New Member

VPN client access to Cisco 876 does not work

Hi,

I have a Cisco 876 router (with 12.4(4)T2 IOS) and Cisco VPN client ver. 4.6.02.

I am trying to configure the router as a VPN concentrator for 2 groups, but the tunnel set-up already fails at parameter negotiation. Please find attached the config and the output from 'debug crypto isakmp'. An Ethereal trace is also included (the client has IP 172.24.4.61, the router's interface is 172.24.34.67).

I tried to downgrade IOS and changed the platform to 2821, but with the same result.

Please let me know if you can see the problem.

Thanks!

Lubomir

C876 config:

yourname#sh run

Building configuration...

Current configuration : 2457 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname yourname

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login Konzola none

aaa authentication login VPN_access local

aaa authorization network VPN_access local

!

aaa session-id common

!

resource policy

!

ip subnet-zero

ip cef

!

!

!

!

no ip domain lookup

!

!

!

username cisco privilege 15 secret xxxx

!

!

!

crypto isakmp client configuration group USERS

key two

pool USERS_pool

!

crypto isakmp client configuration group ADMIN

key one

pool ADMIN_pool

crypto isakmp profile USERS_Profile

match identity group USERS

client authentication list VPN_access

isakmp authorization list VPN_access

client configuration address initiate

client configuration address respond

crypto isakmp profile ADMIN_Profile

match identity group ADMIN

client authentication list VPN_access

isakmp authorization list VPN_access

client configuration address initiate

client configuration address respond

!

!

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

!

crypto dynamic-map ADMIN 1

set transform-set ESP-3DES-MD5

set isakmp-profile ADMIN_Profile

reverse-route

!

crypto dynamic-map USERS 1

set transform-set ESP-3DES-MD5

set isakmp-profile USERS_Profile

reverse-route

!

!

crypto map VPN_Pristup 1 ipsec-isakmp dynamic ADMIN

crypto map VPN_Pristup 2 ipsec-isakmp dynamic USERS

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

dsl operating-mode auto

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

ip address 172.24.34.67 255.255.255.0

ip tcp adjust-mss 1452

crypto map VPN_Pristup

!

ip local pool USERS_pool 10.1.1.10 10.1.1.20 group USERS

ip local pool ADMIN_pool 10.2.1.10 10.2.1.20 group ADMIN

ip classless

ip route 0.0.0.0 0.0.0.0 172.24.34.1

!

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 5 life 86400 requests 10000

!

no cdp run

!

!

control-plane

!

!

line con 0

login authentication Konzola

no modem enable

line aux 0

line vty 0 4

privilege level 15

transport input telnet ssh

line vty 5 15

privilege level 15

transport input telnet ssh

!

scheduler max-task-time 5000

end

yourname#

yourname#

Accepted Solutions
Cisco Employee

Re: VPN client access to Cisco 876 does not work

Hello,

Where are the crypto isakmp policy commands? In short, you have not configured phase 1.

*Mar 1 06:07:20.347: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Mar 1 06:07:20.351: ISAKMP:(0):no offers accepted!

*Mar 1 06:07:20.351: ISAKMP:(0): phase 1 SA policy not acceptable! (local 172.24.34.67 remote 172.24.4.61)

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

Vikas

New Member

Re: VPN client access to Cisco 876 does not work

Thank you, SOLVED! I missed this part:

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

crypto isakmp identity hostname
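
The check behind this thread, as an added example that is not part of the original posts or Cisco's tooling: it flags a config that uses IKE (client groups or ipsec-isakmp crypto maps) without any crypto isakmp policy, and pulls the peers out of the phase 1 rejection lines quoted in the accepted answer. The function names are made up for this sketch; the config and log excerpts are taken from the thread, re-indented.

```python
import re

# Excerpts from the thread: the posted config (no phase 1 policy) and the fix.
BROKEN_CFG = """\
crypto isakmp client configuration group ADMIN
 key one
 pool ADMIN_pool
crypto isakmp profile ADMIN_Profile
 match identity group ADMIN
crypto dynamic-map ADMIN 1
 set transform-set ESP-3DES-MD5
 set isakmp-profile ADMIN_Profile
crypto map VPN_Pristup 1 ipsec-isakmp dynamic ADMIN
"""
FIXED_CFG = BROKEN_CFG + """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
"""
DEBUG_LOG = """\
*Mar 1 06:07:20.347: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 06:07:20.351: ISAKMP:(0):no offers accepted!
*Mar 1 06:07:20.351: ISAKMP:(0): phase 1 SA policy not acceptable! (local 172.24.34.67 remote 172.24.4.61)
"""
USES_IKE = r"^crypto (map \S+ \d+ ipsec-isakmp|isakmp client configuration group)"

def isakmp_policies(cfg):
    """Map policy number -> list of sub-commands (indented lines under it)."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level command ends the policy block
    return policies

def audit(cfg):
    """Flag IKE-based crypto maps or client groups with no explicit phase 1 policy."""
    if re.search(USES_IKE, cfg, re.M) and not isakmp_policies(cfg):
        return ["IKE is in use but no 'crypto isakmp policy' is configured"]
    return []

def phase1_rejections(log):
    """Return (local, remote) pairs for every rejected phase 1 proposal."""
    return re.findall(r"phase 1 SA policy not acceptable! \(local (\S+) remote (\S+)\)", log)
```
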
