From: David (ccie_99@yahoo.com)
Date: Tue Nov 30 2004 - 10:32:25 GMT-3
Hi
Use group 2 in your ISAKMP policy. VPN client 3.X only supports group 2.
Richard, I think AES is just one of the proposals the client sent out. DES should be one of them also, but he did not copy/paste the full debug output.
Cheers
--- Richard Dumoulin <Richard.Dumoulin@vanco.fr>
wrote:
> You are having problems with your phase 1 policy, which does not match the one on the VPN client:
>
> "algorithm offered does not match policy!"
>
> Your vpn client is asking for:
>
> Nov 29 14:44:32.527: ISAKMP: encryption AES-CBC
> Nov 29 14:44:32.527: ISAKMP: hash SHA
> Nov 29 14:44:32.527: ISAKMP: default group 2
> Nov 29 14:44:32.531: ISAKMP: auth
>
> But you have this configured on the router:
>
> crypto isakmp policy 10
> hash md5
> authentication pre-share
>
> Not sure your 1600 router will support AES.
>
> -- Richard
>
>
>
> -----Original Message-----
> From: Jamie Sanbower [mailto:ccie13637@yahoo.com]
> Sent: Monday, November 29, 2004 8:59 PM
> To: ccielab@groupstudy.com; security@groupstudy.com
> Subject: HELP with IPSEC VPN
>
> I am having problems establishing a VPN. I have a 1605 with 12.3.10 FW/IPSEC 56. I'm not sure why the tunnel is not coming up.
>
> Here is the config:
> username jamie privilege 15 password xxxxxxxxxxxx
> aaa new-model
> !
> aaa authentication login default local
> aaa authorization exec default local
> aaa session-id common
> ip subnet-zero
> ip dhcp excluded-address 172.16.28.1 172.16.28.99
> !
> ip inspect name myfw udp timeout 15
> ip inspect name myfw tcp timeout 3600
> ip inspect name myfw ftp timeout 3600
> ip inspect name myfw http timeout 3600
> ip inspect name myfw smtp timeout 3600
> !
> !
> !
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0
> crypto isakmp client configuration address-pool local ourpool
> !
> crypto isakmp client configuration group jamie
> key cisco1234
> pool ourpool
> !
> crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
> !
> !
> crypto dynamic-map dyna 10
> set transform-set mypolicy
> !
> !
> crypto map test client configuration address initiate
> crypto map test client configuration address respond
> crypto map test 5 ipsec-isakmp dynamic dyna
> !
> interface Ethernet0
> ip address dhcp hostname FW
> ip access-group inbound in
> no ip unreachables
> ip nat outside
> ip inspect myfw out
> no cdp enable
> crypto map test
> !
> interface Ethernet1
> ip address 172.16.28.1 255.255.255.0
> ip nat inside
> no keepalive
> no cdp enable
> !
> ip local pool ourpool 172.17.28.200 172.17.28.201
> ip nat inside source route-map nonat interface Ethernet0 overload
> !
> ip route 0.0.0.0 0.0.0.0 dhcp
> !
> ip access-list extended inbound
> permit udp any any eq isakmp log
> permit esp any any log
> permit udp any eq bootps any eq bootpc log
> deny ip any any log
> access-list 110 deny ip 172.16.28.0 0.0.0.255 172.17.28.0 0.0.0.255
> access-list 110 permit ip 172.16.28.0 0.0.0.255 any
> !
> route-map nonat permit 10
> match ip address 110
>
> Here is the output of "debug crypto isakmp" when I try to establish a VPN (I replaced my outside IP with 2.2.2.2 and the source IP with 1.1.1.1):
>
> Nov 29 14:44:32.468: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
> Nov 29 14:44:32.476: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
> Nov 29 14:44:32.476: ISAKMP: Locking peer struct 0x3361D08, IKE refcount 1 for crypto_ikmp_config_initialize_sa
> Nov 29 14:44:32.480: ISAKMP (0:0): Setting client config settings 33AB430
> Nov 29 14:44:32.480: ISAKMP: local port 500, remote port 500
> Nov 29 14:44:32.491: ISAKMP: insert sa successfully sa = 33B2628
> Nov 29 14:44:32.491: ISAKMP (0:1): processing SA payload. message ID = 0
> Nov 29 14:44:32.491: ISAKMP (0:1): processing ID payload. message ID = 0
> Nov 29 14:44:32.495: ISAKMP (0:1): ID payload
> next-payload : 13
> type : 11
> group id : jamie
> protocol : 17
> port : 500
> length : 13
> Nov 29 14:44:32.499: ISAKMP (0:1): peer matches *none* of the profiles
> Nov 29 14:44:32.499: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.503: ISAKMP (0:1): vendor ID seems Unity/DPD but major 215 mismatch
> Nov 29 14:44:32.503: ISAKMP (0:1): vendor ID is XAUTH
> Nov 29 14:44:32.507: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.507: ISAKMP (0:1): vendor ID is DPD
> Nov 29 14:44:32.511: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.511: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
> Nov 29 14:44:32.515: ISAKMP (0:1): vendor ID is NAT-T v2
> Nov 29 14:44:32.515: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.515: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
> Nov 29 14:44:32.519: ISAKMP (0:1): processing vendor id payload
> Nov 29 14:44:32.519: ISAKMP (0:1): vendor ID is Unity
> Nov 29 14:44:32.523: ISAKMP : Scanning profiles for xauth ...
> Nov 29 14:44:32.523: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
> Nov 29 14:44:32.527: ISAKMP: encryption AES-CBC
> Nov 29 14:44:32.527: ISAKMP: hash SHA
> Nov 29 14:44:32.527: ISAKMP: default group 2
> Nov 29 14:44:32.531: ISAKMP: auth XAUTHInitPreShared
> Nov 29 14:44:32.531: ISAKMP: life type in seconds
> Nov 29 14:44:32.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
> Nov 29 14:44:32.535: ISAKMP: keylength of 256
> Nov 29 14:44:32.535: ISAKMP (0:1): Encryption algorithm offered does not match policy!
> Nov 29 14:44:32.539: ISAKMP (0:1): atts are not acceptable. Next payload is 3
>
> ....more debug
>
> Nov 29 14:44:33.099: ISAKMP (0:1): no offers accepted!
> Nov 29 14:44:33.099: ISAKMP (0:1): phase 1 SA policy not acceptable! (local 2.2.2.2 remote 1.1.1.1)
> Nov 29 14:44:33.103: ISAKMP (0:1): incrementing error
>
=== message truncated ===
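A small checker, added here and not part of any poster's message, that does by hand the comparison Richard and David describe: it takes the router's "crypto isakmp policy 10" block and the transform attributes printed by "debug crypto isakmp", layers the configured lines over the IOS phase 1 defaults (assumed here to be encryption des, hash sha, authentication rsa-sig, group 1) and lists every attribute on which the client's proposal and the policy disagree. The sample policy and debug lines are constructed from the thread, and treating the client's XAUTHInitPreShared method as equivalent to "authentication pre-share" is an assumption of this example.

```python
import re
# Constructed sample: the router's policy block and the client's transform from the thread.
ROUTER_POLICY = """crypto isakmp policy 10
 hash md5
 authentication pre-share"""
DEBUG = """Nov 29 14:44:32.527: ISAKMP: encryption AES-CBC
Nov 29 14:44:32.527: ISAKMP: hash SHA
Nov 29 14:44:32.527: ISAKMP: default group 2
Nov 29 14:44:32.531: ISAKMP: auth XAUTHInitPreShared
Nov 29 14:44:32.535: ISAKMP: keylength of 256"""
# IOS fills in any attribute a policy does not set with these defaults
# (encryption des, hash sha, authentication rsa-sig, group 1, no AES key length).
IOS_DEFAULTS = {"encryption": "DES", "hash": "SHA", "auth": "rsa-sig", "group": "1", "keylength": None}
# XAUTHInitPreShared is the Unity client's pre-shared-key-plus-XAUTH method;
# it is treated here as matching "authentication pre-share" (assumption).
AUTH_ALIASES = {"XAUTHInitPreShared": "pre-share"}
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")

def parse_policy(config):
    """Effective phase 1 policy: configured lines layered over the IOS defaults."""
    policy = dict(IOS_DEFAULTS)
    for line in config.splitlines():
        w = line.split()
        if len(w) < 2:
            continue
        if w[0] == "encryption":
            policy["encryption"] = w[1].upper()
            # "encryption aes" alone is AES-128; "encryption aes 256" selects 256
            policy["keylength"] = w[2] if len(w) > 2 else ("128" if w[1] == "aes" else None)
        elif w[0] == "hash":
            policy["hash"] = w[1].upper()
        elif w[0] == "authentication":
            policy["auth"] = w[1]
        elif w[0] == "group":
            policy["group"] = w[1]
    return policy

def parse_offer(debug):
    """Attributes of one ISAKMP transform as printed by 'debug crypto isakmp'."""
    offer = dict.fromkeys(IOS_DEFAULTS)
    for key, val in ATTR.findall(debug):
        key = {"default group": "group", "keylength of": "keylength"}.get(key, key)
        if key == "encryption":
            val = val.split("-")[0]  # AES-CBC -> AES
        offer[key] = AUTH_ALIASES.get(val, val) if key == "auth" else val
    return offer

def mismatches(offer, policy):
    """Attributes where the client's proposal differs from the router's policy."""
    return {k: (offer[k], policy[k]) for k in offer if offer[k] != policy[k]}
```

Run against the thread's policy it reports encryption, hash, group and key length as mismatched, which is why the debug stops at "Encryption algorithm offered does not match policy!"; a policy with encryption aes 256, hash sha, authentication pre-share and group 2 reports none.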
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:51 GMT-3