VPN software client to 837 problem

Hello,

I am trying to configure remote access VPN with an 837 and the Cisco software client. Here is a relevant part of my config:

aaa new-model
!
!
aaa authentication login remote_access local
aaa authorization network remote_auth local
!
aaa session-id common
!
username xxx password 7 xxxxxx
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key zzzz address xxx.yyy.zzz no-xauth
!
crypto isakmp client configuration group vpn_remote
 key xxx
 dns xxx.yyy.zzz
 domain xxx
 pool vpn_pool
 acl split_acl
!
!
crypto ipsec transform-set vpn_set esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynamic 20
 set transform-set vpn_set
!
!
crypto map vpn_map client authentication list remote_access
crypto map vpn_map isakmp authorization list remote_auth
crypto map vpn_map client configuration address respond
crypto map vpn_map 10 ipsec-isakmp
 set peer xxx.yyy.zzz
 set transform-set vpn_set
 set pfs group5
 match address crypto_acl
crypto map vpn_map 20 ipsec-isakmp dynamic vpn_dynamic
ip local pool vpn_pool 172.16.1.1 172.16.1.254
...
ip access-list extended nonat
 deny ip 192.168.yyy.0 0.0.0.255 193.37.xxx.0 0.0.0.255
 deny ip 192.168.yyy.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.yyy.0 0.0.0.255 any
ip access-list extended split_acl
 permit ip 192.168.yyy.0 0.0.0.255 172.16.1.0 0.0.0.255

When I try to connect from the VPN client to the router I get the following error:

Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 2 00:39:34.207: ISAKMP:(0:0:N/A:0):Encryption algorithm offered

What can be the problem? The config seems OK. The site-to-site tunnel is working and I have successfully configured many VPN clients on the PIX. I have tried changing the policy parameters but it did not help. I even installed the newest version of the VPN client (IOS 14.4(5a)). Any ideas? Has anyone had a similar problem?

2 REPLIES

Re: VPN software client to 837 problem

Hi

Can you revert whether you are trying to apply this on any subinterface or any interface configured with a secondary IP address?

regds


Re: VPN software client to 837 problem

Hello,

Thank you very much for your response. I mentioned in the post that I provided the relevant part of the configuration but it is not true. I omitted the firewall/access-list configuration which turned out to be a problem.

I enabled ESP and ISAKMP from any to the interface but could not connect. Then I disabled the IPsec over UDP and could connect but not access the LAN. I kept getting these wrong encryption messages, which really distracted me.

I then opened UDP 4500 and enabled IPsec over UDP again and it worked! But I also tested that ESP and ISAKMP ports must also be opened. At least the ESP, as, as far as I know, the UDP encapsulates only ISAKMP messages.

I hope this might be helpful to others.

Thanks again.

Rafal
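
An added example, not part of the thread: a Python check that reads an inbound IOS extended ACL and reports, by first match, whether ISAKMP (UDP 500), UDP 4500 and ESP are permitted to the router's outside address, the three flows the resolution above names. The ACL name outside_in, the address 203.0.113.1 and both sample ACLs are constructed, and the parser covers only "permit|deny proto src dst [eq port]" entries.

```python
import ipaddress

ANY = 0xFFFFFFFF
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS ACL port keywords
REQUIRED = {"isakmp": ("udp", 500), "udp4500": ("udp", 4500), "esp": ("esp", None)}

def ip(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(tok, i):
    """Read 'any', 'host A' or 'A wildcard' at tok[i]; return ((base, wild), next_i)."""
    if tok[i] == "any":
        return (0, ANY), i + 1
    if tok[i] == "host":
        return (ip(tok[i + 1]), 0), i + 2
    return (ip(tok[i]), ip(tok[i + 1])), i + 2

def parse_ace(line):
    """Parse 'permit|deny proto src dst [eq port]'; any other line returns None."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    src, i = take_addr(tok, 2)
    dst, i = take_addr(tok, i)
    port = None
    if i + 1 < len(tok) and tok[i] == "eq":
        port = int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES.get(tok[i + 1], -1)
    return tok[0], tok[1], src, dst, port

def audit(acl_text, router_ip):
    """First-match verdict per required flow; an IOS ACL ends in an implicit deny."""
    target, verdicts = ip(router_ip), {}
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    for name, (proto, port) in REQUIRED.items():
        verdicts[name] = "deny"
        for action, a_proto, src, dst, a_port in aces:
            if (a_proto in (proto, "ip") and src[1] == ANY  # only ACEs covering any client
                    and not (target ^ dst[0]) & ~dst[1] & ANY
                    and a_port in (None, port)):
                verdicts[name] = action
                break
    return verdicts

# Constructed sample ACLs (name and address are placeholders, not from the thread)
BEFORE = """ip access-list extended outside_in
 permit esp any host 203.0.113.1
 permit udp any host 203.0.113.1 eq isakmp
 deny ip any any log"""
AFTER = BEFORE.replace(" deny ip", " permit udp any host 203.0.113.1 eq non500-isakmp\n deny ip")
```

Calling audit(BEFORE, "203.0.113.1") reports UDP 4500 as denied while ISAKMP and ESP are permitted; audit(AFTER, "203.0.113.1") reports all three as permitted.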
