02-22-2006 03:34 AM
Hello,
I am trying to configure remote access VPN with 837 and cisco software client. here is a relevant part of my config:
aaa new-model
!
!
aaa authentication login remote_access local
aaa authorization network remote_auth local
!
aaa session-id common
!
username xxx password 7 xxxxxx
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key zzzz address xxx.yyy.zzz no-xauth
!
crypto isakmp client configuration group vpn_remote
key xxx
dns xxx.yyy.zzz
domain xxx
pool vpn_pool
acl split_acl
!
!
crypto ipsec transform-set vpn_set esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynamic 20
set transform-set vpn_set
!
!
crypto map vpn_map client authentication list remote_access
crypto map vpn_map isakmp authorization list remote_auth
crypto map vpn_map client configuration address respond
crypto map vpn_map 10 ipsec-isakmp
set peer xxx.yyy.zzz
set transform-set vpn_set
set pfs group5
match address crypto_acl
crypto map vpn_map 20 ipsec-isakmp dynamic vpn_dynamic
ip local pool vpn_pool 172.16.1.1 172.16.1.254
...
ip access-list extended nonat
deny ip 192.168.yyy.0 0.0.0.255 193.37.xxx.0 0.0.0.255
deny ip 192.168.yyy.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 192.168.yyy.0 0.0.0.255 any
ip access-list extended split_acl
permit ip 192.168.yyy.0 0.0.0.255 172.16.1.0 0.0.0.255
when I try to connect from the vpn client to the router I get the following error
Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 2 00:39:34.207: ISAKMP:(0:0:N/A:0):Encryption algorithm offered
What can be the problem? The config seems OK. The site-to-site tunnel is working and I have successfully configured many VPN clients on the PIX. I have tried changing the policy parameters but it did not help. I even installed the newest version of the VPN client (IOS 14.4(5a)). Any ideas? Has anyone had a similar problem?
02-24-2006 03:04 AM
Hi
Can you revert whether you are trying to apply this on any subinterface or any interface configured with a secondary IP address?
regds
02-24-2006 08:14 AM
Hello,
Thank you very much for your response. I mentioned in the post that I provided the relevant part of the configuration, but that was not true. I omitted the firewall/access-list configuration, which turned out to be the problem.
I enabled ESP and ISAKMP from any to the interface but could not connect. Then I disabled IPsec over UDP and could connect, but could not access the LAN. I kept getting these wrong-encryption messages, which really distracted me.
I then opened UDP 4500 and enabled IPsec over UDP again, and it worked!! But I also tested that the ESP and ISAKMP ports must also be opened. At least ESP, since, as far as I know, the UDP encapsulates only ISAKMP messages.
I hope this might be helpful to others.
Thanks again.
Rafal
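A check for the lesson in Rafal's last post, added here as an example that is not from the thread: given the router's inbound access list, it reports which of the three flows a remote-access IPsec client needs (UDP 500 ISAKMP, UDP 4500 IPsec-over-UDP/NAT-T, and ESP) are not permitted. The ACL lines and the WAN address 203.0.113.1 are constructed; the check assumes the ACL is applied inbound on the WAN interface and does not evaluate source or destination addresses.

```python
from typing import NamedTuple, Optional

# Flows the WAN-facing inbound ACL must permit: (protocol, destination port).
REQUIRED_FLOWS = {
    "isakmp": ("udp", 500),   # IKE negotiation
    "nat-t": ("udp", 4500),   # IPsec over UDP / NAT-T, the port missing in the thread
    "esp": ("esp", None),     # the encrypted tunnel traffic itself (IP protocol 50)
}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
PROTO_NUMBERS = {"50": "esp", "17": "udp"}

class Ace(NamedTuple):
    action: str
    proto: str
    dst_port: Optional[int]

def _skip_addr(t, i):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    return i + 1 if t[i] == "any" else i + 2

def parse_ace(line):
    """Parse one extended-ACL entry; returns None for remarks, blanks and other lines."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        return None
    proto = PROTO_NUMBERS.get(t[1], t[1].lower())
    i = _skip_addr(t, 2)                 # source address
    if i < len(t) and t[i] == "eq":      # optional source port: not needed for this check
        i += 2
    i = _skip_addr(t, i)                 # destination address (assumed: the router's WAN IP)
    dst_port = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dst_port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return Ace(t[0], proto, dst_port)

def missing_vpn_flows(acl_lines):
    """Names of required flows the ACL does not permit. IOS evaluates entries top-down
    with an implicit 'deny ip any any' at the end, so the first matching entry decides."""
    aces = [a for a in map(parse_ace, acl_lines) if a]
    missing = []
    for name, (proto, port) in REQUIRED_FLOWS.items():
        for ace in aces:
            if ace.proto in (proto, "ip") and (ace.dst_port is None or ace.dst_port == port):
                if ace.action == "deny":
                    missing.append(name)
                break
        else:
            missing.append(name)         # nothing matched: implicit deny
    return missing

# Constructed sample: the thread's state before the fix (ESP and ISAKMP open, UDP 4500 not).
BEFORE_FIX = ["permit udp any host 203.0.113.1 eq isakmp", "permit esp any host 203.0.113.1", "deny ip any any"]
AFTER_FIX = BEFORE_FIX[:2] + ["permit udp any host 203.0.113.1 eq non500-isakmp"] + BEFORE_FIX[2:]
```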