RE : HELP with IPSEC VPN

From: Richard Dumoulin (Richard.Dumoulin@vanco.fr)
Date: Tue Nov 30 2004 - 05:22:19 GMT-3


You are having problems with your phase 1 policy, which does not match
the one on the VPN client:

"algorithm offered does not match policy!"

Your vpn client is asking for:

Nov 29 14:44:32.527: ISAKMP: encryption AES-CBC
Nov 29 14:44:32.527: ISAKMP: hash SHA
Nov 29 14:44:32.527: ISAKMP: default group 2
Nov 29 14:44:32.531: ISAKMP: auth

But you have this configured on the router:

crypto isakmp policy 10
 hash md5
 authentication pre-share

Not sure your 1600 router will support AES.

-- Richard

-----Original Message-----
From: Jamie Sanbower [mailto:ccie13637@yahoo.com]
Sent: Monday, November 29, 2004 8:59 PM
To: ccielab@groupstudy.com; security@groupstudy.com
Subject: HELP with IPSEC VPN

I am having problems establishing a VPN. I have a 1605
with 12.3.10 FW/IPSEC 56. I'm not sure why the tunnel is
not coming up.

Here is the config:
username jamie privilege 15 password xxxxxxxxxxxx
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 172.16.28.1 172.16.28.99
!
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw smtp timeout 3600
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group jamie
 key cisco1234
 pool ourpool
!
crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
!
!
crypto dynamic-map dyna 10
 set transform-set mypolicy
!
!
crypto map test client configuration address initiate
crypto map test client configuration address respond
crypto map test 5 ipsec-isakmp dynamic dyna
!
interface Ethernet0
 ip address dhcp hostname FW
 ip access-group inbound in
 no ip unreachables
 ip nat outside
 ip inspect myfw out
 no cdp enable
 crypto map test
!
interface Ethernet1
 ip address 172.16.28.1 255.255.255.0
 ip nat inside
 no keepalive
 no cdp enable
!
ip local pool ourpool 172.17.28.200 172.17.28.201
ip nat inside source route-map nonat interface Ethernet0 overload
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended inbound
 permit udp any any eq isakmp log
 permit esp any any log
 permit udp any eq bootps any eq bootpc log
 deny ip any any log
access-list 110 deny ip 172.16.28.0 0.0.0.255 172.17.28.0 0.0.0.255
access-list 110 permit ip 172.16.28.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110

Here is the debug output of "debug crypto isakmp" when
I try to establish a VPN (I replaced my outside
IP with 2.2.2.2 and the source IP with 1.1.1.1):

Nov 29 14:44:32.468: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
Nov 29 14:44:32.476: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
Nov 29 14:44:32.476: ISAKMP: Locking peer struct 0x3361D08, IKE refcount 1 for crypto_ikmp_config_initialize_sa
Nov 29 14:44:32.480: ISAKMP (0:0): Setting client config settings 33AB430
Nov 29 14:44:32.480: ISAKMP: local port 500, remote port 500
Nov 29 14:44:32.491: ISAKMP: insert sa successfully sa = 33B2628
Nov 29 14:44:32.491: ISAKMP (0:1): processing SA payload. message ID = 0
Nov 29 14:44:32.491: ISAKMP (0:1): processing ID payload. message ID = 0
Nov 29 14:44:32.495: ISAKMP (0:1): ID payload
        next-payload : 13
        type : 11
        group id : jamie
        protocol : 17
        port : 500
        length : 13
Nov 29 14:44:32.499: ISAKMP (0:1): peer matches *none* of the profiles
Nov 29 14:44:32.499: ISAKMP (0:1): processing vendor id payload
Nov 29 14:44:32.503: ISAKMP (0:1): vendor ID seems Unity/DPD but major 215 mismatch
Nov 29 14:44:32.503: ISAKMP (0:1): vendor ID is XAUTH
Nov 29 14:44:32.507: ISAKMP (0:1): processing vendor id payload
Nov 29 14:44:32.507: ISAKMP (0:1): vendor ID is DPD
Nov 29 14:44:32.511: ISAKMP (0:1): processing vendor id payload
Nov 29 14:44:32.511: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
Nov 29 14:44:32.515: ISAKMP (0:1): vendor ID is NAT-T v2
Nov 29 14:44:32.515: ISAKMP (0:1): processing vendor id payload
Nov 29 14:44:32.515: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
Nov 29 14:44:32.519: ISAKMP (0:1): processing vendor id payload
Nov 29 14:44:32.519: ISAKMP (0:1): vendor ID is Unity
Nov 29 14:44:32.523: ISAKMP : Scanning profiles for xauth ...
Nov 29 14:44:32.523: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Nov 29 14:44:32.527: ISAKMP: encryption AES-CBC
Nov 29 14:44:32.527: ISAKMP: hash SHA
Nov 29 14:44:32.527: ISAKMP: default group 2
Nov 29 14:44:32.531: ISAKMP: auth XAUTHInitPreShared
Nov 29 14:44:32.531: ISAKMP: life type in seconds
Nov 29 14:44:32.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Nov 29 14:44:32.535: ISAKMP: keylength of 256
Nov 29 14:44:32.535: ISAKMP (0:1): Encryption algorithm offered does not match policy!
Nov 29 14:44:32.539: ISAKMP (0:1): atts are not acceptable. Next payload is 3

....more debug

Nov 29 14:44:33.099: ISAKMP (0:1): no offers accepted!
Nov 29 14:44:33.099: ISAKMP (0:1): phase 1 SA policy not acceptable! (local 2.2.2.2 remote 1.1.1.1)
Nov 29 14:44:33.103: ISAKMP (0:1): incrementing error counter on sa: construct_fail_ag_init
Nov 29 14:44:33.107: ISAKMP (0:1): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Nov 29 14:44:33.107: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Nov 29 14:44:33.110: ISAKMP (0:1): Old State = IKE_READY New State = IKE_READY

Nov 29 14:44:33.110: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 1.1.1.1
Nov 29 14:44:37.507: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (R) AG_NO_STATE
Nov 29 14:44:37.515: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Nov 29 14:44:37.515: ISAKMP (0:1): retransmitting due to retransmit phase 1
Nov 29 14:44:37.519: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
Nov 29 14:44:37.650: %SEC-6-IPACCESSLOGP: list inbound permitted udp 1.1.1.1(500) -> 2.2.2.2(500), 2 packets
Nov 29 14:44:37.654: %SEC-6-IPACCESSLOGP: list inbound permitted tcp 1.1.1.1(1430) -> 2.2.2.2(3389), 91 packets
Nov 29 14:44:38.015: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
Nov 29 14:44:38.015: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Nov 29 14:44:38.019: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE
Nov 29 14:44:38.019: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) AG_NO_STATE

Please help!!!

Jamie
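As an added example for this thread (it is not code from either poster), the script below does mechanically what Richard did by eye: it parses the `crypto isakmp policy` stanzas out of the router config, parses the transform attributes out of the `debug crypto isakmp` output, and lists every phase 1 attribute on which the policy would reject the offer. It assumes the IOS defaults for attributes a policy does not set (encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400 seconds) and treats the client's `XAUTHInitPreShared` as the pre-share family, since XAUTH sits on top of the base method. The embedded config and debug lines are the ones from the post above, kept wrapped as the archive shows them.

```python
"""Check an IKEv1 phase-1 proposal seen in `debug crypto isakmp` against the
router's `crypto isakmp policy` stanzas and report the attributes that differ.
Added example for this thread, not code from either poster; the sample config
and debug lines are copied from the post above (wrapped as in the archive)."""
import re

# IOS defaults for attributes a policy stanza leaves unset (assumed here).
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
# Assumption: an XAUTH variant is compared against its base method, since XAUTH
# is layered on pre-shared or RSA authentication rather than replacing it.
AUTH_MAP = {"XAUTHInitPreShared": "pre-share", "XAUTHInitRSA": "rsa-sig"}


def parse_isakmp_policies(config: str) -> dict[int, dict[str, str]]:
    """Return {priority: attributes} for each `crypto isakmp policy N` stanza."""
    policies: dict[int, dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if head:
            current = int(head.group(1))
            policies[current] = dict(POLICY_DEFAULTS)
        elif current is None or not line.strip() or not line.startswith(" "):
            current = None                      # a non-indented line ends the stanza
        else:
            parts = line.split()
            if parts[0] == "encryption" and parts[1] == "aes":
                # "encryption aes" without a key size means aes 128 on IOS
                policies[current]["encryption"] = "aes-" + (parts[2] if len(parts) > 2 else "128")
            elif parts[0] in POLICY_DEFAULTS:
                policies[current][parts[0]] = parts[1]
    return policies


def parse_proposal(debug: str) -> dict[str, str]:
    """Extract one transform's attributes from `debug crypto isakmp` output."""
    text = " ".join(debug.split())              # undo the archive's line wrapping
    patterns = {"encryption": r"ISAKMP: encryption (\S+)", "hash": r"ISAKMP: hash (\S+)",
                "group": r"ISAKMP: default group (\d+)", "authentication": r"ISAKMP: auth (\S+)"}
    prop: dict[str, str] = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, text)
        if m:
            prop[name] = m.group(1)
    # "AES-CBC" -> "aes", "3DES-CBC" -> "3des"; "keylength of 256" -> "aes-256"
    prop["encryption"] = prop.get("encryption", "").lower().removesuffix("-cbc")
    prop["hash"] = prop.get("hash", "").lower()
    m = re.search(r"keylength of (\d+)", text)
    if m and prop["encryption"] == "aes":
        prop["encryption"] += "-" + m.group(1)
    # Lifetime arrives as a big-endian byte string, e.g. "0x0 0x20 0xC4 0x9B".
    m = re.search(r"life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)", text)
    if m:
        prop["lifetime"] = str(int.from_bytes(bytes(int(b, 16) for b in m.group(1).split()), "big"))
    return prop


def mismatches(policy: dict[str, str], proposal: dict[str, str]) -> list[tuple[str, str, str]]:
    """Attributes on which the policy rejects the proposal: (attribute, offered,
    configured).  Lifetime is not compared; IOS uses the shorter of the two."""
    out = []
    for attr in ("encryption", "hash", "authentication", "group"):
        offered = proposal.get(attr, "")
        offered = AUTH_MAP.get(offered, offered)
        if offered != policy[attr]:
            out.append((attr, offered, policy[attr]))
    return out


def suggested_policy(priority: int, proposal: dict[str, str]) -> str:
    """Render a policy stanza that would accept the proposal.  Whether the
    platform's crypto image can actually run it is a separate question."""
    enc = proposal["encryption"].replace("-", " ")      # "aes-256" -> "aes 256"
    auth = AUTH_MAP.get(proposal["authentication"], proposal["authentication"])
    return "\n".join([f"crypto isakmp policy {priority}", f" encryption {enc}",
                      f" hash {proposal['hash']}", f" authentication {auth}",
                      f" group {proposal['group']}"])


# Copied from the post above; the wildcard key line only shows where the stanza ends.
CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
"""
DEBUG = """\
Nov 29 14:44:32.527: ISAKMP: encryption AES-CBC
Nov 29 14:44:32.527: ISAKMP: hash SHA
Nov 29 14:44:32.527: ISAKMP: default group 2
Nov 29 14:44:32.531: ISAKMP: auth
XAUTHInitPreShared
Nov 29 14:44:32.531: ISAKMP: life duration (VPI)
of 0x0 0x20 0xC4 0x9B
Nov 29 14:44:32.535: ISAKMP: keylength of 256
"""

if __name__ == "__main__":
    offer = parse_proposal(DEBUG)
    for prio, pol in parse_isakmp_policies(CONFIG).items():
        print(prio, mismatches(pol, offer))
    print(suggested_policy(5, offer))
```

Run against the thread's own config and debug, it reports that policy 10 differs from the client's first transform on three attributes, not one: encryption (aes-256 offered, des configured by default), hash (sha offered, md5 configured) and Diffie-Hellman group (2 offered, 1 configured by default); the debug stops at the first of these, which is why only the encryption message appears. The "no offers accepted!" line later in the debug means every transform the client proposed was checked against policy 10 the same way, so the script can be run on each "Checking ISAKMP transform" block in turn. The rendered stanza is only what the client asks for: Richard's doubt about AES on this platform stands, because the "IPSEC 56" in the image name denotes the 56-bit DES feature set, on which `encryption aes 256` is not available, and the lifetime value of 2147483 seconds that the parser decodes from the VPI bytes is accepted as-is by IOS since it simply uses the shorter of the two lifetimes.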




This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:51 GMT-3