crypto map VPN_Pristup 1 ipsec-isakmp dynamic ADMIN
crypto map VPN_Pristup 2 ipsec-isakmp dynamic USERS
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 172.24.34.67 255.255.255.0
 ip tcp adjust-mss 1452
 crypto map VPN_Pristup
!
ip local pool USERS_pool 10.1.1.10 10.1.1.20 group USERS
ip local pool ADMIN_pool 10.2.1.10 10.2.1.20 group ADMIN
ip classless
ip route 0.0.0.0 0.0.0.0 172.24.34.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
no cdp run
!
!
control-plane
!
!
line con 0
 login authentication Konzola
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end
yourname#
yourname#
05-31-2006 02:45 AM
Hello,
Where are the crypto isakmp policy commands? In short, you have not configured phase 1.
*Mar 1 06:07:20.347: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 06:07:20.351: ISAKMP:(0):no offers accepted!
*Mar 1 06:07:20.351: ISAKMP:(0): phase 1 SA policy not acceptable! (local 172.24.34.67 remote 172.24.4.61)
Vikas
05-31-2006 03:29 AM
Thank you, SOLVED! I missed this part:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp identity hostname
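The diagnosis reached in this thread, as an added example (not code from any poster or from Cisco): a Python check that flags a running config whose crypto maps use ISAKMP while no `crypto isakmp policy` block is defined, and that pulls the peer pair out of the matching debug lines. It assumes `show running-config` text with sub-commands indented by one space; the function names and the condensed sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs, condensed from the config and debug lines in this thread.
CONFIG_BEFORE = """\
crypto isakmp client configuration group USERS
 key two
 pool USERS_pool
crypto isakmp profile USERS_Profile
 match identity group USERS
crypto dynamic-map USERS 1
 set transform-set ESP-3DES-MD5
crypto map VPN_Pristup 2 ipsec-isakmp dynamic USERS
"""
CONFIG_AFTER = CONFIG_BEFORE + """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
"""
DEBUG_LINES = [
    "*Mar 1 06:07:20.347: ISAKMP:(0):atts are not acceptable. Next payload is 0",
    "*Mar 1 06:07:20.351: ISAKMP:(0):no offers accepted!",
    "*Mar 1 06:07:20.351: ISAKMP:(0): phase 1 SA policy not acceptable! (local 172.24.34.67 remote 172.24.4.61)",
]

def isakmp_policies(config):
    """Return {priority: [sub-commands]} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line closes the block
    return policies

def audit_phase1(config):
    """Flag configs that use IKE-keyed crypto maps but define no phase 1 policy."""
    uses_ike = re.search(r"^crypto map \S+ \d+ ipsec-isakmp\b", config, re.M)
    if uses_ike and not isakmp_policies(config):
        return ["crypto map uses ipsec-isakmp but no 'crypto isakmp policy' is defined"]
    return []

def phase1_rejections(lines):
    """Extract (local, remote) pairs from 'phase 1 SA policy not acceptable' lines."""
    pat = re.compile(r"phase 1 SA policy not acceptable! \(local (\S+) remote (\S+)\)")
    return [m.groups() for m in map(pat.search, lines) if m]
```
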