
VPDN client initiated tunnel

Status
Not open for further replies.

ior (Technical User), Mar 11, 2004
I've been following to set up a VPDN on my 1605R.

When connecting with the Cisco VPN client (4.0.3) I see on the router (debug mode) that ISAKMP complains about "Encryption algorithm offered does not match policy!"

I'm trying to be able to dial in from behind a remote NAT and be a seamless part of the network.

Does this mean that I have to get an older version of the VPN client or something similar? It looks like the VPN client is trying 3DES, which my router doesn't have.


crypto isakmp policy 1
 authentication pre-share
crypto isakmp key naiv address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
crypto ipsec transform-set trans1 esp-des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans1
!
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address 192.168.0.101 255.255.255.0
 ip access-group 106 in
 ip nat inside
 crypto map intmap
!
ip local pool ourpool 10.2.1.1 10.2.1.254
 
This means that the 4.03 client is offering SA attributes/parameters that the IOS router isn't programmed for.

The nitty gritty is that VPN Client v4.03 offers AES encryption, and if you are using an IOS image lower than 12.3 then your router will choke. I suggest that you drop back to version 3.6.3 of the client.

-gC-
 
My router is currently using 12.3, but it is a 1605R so I'm quite sure it can't handle AES.

I'll give the older client a try.
 
I've tried it out with client v3.6.6. Same problem.

Can anyone spot any errors in my config? Or have any other suggestions?
 
The problem is probably with your phase 1.

Do this:

crypto isakmp policy 1
 authentication pre-share
 encryption des (or 3des if you have it)
 hash sha
 group 2
 lifetime 86400

(Besides the version of the client, I think that Diffie-Hellman may also be off: the default is group 1, and the VPN client only works with group 2.)

Debug your phase 1 and, if you have problems, post the output:

debug crypto isakmp
 
Thanks for your response. I did as you asked and gave it another try. No luck.
The debugging info I got is quite huge, so I put the full thing at

Config:

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key vainare address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
crypto ipsec transform-set trans1 esp-des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans1
!
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap

Debug Info (part of it):

Mar 26 00:04:23: ISAKMP (0:0): received packet from 192.168.0.200 dport 500 sport 500 Global (N) NEW SA
Mar 26 00:04:23: ISAKMP: Created a peer struct for 192.168.0.200, peer port 500
Mar 26 00:04:23: ISAKMP: Locking peer struct 0x313DE08, IKE refcount 1 for crypto_ikmp_config_initialize_sa
Mar 26 00:04:23: ISAKMP (0:0): Setting client config settings 30A9CA4
Mar 26 00:04:23: ISAKMP: local port 500, remote port 500
Mar 26 00:04:23: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 32BF910
Mar 26 00:04:23: ISAKMP (0:3): processing SA payload. message ID = 0
Mar 26 00:04:23: ISAKMP (0:3): processing ID payload. message ID = 0
Mar 26 00:04:23: ISAKMP (0:3): ID payload
    next-payload : 13
    type         : 11
    group id     : io
    protocol     : 17
    port         : 500
    length       : 10
Mar 26 00:04:23: ISAKMP (0:3): peer matches *none* of the profiles
Mar 26 00:04:23: ISAKMP (0:3): processing vendor id payload
Mar 26 00:04:23: ISAKMP (0:3): vendor ID seems Unity/DPD but major 215 mismatch
Mar 26 00:04:23: ISAKMP (0:3): vendor ID is XAUTH
Mar 26 00:04:23: ISAKMP (0:3): processing vendor id payload
Mar 26 00:04:23: ISAKMP (0:3): vendor ID is DPD
Mar 26 00:04:23: ISAKMP (0:3): processing vendor id payload
Mar 26 00:04:23: ISAKMP (0:3): vendor ID seems Unity/DPD but major 123 mismatch
Mar 26 00:04:23: ISAKMP (0:3): vendor ID is NAT-T v2
Mar 26 00:04:23: ISAKMP (0:3): processing vendor id payload
Mar 26 00:04:23: ISAKMP (0:3): vendor ID seems Unity/DPD but major 194 mismatch
Mar 26 00:04:23: ISAKMP (0:3): processing vendor id payload
Mar 26 00:04:23: ISAKMP (0:3): vendor ID is Unity
Mar 26 00:04:23: ISAKMP : Scanning profiles for xauth ...
Mar 26 00:04:23: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 1 policy
Mar 26 00:04:23: ISAKMP: encryption AES-CBC
Mar 26 00:04:23: ISAKMP: hash SHA
Mar 26 00:04:23: ISAKMP: default group 2
Mar 26 00:04:23: ISAKMP: auth XAUTHInitPreShared
Mar 26 00:04:23: ISAKMP: life type in seconds
Mar 26 00:04:23: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 26 00:04:23: ISAKMP: keylength of 256
Mar 26 00:04:23: ISAKMP (0:3): Encryption algorithm offered does not match policy!
Mar 26 00:04:23: ISAKMP (0:3): atts are not acceptable. Next payload is 3
Mar 26 00:04:23: ISAKMP (0:3): Checking ISAKMP transform 2 against priority 1 policy
Mar 26 00:04:23: ISAKMP: encryption AES-CBC
Mar 26 00:04:23: ISAKMP: hash MD5
Mar 26 00:04:23: ISAKMP: default group 2
Mar 26 00:04:23: ISAKMP: auth XAUTHInitPreShared
Mar 26 00:04:23: ISAKMP: life type in seconds
Mar 26 00:04:23: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 26 00:04:23: ISAKMP: keylength of 256
Mar 26 00:04:23: ISAKMP (0:3): Encryption algorithm offered does not match policy!
Mar 26 00:04:23: ISAKMP (0:3): atts are not acceptable. Next payload is 3
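The following Python tool is an added example, not part of the thread and not Cisco's code. It does by hand what the router is doing in the debug above and in the phase-1 advice earlier in the thread: it parses each "Checking ISAKMP transform N" block into the attributes the client offered, parses `crypto isakmp policy` lines with the IOS defaults filled in (encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400), and reports every attribute that differs, not only the first one IOS complains about. Against the first post's policy it shows both the encryption and the group-1 default failing, which is the point the phase-1 reply made; against the policy that reply suggests, a DES/SHA/group 2 transform matches. Transform 1 in the sample is quoted from the debug above; transform 7 and the two policy strings are constructed. Treating lifetime as negotiated rather than as a match criterion, and XAUTHInitPreShared as satisfying `authentication pre-share`, are assumptions of this example.

```python
"""Match the phase-1 proposals seen in `debug crypto isakmp` against IOS policies."""
import re
from typing import Dict, List

# Values IOS uses for attributes that a `crypto isakmp policy` leaves unset.
IOS_POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": 86400}
CHECK_ORDER = ("encryption", "hash", "authentication", "group")
ENC_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}  # debug wording -> policy wording
POLICY_HEADER = re.compile(r"^crypto isakmp policy (\d+)$")
POLICY_ATTR = re.compile(r"^(encryption|hash|authentication|group|lifetime)\s+(.+)$")
PROPOSAL_HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority \d+ policy")
PROPOSAL_ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of|life duration \(VPI\) of)\s+(.+)$")

def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, object]]:
    """Return {priority: attributes}, with IOS defaults filled in for lines a policy leaves unset."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = POLICY_HEADER.match(line)
        attr = POLICY_ATTR.match(line) if current is not None else None
        if header:
            current = policies[int(header.group(1))] = dict(IOS_POLICY_DEFAULTS)
        elif attr:
            key, value = attr.groups()
            # lifetime is numeric; `encryption aes` with no key length means 128-bit
            current[key] = int(value) if key == "lifetime" else ("aes 128" if value == "aes" else value)
        else:
            current = None  # any other line ends the policy block
    return policies

def parse_proposals(debug: str) -> List[Dict[str, object]]:
    """Collect each `Checking ISAKMP transform N` block as a dict of the attributes offered."""
    proposals = []
    for line in debug.splitlines():
        header = PROPOSAL_HEADER.search(line)
        attr = PROPOSAL_ATTR.search(line.rstrip())
        if header:
            proposals.append({"transform": int(header.group(1)), "keylength": None, "lifetime": None})
        elif attr and proposals:
            key, value = attr.groups()
            if key == "keylength of":
                proposals[-1]["keylength"] = int(value)
            elif key.startswith("life duration"):  # big-endian bytes: 0x0 0x20 0xC4 0x9B -> 2147483 s
                proposals[-1]["lifetime"] = int.from_bytes(bytes(int(b, 16) for b in value.split()), "big")
            else:
                proposals[-1][key] = value
    return proposals

def as_policy_terms(p: Dict[str, object]) -> Dict[str, object]:
    """Translate one parsed proposal into the terms the policy lines use."""
    enc = ENC_NAMES.get(p["encryption"], p["encryption"])
    enc = f"aes {p['keylength']}" if enc == "aes" else enc
    # Assumption: XAUTHInitPreShared (pre-shared key with XAUTH layered on top)
    # is matched by IOS against `authentication pre-share`.
    auth = "pre-share" if p["auth"] in ("pre-share", "XAUTHInitPreShared") else p["auth"]
    return {"encryption": enc, "hash": p["hash"].lower(), "authentication": auth, "group": p["default group"]}

def match_all(debug: str, config: str) -> List[Dict[str, object]]:
    """Per offered transform: the first policy (by priority) it matches, or why none did.
    IOS stops at the first differing attribute; this lists every one that differs.
    Assumption: lifetime is negotiated, not matched; the shorter value is what the SA gets."""
    policies, results = parse_isakmp_policies(config), []
    for p in parse_proposals(debug):
        offered, mismatches = as_policy_terms(p), {}
        for prio in sorted(policies):
            bad = [k for k in CHECK_ORDER if offered[k] != policies[prio][k]]
            if not bad:
                agreed = min(policies[prio]["lifetime"], p["lifetime"] or policies[prio]["lifetime"])
                results.append({"transform": p["transform"], "policy": prio, "lifetime": agreed, "mismatches": {}})
                break
            mismatches[prio] = bad
        else:
            results.append({"transform": p["transform"], "policy": None, "lifetime": None, "mismatches": mismatches})
    return results

# Constructed sample: transform 1 is the first proposal quoted from the debug above;
# transform 7 (DES/SHA/group 2) is made up here to show what a match looks like.
SAMPLE_DEBUG = """\
Mar 26 00:04:23: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 1 policy
Mar 26 00:04:23: ISAKMP:      encryption AES-CBC
Mar 26 00:04:23: ISAKMP:      hash SHA
Mar 26 00:04:23: ISAKMP:      default group 2
Mar 26 00:04:23: ISAKMP:      auth XAUTHInitPreShared
Mar 26 00:04:23: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 26 00:04:23: ISAKMP:      keylength of 256
Mar 26 00:04:23: ISAKMP (0:3): Checking ISAKMP transform 7 against priority 1 policy
Mar 26 00:04:23: ISAKMP:      encryption DES-CBC
Mar 26 00:04:23: ISAKMP:      hash SHA
Mar 26 00:04:23: ISAKMP:      default group 2
Mar 26 00:04:23: ISAKMP:      auth XAUTHInitPreShared
Mar 26 00:04:23: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
"""
# Constructed: the thread's first policy (only `authentication pre-share` set) and the suggested one.
ORIGINAL_POLICY = "crypto isakmp policy 1\n authentication pre-share\ncrypto isakmp key naiv address 0.0.0.0 0.0.0.0\n"
SUGGESTED_POLICY = "crypto isakmp policy 1\n authentication pre-share\n encryption des\n hash sha\n group 2\n lifetime 86400\n"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_POLICY), ("suggested", SUGGESTED_POLICY)):
        for r in match_all(SAMPLE_DEBUG, cfg):
            print(name, r)
```

Feeding it the full debug output (every transform the client sends, not just the two shown) tells you at a glance whether any proposal can ever match, and which single policy line would fix it; in the thread's case the group-1 default would still have blocked a DES/SHA offer even after the encryption problem was understood.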
 
I don't see any transform offered for DES and SHA.
The only other thing I can suggest is to use MD5 instead of SHA for the hash algorithm.

Besides that, here is what else I can decipher:

The SA offers that do have SHA look strange: key length "256" (usually 168-bit), probably a 12.3 thing.

Also, if you want to eliminate XAUTH from the picture (for now, while trying to get it working), use:
crypto isakmp key vainare address 0.0.0.0 0.0.0.0 no-xauth

Maybe these will help.

Have you tried using it as an ezVPN server?

Also, configuring 4.03 for AES
 
I managed to get my hands on the VPN Client v3.6.3. It got the same errors.
I'm really beginning to get desperate here.

I took a look at the ezVPN examples and configured it.
I got the same or similar errors:

Client:
Initializing the connection...
Contacting the gateway at 192.168.0.101...
Failed to establish a secure connection to the security gateway.

Router debug output:

Config:

username xx privilege 15 password 7 xxxxxxxxxxxx
!
aaa authentication login default local
aaa authentication login vpnusers local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network vpngroup local
aaa session-id common
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local vpn-pool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group vpngroup
 key xxxxxxxx
 dns 212.181.52.2
 domain xxxxxxxx
 pool vpn-pool
 acl 199
!
crypto ipsec transform-set dessha esp-des esp-sha-hmac
!
crypto dynamic-map mode 1
 set transform-set dessha
!
crypto map mode client authentication list vpnusers
crypto map mode isakmp authorization list vpngroup
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode
!
interface Ethernet0
 ip address 192.168.0.101 255.255.255.0
 ip access-group 106 in
 ip nat inside
 no cdp enable
 crypto map mode
!
ip local pool vpn-pool 10.0.0.130 10.0.0.254
 
I am so ashamed to admit this, so be gentle.
Apparently I had misunderstood how the authentication works, so I had put my router username and password into the client when connecting, when in fact I should have entered the name of the group and the pre-shared key. After correcting this mistake it works fine.

Thank you gconnect!
 
Hey, don't sweat it; you got it working and that's all that matters :^)
 