New Member

VPN Client Issue

Hi Guys

I hope someone can help me with my issue:

Cisco IOS in use: advipservicesk9-mz.124-20.T

Router: Cisco 2851

I have a few site-to-site VPN running in addition to VPN client. All site-to-site VPN have their own individual pre-shared keys whereas VPN client uses certificates.

I made a change for site-to-site VPN which includes the use of a generic pre-shared key (cry isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth) for all site-to-site tunnels instead of individual keys for each tunnel. After making the change, all site-to-site VPNs work perfectly fine, whereas the VPN client has stopped working, and the following are the logs generated on the router (debug cry isakmp error).

129143: Sep 29 10:16:16.487 BST: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!

129144: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129145: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!

129146: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129147: Sep 29 10:16:16.487 BST: ISAKMP:(0):Diffie-Hellman group offered does not match policy!

129148: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129149: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!

129150: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129151: Sep 29 10:16:16.487 BST: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!

129152: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3

129153: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!

129154: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x700C

129155: Sep 29 10:16:17.207 BST: ISAKMP:(1249):No IP address pool defined for ISAKMP!

129156: Sep 29 10:16:17.207 BST: ISAKMP:(1249):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer X.X.X.X)

129157: Sep 29 10:16:17.207 BST: ISAKMP (0/1249): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)

129158: Sep 29 10:16:17.207 BST: ISAKMP (0/1249): Unknown Attr: MODECFG_HOSTNAME (0x700A)

129159: Sep 29 10:16:17.215 BST: ISAKMP:(1249):deleting SA reason "Fail to allocate ip address" state (R) MM_NO_STATE (peer X.X.X.X)

129162: Sep 29 10:16:32.295 BST: ISAKMP(0:1250): Unable to get our DN from cert, using my FQDN as identity

129163: Sep 29 10:16:32.475 BST: ISAKMP(0:1251): Unable to get our DN from cert, using my FQDN as identity

129164: Sep 29 10:16:48.451 BST: ISAKMP(0:1252): Unable to get our DN from cert, using my FQDN as identity

129169: Sep 29 10:16:58.283 BST: ISAKMP(0:1253): Unable to get our DN from cert, using my FQDN as identity

129170: Sep 29 10:17:01.047 BST: ISAKMP(0:1254): Unable to get our DN from cert, using my FQDN as identity

129174: Sep 29 10:17:05.843 BST: ISAKMP(0:1255): Unable to get our DN from cert, using my FQDN as identity

Removing the generic pre-shared key makes VPN client work again. Any help in this matter will be very helpful. Many thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: VPN Client Issue

Yes, when you use "cry isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth" with the no-xauth keyword, that breaks the remote access vpn client. While you need that for lan-to-lan vpn tunnel, you can't have that for vpn client.

There are 2 options:

1) Configure "cry isa key" individually for the lan-to-lan vpn tunnel

2) Or alternatively, you can configure an isakmp profile for lan-to-lan and a separate profile for the vpn client. Here is a sample configuration for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Hope that helps.
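
The following is an added configuration sketch illustrating option 2 above; it is not the thread's own configuration nor the one behind the linked Cisco document. It shows why splitting into two ISAKMP profiles avoids the failure in the logs: the wildcard pre-shared key is placed in a keyring that only the LAN-to-LAN profile references, so the certificate-authenticated VPN client never hits the "no-xauth" wildcard and its Xauth offer is no longer rejected. All names (L2L-KEYS, L2L-PROF, VPNCLIENT, VPNCLIENT-PROF, VPNPOOL, TS, CMAP, DYNMAP, L2L-ACL, userauth, groupauthor), the placeholder key, trustpoint and addresses are assumptions; the OU-to-group mapping for certificate clients is also an assumption noted in the comments.

```cisco
! Added example, not the original poster's or Cisco's own config.
! Goal: keep the wildcard PSK scoped to LAN-to-LAN peers only, and enable
! Xauth + mode-config only for the remote-access (VPN client) profile.

! --- Phase 1 policies: pre-share for LAN-to-LAN, rsa-sig for the VPN client
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes
 hash sha
 authentication rsa-sig
 group 2

! --- Wildcard PSK lives in a keyring, NOT as a global
!     "crypto isakmp key ... address 0.0.0.0 0.0.0.0 no-xauth".
!     Caveat: any peer that knows this key can authenticate as a LAN-to-LAN
!     peer; per-peer keys (option 1) are tighter if you can manage them.
crypto keyring L2L-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key <PLACEHOLDER-L2L-PSK>

! --- LAN-to-LAN profile: matches peers by IP identity and has no
!     "client authentication list", so Xauth is never attempted here.
crypto isakmp profile L2L-PROF
 keyring L2L-KEYS
 match identity address 0.0.0.0 0.0.0.0

! --- Remote-access group; the pool also addresses the
!     "No IP address pool defined for ISAKMP!" line seen in the debug.
aaa new-model
aaa authentication login userauth local
aaa authorization network groupauthor local
ip local pool VPNPOOL 10.10.10.1 10.10.10.50
crypto isakmp client configuration group VPNCLIENT
 pool VPNPOOL

! --- VPN client profile: Xauth and mode-config are enabled only here.
!     Assumption: with certificate authentication the OU field of the
!     client certificate is used as the group name, so the OU is VPNCLIENT.
crypto isakmp profile VPNCLIENT-PROF
 ca trust-point <PLACEHOLDER-TRUSTPOINT>
 match identity group VPNCLIENT
 client authentication list userauth
 isakmp authorization list groupauthor
 client configuration address respond

! --- Phase 2: static entries for LAN-to-LAN, dynamic entry for clients
crypto ipsec transform-set TS esp-aes esp-sha-hmac

ip access-list extended L2L-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto dynamic-map DYNMAP 10
 set transform-set TS
 set isakmp-profile VPNCLIENT-PROF
 reverse-route

crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set isakmp-profile L2L-PROF
 match address L2L-ACL
crypto map CMAP 65535 ipsec-isakmp dynamic DYNMAP

interface GigabitEthernet0/0
 crypto map CMAP
```

To confirm the split is working, check "show crypto isakmp profile" and "show crypto session detail": a LAN-to-LAN peer should show L2L-PROF, a client should show VPNCLIENT-PROF with its assigned pool address, and "debug crypto isakmp" should no longer report "Xauth authentication by RSA offered but does not match policy!" for the client.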

2 REPLIES
New Member

Re: VPN Client Issue

Thanks Jennifer. That solved the problem.
