Re: vpn mystery

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Wed, 21 Oct 2009 15:12:59 +0200

Hi,

That's strange. Your VPN Client software does not send an IPSec proposal for
3DES/SHA (without LZS compression). What is the version you use?

You can change the transform set to include comp-lzs and see if it works:
#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac comp-lzs

HTH,

--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Technical Instructor
MicronicsTraining.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2009/10/21 abderrahim sadki <a_sadki1_at_hotmail.com>
> Hi,
>
> Here it is:
>
> Router#debug crypto isakmp error
> Crypto ISAKMP Error debugging is on
> Router#
> *Mar  1 20:20:38.374: ISAKMP (0:3): Encryption algorithm offered does not match policy!
> *Mar  1 20:20:38.374: ISAKMP (0:3): atts are not acceptable. Next payload is 3
> *Mar  1 20:20:38.374: ISAKMP (0:3): Encryption algorithm offered does not match policy!
> *Mar  1 20:20:38.374: ISAKMP (0:3): atts are not acceptable. Next payload is 3
> *Mar  1 20:20:38.374: ISAKMP (0:3): Encryption algorithm offered does not match policy!
> *Mar  1 20:20:38.374: ISAKMP (0:3): atts are not acceptable. Next payload is 3
> *Mar  1 20:20:38.374: ISAKMP (0:3): Encryption algorithm offered does not match policy!
> *Mar  1 20:20:38.374: ISAKMP (0:3): atts are not acceptable. Next payload is 3
> *Mar  1 20:20:38.374: ISAKMP (0:3): Encryption algorithm offered does not match policy!
> *Mar  1 20:20:38.374: ISAKMP (0:3): atts are not acceptable. Next payload is 3
> *Mar  1 20:20:38.374: ISAKMP (0:3): Encryption algorithm offered does not match policy!
> *Mar  1 20:20:38.374: ISAKMP (0:3): atts are not acceptable. Next payload is 3
> *Mar  1 20:20:38.374: ISAKMP (0:3): Encryption algorithm offered does not match policy!
> *Mar  1 20:20:38.374: ISAKMP (0:3): atts are not acceptable. Next payload is 3
> *Mar  1 20:20:38.374: ISAKMP (0:3): Encryption algorithm offered does not match policy!
> *Mar  1 20:20:38.374: ISAKMP (0:3): atts are not acceptable. Next payload is 3
> *Mar  1 20:20:38.702: ISAKMP (0:3): FSM action returned error: 4
> *Mar  1 20:20:41.718: ISAKMP (0:3): FSM action returned error: 4 Unknown Attr: 0x7000 Unknown Attr: 0x7001 Unknown Attr: 0x7003 Unknown Attr: 0x7007 Unknown Attr: 0x700B Unknown Attr: 0x7009 Unknown Attr: 0x700C Unknown Attr: 0x7008 Unknown Attr: 0x700A Unknown Attr: 0x7005
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7000)
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7001)
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7003)
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7007)
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x700B)
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7009)
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x700C)
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7008)
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x700A)
> *Mar  1 20:20:41.750: ISAKMP (0/3): Unknown Attr: UNKNOWN (0x7005)
> *Mar  1 20:20:41.770: ISAKMP (0:3): IPSec policy invalidated proposal
> *Mar  1 20:20:41.770: ISAKMP (0:3): IPSec policy invalidated proposal
> *Mar  1 20:20:41.774: ISAKMP (0:3): IPSec policy invalidated proposal
>
> Router#debug crypto ipsec error
> Crypto IPSEC Error debugging is on
> Router#
> *Mar  1 20:18:54.334: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-aes 256 esp-md5-hmac comp-lzs }
> *Mar  1 20:18:54.334: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-aes 256 esp-sha-hmac comp-lzs }
> *Mar  1 20:18:54.338: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-aes esp-md5-hmac comp-lzs }
> *Mar  1 20:18:54.338: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-aes esp-sha-hmac comp-lzs }
> *Mar  1 20:18:54.342: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-aes 256 esp-md5-hmac }
> *Mar  1 20:18:54.342: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-aes 256 esp-sha-hmac }
> *Mar  1 20:18:54.342: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-aes esp-md5-hmac }
> *Mar  1 20:18:54.346: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-aes esp-sha-hmac }
> *Mar  1 20:18:54.346: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-3des esp-md5-hmac comp-lzs }
> *Mar  1 20:18:54.346: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-3des esp-sha-hmac comp-lzs }
> *Mar  1 20:18:54.350: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
>    {esp-3des esp-md5-hmac }
>
> > Date: Tue, 20 Oct 2009 22:55:59 +0200
> > Subject: Re: vpn mystery
> > From: piotr_at_ccie1.com
> > To: a_sadki1_at_hotmail.com
> > CC: ccielab_at_groupstudy.com
> >
> > OK, can you debug whole ISAKMP ("deb crypto isakmp") and paste a few more
> > lines before and after that error message? This is because something
> > different might be wrong which causes ISAKMP to fail and generates that
> > message.
> >
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, SEC)
> > Technical Instructor
> > MicronicsTraining.com
> >
> >  If you can't explain it simply, you don't understand it well enough  -
> > Albert Einstein
> >
> >
> > 2009/10/20 abderrahim sadki <a_sadki1_at_hotmail.com>
> >
> > > Hi Piotr,
> > >
> > > I used a Cisco VPN client (Windows software).
> > >
> > > Thanks for the netmask tip!
> > >
> > > Abderrahim
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
Received on Wed Oct 21 2009 - 15:12:59 ART

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:00 ART
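
Added example (not part of the original thread or any poster's code): a Python sketch of the comparison the top reply makes by eye. It parses quoted "debug crypto ipsec error" rejections and reports which client offers contain every transform of the router's set, and what they add on top. The router's current transform set is not shown in the thread and is assumed here; the function names are illustrative.

```python
import re

# Constructed sample: three rejections copied from the quoted debug output,
# with the e-mail quote markers and line wrapping left in place.
SAMPLE = """\
> *Mar  1 20:18:54.334: IPSEC(validate_transform_proposal): transform
> proposal
> not supported for identity:
>
>    {esp-aes 256 esp-sha-hmac comp-lzs }
>
> *Mar  1 20:18:54.346: IPSEC(validate_transform_proposal): transform
> proposal
> not supported for identity:
>
>    {esp-3des esp-sha-hmac comp-lzs }
>
> *Mar  1 20:18:54.350: IPSEC(validate_transform_proposal): transform
> proposal
> not supported for identity:
>
>    {esp-3des esp-md5-hmac }
"""
# Assumption: the router's current transform set (not shown in the thread).
CONFIGURED = "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac"

REJECTED = re.compile(r"validate_transform_proposal\): transform proposal "
                      r"not supported for identity: \{([^}]*)\}")

def transforms(text):
    """Split a transform list; 'esp-aes 256' is one transform, not two."""
    return frozenset(re.sub(r"\b(esp-aes) (\d+)\b", r"\1-\2", text).split())

def rejected_offers(log):
    """Return each client proposal the router rejected, as a set of transforms."""
    unquoted = re.sub(r"^(?:>[ \t]?)+", "", log, flags=re.M)  # drop quoting
    flat = " ".join(unquoted.split())                         # undo wrapping
    return [transforms(body) for body in REJECTED.findall(flat)]

def extras_needed(configured_cli, log):
    """For offers that contain every configured transform, list what they add.

    An empty result means no offer can be matched just by adding transforms.
    """
    wanted = transforms(" ".join(configured_cli.split()[4:]))
    return [sorted(o - wanted) for o in rejected_offers(log) if wanted < o]

if __name__ == "__main__":
    print(extras_needed(CONFIGURED, SAMPLE))
```

With the assumed set, the only offer that covers esp-3des and esp-sha-hmac also carries comp-lzs, which is the change the reply proposes.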