VPN client access to Cisco 876 does not work

lliska
Level 1

Hi,

I have a Cisco 876 router (with 12.4(4)T2 IOS) and Cisco VPN client (ver. 4.6.02).

I am trying to configure the router as a VPN concentrator for 2 groups, but the tunnel set-up already fails at parameter negotiation. Please find attached the config and the output from 'debug crypto isakmp'. An Ethereal trace is also included (the client has IP 172.24.4.61, the router's interface is 172.24.34.67).

I tried to downgrade IOS and changed the platform to 2821, but with the same result.

Please let me know if you can see the problem.

Thanks!

Lubomir

C876 config:

yourname#sh run
Building configuration...
Current configuration : 2457 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login Konzola none
aaa authentication login VPN_access local
aaa authorization network VPN_access local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
!
username cisco privilege 15 secret xxxx
!
!
!
crypto isakmp client configuration group USERS
 key two
 pool USERS_pool
!
crypto isakmp client configuration group ADMIN
 key one
 pool ADMIN_pool
crypto isakmp profile USERS_Profile
 match identity group USERS
 client authentication list VPN_access
 isakmp authorization list VPN_access
 client configuration address initiate
 client configuration address respond
crypto isakmp profile ADMIN_Profile
 match identity group ADMIN
 client authentication list VPN_access
 isakmp authorization list VPN_access
 client configuration address initiate
 client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map ADMIN 1
 set transform-set ESP-3DES-MD5
 set isakmp-profile ADMIN_Profile
 reverse-route
!
crypto dynamic-map USERS 1
 set transform-set ESP-3DES-MD5
 set isakmp-profile USERS_Profile
 reverse-route
!
!
crypto map VPN_Pristup 1 ipsec-isakmp dynamic ADMIN
crypto map VPN_Pristup 2 ipsec-isakmp dynamic USERS
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 172.24.34.67 255.255.255.0
 ip tcp adjust-mss 1452
 crypto map VPN_Pristup
!
ip local pool USERS_pool 10.1.1.10 10.1.1.20 group USERS
ip local pool ADMIN_pool 10.2.1.10 10.2.1.20 group ADMIN
ip classless
ip route 0.0.0.0 0.0.0.0 172.24.34.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
no cdp run
!
!
control-plane
!
!
line con 0
 login authentication Konzola
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end
yourname#
yourname#

Accepted Solutions

Vikas Saxena
Cisco Employee

Hello,

Where are the crypto isakmp policy commands? In short, you have not configured phase 1.

*Mar 1 06:07:20.347: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Mar 1 06:07:20.351: ISAKMP:(0):no offers accepted!

*Mar 1 06:07:20.351: ISAKMP:(0): phase 1 SA policy not acceptable! (local 172.24.34.67 remote 172.24.4.61)

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

Vikas

Thank you, SOLVED! I missed this part:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp identity hostname
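
The diagnosis in this thread can be checked mechanically. The following is an added example, not part of the original posts: it audits a saved running config for a crypto map bound to an interface with no usable `crypto isakmp policy`, and pulls the peers out of the phase 1 rejection debug lines. The function names and the trimmed sample inputs are constructed for illustration, and the parser assumes the sub-command indentation that `show run` prints.

```python
import re
# Constructed inputs modelled on the thread; the parser assumes IOS indentation.
BROKEN = """\
crypto isakmp client configuration group USERS
 key two
crypto map VPN_Pristup 2 ipsec-isakmp dynamic USERS
interface Vlan1
 crypto map VPN_Pristup
"""
FIXED = BROKEN + """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
"""
DEBUG = """\
*Mar 1 06:07:20.351: ISAKMP:(0): phase 1 SA policy not acceptable! (local 172.24.34.67 remote 172.24.4.61)
"""

def isakmp_policies(config):
    """Return {priority: [sub-commands]} for every 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line closes the block
    return policies

def audit(config):
    """Report crypto maps bound to an interface without a usable phase 1 policy."""
    bound = re.findall(r"^ crypto map (\S+)\s*$", config, re.M)
    policies = isakmp_policies(config)
    group_keys = re.search(r"^ key \S+", config, re.M)  # client groups use shared keys
    findings = []
    if bound and not policies:
        findings.append(f"{bound[0]}: no 'crypto isakmp policy' configured")
    elif bound and group_keys and not any(
            "authentication pre-share" in cmds for cmds in policies.values()):
        findings.append(f"{bound[0]}: no policy with 'authentication pre-share'")
    return findings

def phase1_rejections(debug):
    """Return (local, remote) address pairs from phase 1 rejection debug lines."""
    return re.findall(
        r"phase 1 SA policy not acceptable! \(local (\S+) remote (\S+)\)", debug)
```

Running `audit()` on a config before deployment surfaces the missing phase 1 policy without waiting for a client to fail, and `phase1_rejections()` over collected debug output shows which peers are being turned away.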