VPN Client configuration problem in router 2801 ios c2801-advipservicesk9-m

davila_jc
Level 1

When I tried to connect to the office with VPN Client 4.8 it did not connect, and the router debug logged this error:

Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 1 policy
Mar 14 16:21:08 GMT: ISAKMP: encryption DES-CBC
Mar 14 16:21:08 GMT: ISAKMP: hash MD5
Mar 14 16:21:08 GMT: ISAKMP: default group 2
Mar 14 16:21:08 GMT: ISAKMP: auth XAUTHInitPreShared
Mar 14 16:21:08 GMT: ISAKMP: life type in seconds
Mar 14 16:21:08 GMT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0):Xauth authentication by pre-shared key offered but does not match policy!
Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 1 policy
Mar 14 16:21:08 GMT: ISAKMP: encryption DES-CBC
Mar 14 16:21:08 GMT: ISAKMP: hash MD5
Mar 14 16:21:08 GMT: ISAKMP: default group 2
Mar 14 16:21:08 GMT: ISAKMP: auth pre-share
Mar 14 16:21:08 GMT: ISAKMP: life type in seconds
Mar 14 16:21:08 GMT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!
Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0):no offers accepted!
Mar 14 16:21:08 GMT: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable!

This is the partial configuration:

aaa new-model
!
aaa authentication password-prompt "Enter the password:"
aaa authentication username-prompt "Enter the user:"
aaa authentication login userauthentication local
aaa authorization network groupauthor local
!
aaa session-id common
!
username xxxx privilege 15 password 7 xxxxxx
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0 no-xauth
no crypto isakmp ccm
!
crypto isakmp client configuration group vpnsa
 key xxxxx
 dns x.x.x.x
 domain ms.mnet.com.mx
 pool remotas
 acl 105
 netmask 255.255.255.0
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto ipsec transform-set vpn2 esp-3des esp-sha-hmac
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 3
 set transform-set vpn vpn2
 reverse-route
!
crypto dynamic-map datos 1
 set transform-set vpn
 match address 102
!
crypto map servicios client authentication list userauthentication
crypto map servicios isakmp authorization list groupauthor
crypto map servicios client configuration address respond
crypto map servicios 1 ipsec-isakmp dynamic datos
crypto map servicios 3 ipsec-isakmp dynamic dynmap
!

There is no problem with NAT; the configuration for the no-NAT addresses is right. The problem is "phase 1": IKE does not connect.

4 Replies

jackko
Level 7

According to the log, the negotiation keeps attempting to match the first policy. No doubt it would fail, because the VPN Client software 4.8 would not prefer DES as the encryption.

I guess ISAKMP policy 1 should be swapped with policy 3.

Hi, the ISAKMP policy is detected; as far as I know, no specific policy is configured.

According to the posted config,

crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

and the posted log suggested that the client was attempting to match policy 1. Maybe swapping policy 3 to 1 will resolve the issue, as the smaller the policy number, the higher the preference.

Potentially, after policy 3 has become policy 1, the client will attempt to match with 3DES (not DES from the current policy 1).
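Added example (editor's code, not from the thread and not Cisco's): a small Python model of how IOS matches an offered IKE phase 1 transform against the router's `crypto isakmp policy` blocks, run over the policies and the two transforms posted above. It fills in the IOS defaults for lines a policy omits (encryption DES, hash SHA, authentication rsa-sig, group 1, lifetime 86400 seconds), decodes the `life duration (VPI)` bytes the debug prints, and reports, per policy in priority order, which attributes of the offer do not match. It covers only the attributes the policy block controls: the 3DES and AES debug names are assumed, lifetime is treated as never causing a rejection, and whether XAUTH is acceptable for a peer (configured through the key and crypto map, not the policy block) is left outside the model.

```python
import re

# Defaults IOS applies to any attribute a 'crypto isakmp policy' block omits.
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": 86400}
ENCR_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}  # debug name -> keyword; 3DES/AES names assumed
HASH_NAMES = {"MD5": "md5", "SHA": "sha"}
# debug auth name -> (policy keyword, XAUTH requested), for the two names in the posted log
AUTH_NAMES = {"pre-share": ("pre-share", False), "XAUTHInitPreShared": ("pre-share", True)}
TRANSFORM_FIELDS = {"encryption": r"ISAKMP: encryption (\S+)$", "hash": r"ISAKMP: hash (\S+)$",
                    "group": r"ISAKMP: default group (\d+)$", "auth": r"ISAKMP: auth (\S+)$"}

# Policies as posted in the thread (the key line shows how a block ends without '!').
POSTED_POLICIES = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0 no-xauth
"""

# Transforms 13 and 14 from the posted debug, timestamps and 'life type' lines dropped.
POSTED_DEBUG = """\
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(0:0:N/A:0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy!
"""

def parse_policies(config):
    """Return {priority: effective attributes}, IOS defaults filled in for omitted lines."""
    policies, current = {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_POLICY_DEFAULTS)
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in IOS_POLICY_DEFAULTS:
            policies[current][key] = int(value) if key == "lifetime" else value
        else:
            current = None  # '!' or any other top-level command ends the block
    return policies

def decode_life_duration(hex_bytes):
    """'0x0 0x20 0xC4 0x9B' -> 2147483 seconds (big-endian, as the debug prints it)."""
    return int.from_bytes(bytes(int(h, 16) for h in hex_bytes.split()), "big")

def parse_transforms(debug):
    """Group 'debug crypto isakmp' lines into the transforms the peer offered."""
    transforms = []
    for line in debug.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            transforms.append({"id": int(m.group(1)), "checked_against": int(m.group(2))})
        elif transforms:
            for field, pattern in TRANSFORM_FIELDS.items():
                m = re.search(pattern, line)
                if m:
                    transforms[-1][field] = m.group(1)
            m = re.search(r"life duration \(VPI\) of (.+)$", line)
            if m:
                transforms[-1]["lifetime"] = decode_life_duration(m.group(1))
    return transforms

def mismatches(transform, policy):
    """Policy-block attributes the offer does not satisfy. Simplification: lifetime never
    rejects (the responder uses the shorter value) and XAUTH acceptance, decided by the
    key and crypto-map configuration rather than the policy block, is not judged here."""
    offered = {"encr": ENCR_NAMES.get(transform["encryption"]),
               "hash": HASH_NAMES.get(transform["hash"]),
               "group": transform["group"],
               "authentication": AUTH_NAMES.get(transform["auth"], (transform["auth"],))[0]}
    return [attr for attr, value in offered.items() if value != policy[attr]]

def match_report(debug, config):
    """{transform id: {policy priority: [mismatching attributes]}}, lowest priority first."""
    policies = parse_policies(config)
    return {t["id"]: {p: mismatches(t, policies[p]) for p in sorted(policies)}
            for t in parse_transforms(debug)}
```

Calling `match_report(POSTED_DEBUG, POSTED_POLICIES)` returns `{13: {1: [], 2: ['encr'], 3: ['encr', 'hash']}, 14: {1: [], 2: ['encr'], 3: ['encr', 'hash']}}`: on encryption, hash, group and authentication type both offers fit policy 1 as configured (its unstated `encr` is DES), policy 2 fails on encryption, and policy 3 fails on encryption and on its default SHA hash, which is consistent with the `Hash algorithm offered does not match policy!` line. The two rejections the log attributes to the authentication method concern XAUTH handling, which this model leaves out; `parse_policies` is the part worth keeping when reading any `crypto isakmp policy` block, since the defaults it fills in are what the router actually negotiates with.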

Hi, I have a lab with a 1760 router and the same version of IOS; to my surprise it works without problem... ummm

Maybe the router or IOS (2801) has a problem.
