Can anyone provide a sample configuration for a Cisco Router as an IPsec tunnel terminator?
What configuration should be set on the Contivity client?
It seems like my Cisco router is not understanding the parameters the Contivity sends.
Below is the config following a debug output...
*Mar 1 01:30:24.563: ISAKMP: local port 500, remote port 500
*Mar 1 01:30:24.563: ISAKMP: insert sa successfully sa = 8141D254
*Mar 1 01:30:24.563: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar 1 01:30:24.563: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar 1 01:30:24.563: ISAKMP (0:1): peer matches *none* of the profiles
*Mar 1 01:30:24.563: ISAKMP (0:1): processing vendor id payload
*Mar 1 01:30:24.567: ISAKMP (0:1): vendor ID seems Unity/DPD but major 42 mismatch
*Mar 1 01:30:24.567: ISAKMP : Scanning profiles for xauth ... VPNclient
*Mar 1 01:30:24.567: ISAKMP (0:1) Authentication by xauth preshared
*Mar 1 01:30:24.567: ISAKMP (0:1): Checking ISAKMP transform 1 against priority
*Mar 1 01:30:24.567: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 01:30:24.567: ISAKMP: encryption 3DES-CBC
*Mar 1 01:30:24.567: ISAKMP: hash MD5
*Mar 1 01:30:24.567: ISAKMP: auth pre-share
*Mar 1 01:30:24.567: ISAKMP: default group 2
*Mar 1 01:30:24.567: ISAKMP: unknown attribute 32767
*Mar 1 01:30:24.567: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Mar 1 01:30:24.567: ISAKMP (0:1): atts are not acceptable. Next payload is 3
*Mar 1 01:30:24.567: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 10 policy
*Mar 1 01:30:24.571: ISAKMP: encryption 3DES-CBC
*Mar 1 01:30:24.571: ISAKMP: hash SHA
*Mar 1 01:30:24.571: ISAKMP: auth pre-share
*Mar 1 01:30:24.571: ISAKMP: default group 2
*Mar 1 01:30:24.571: ISAKMP: unknown attribute 32767
*Mar 1 01:30:24.571: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Mar 1 01:30:24.571: ISAKMP (0:1): atts are not acceptable. Next payload is 3
*Mar 1 01:30:24.571: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 10 policy
*Mar 1 01:30:24.571: ISAKMP: encryption... What? 65535?
*Mar 1 01:30:24.571: ISAKMP: hash SHA
*Mar 1 01:30:24.571: ISAKMP: auth pre-share
*Mar 1 01:30:24.571: ISAKMP: default group 2
*Mar 1 01:30:24.571: ISAKMP: unknown attribute 32767
*Mar 1 01:30:24.575: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Mar 1 01:30:24.579: ISAKMP (0:1): atts are not acceptable. Next payload is 0
*Mar 1 01:30:24.579: ISAKMP (0:1): no offers accepted!
*Mar 1 01:30:24.583: ISAKMP (0:1): phase 1 SA policy not acceptable!
****************ROUTER CONFIG**************************
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname subtech
!
!
username cmcall password 0 cmcall
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network hw-client local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip ssh break-string
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group hw-client
key test1234
pool dynpool
crypto isakmp profile VPNclient
match identity group hw-client
client authentication list clientauth
isakmp authorization list hw-client
client configuration address respond
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynamicmap 5
set transform-set myset
set isakmp-profile VPNclient
!
crypto map mymap 10 ipsec-isakmp dynamic dynamicmap
!
!
interface Ethernet0
ip address <suppressed>
!
interface Ethernet1
ip address <suppressed>
crypto map mymap
!
ip local pool dynpool 192.168.141.67 192.168.141.70
ip route 0.0.0.0 0.0.0.0 Ethernet1
!
!
end
subtech#
**********************************************
On the Contivity VPN Client:
++Group Security Credentials field checked++
Group IP --> hw-client
password --> test1234
(Note: even though a Group-ID/password are provided, a username/password is still being asked for at the main window (I don't know why; furthermore, I did not configure any username/password on the Cisco router. Unless this works when attempting an IPSec tunnel to a Contivity box....)
Thank you in advance,
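As an added example (not from the original post, and not Cisco or Nortel tooling): a Python script that parses the "debug crypto isakmp" proposal lines above and compares each offered transform with the router's policy 10, which sets only "authentication pre-share", so every other attribute falls back to the IOS defaults (assumed here to be des, sha, rsa-sig and group 1; confirm with "show crypto isakmp policy"). The debug-name to policy-keyword mapping covers only the algorithms the debug shows.

```python
import re
# Assumption: IOS defaults when a policy omits an attribute are des, sha, rsa-sig, group 1.
IOS_DEFAULTS = {"encryption": "DES-CBC", "hash": "SHA", "auth": "rsa-sig", "group": "1"}
POLICY_10 = dict(IOS_DEFAULTS, auth="pre-share")  # the post's policy 10 sets only pre-share

# Constructed excerpt of the post's debug output (wrapped lines joined).
SAMPLE_DEBUG = """\
*Mar 1 01:30:24.567: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 01:30:24.567: ISAKMP: encryption 3DES-CBC
*Mar 1 01:30:24.567: ISAKMP: hash MD5
*Mar 1 01:30:24.567: ISAKMP: auth pre-share
*Mar 1 01:30:24.567: ISAKMP: default group 2
*Mar 1 01:30:24.567: ISAKMP: unknown attribute 32767
*Mar 1 01:30:24.571: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 10 policy
*Mar 1 01:30:24.571: ISAKMP: encryption... What? 65535?
*Mar 1 01:30:24.571: ISAKMP: hash SHA
"""

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority\s*(\d+) policy")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|auth|default group|unknown attribute)\s*(.*)")
CLI_NAMES = {"encryption": {"DES-CBC": "des", "3DES-CBC": "3des"},  # debug name -> policy keyword
             "hash": {"MD5": "md5", "SHA": "sha"}}

def parse_transforms(debug_text):
    """Group each 'ISAKMP: <attribute>' line under the transform it belongs to."""
    transforms, current = [], None
    for line in debug_text.splitlines():
        if m := TRANSFORM_RE.search(line):
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)), "unknown": []}
            transforms.append(current)
        elif (m := ATTR_RE.search(line)) and current is not None:
            key, value = m.group(1), m.group(2).strip()
            if key == "unknown attribute":
                current["unknown"].append(value)  # 32767 is in the private-use attribute range
            else:
                current["group" if key == "default group" else key] = value
    return transforms

def mismatches(transform, policy):
    """(attribute, offered, configured) for every attribute the policy would reject."""
    return [(k, transform.get(k), policy[k])
            for k in ("encryption", "hash", "auth", "group") if transform.get(k) != policy[k]]

def policy_lines(transform, priority=10):
    """Policy lines that would accept this transform, or None if it names an unknown algorithm."""
    enc = CLI_NAMES["encryption"].get(transform.get("encryption"))
    hsh = CLI_NAMES["hash"].get(transform.get("hash"))
    if enc is None or hsh is None:
        return None
    return [f"crypto isakmp policy {priority}", f" encryption {enc}", f" hash {hsh}",
            f" authentication {transform['auth']}", f" group {transform['group']}"]
```

Run against the sample, transform 1 is rejected on encryption, hash and group (the debug stops at the first, encryption), and transform 3 cannot be matched by any policy because its encryption id is not one IOS recognises.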