Solved

Added VPN functions to the router and it's not working

Posted on 2009-04-10
1,810 Views
Last Modified: 2012-05-11
Hello

Thanks to the folks on this site I had 2 2811 routers, one a functioning VPN and one a functioning router, working perfectly.  I had to re-purpose one 2811, whose purpose in life was the VPN, to another project.  So now I'm trying to combine the two routers into one, but it's not working.  The router is still functioning properly; however, the VPN portion is not working.  I've added all the commands that made the VPN a VPN and it is still not working.  According to the error logs it appears to be an isakmp issue.

The error log on the 2811:

000123: *Apr 10 18:00:11.031 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of aggressive mode failed with peer at 192.168.24.54

The error log on the Cisco Client:


22     16:55:19.796  04/10/09  Sev=Warning/2      CVPND/0xA3400011
Error -1 sending packet. Dst Addr: 0xA9FE1AFF, Src Addr: 0xA9FE1A09 (DRVIFACE:1201).

23     16:55:19.812  04/10/09  Sev=Warning/2      IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

24     16:55:19.812  04/10/09  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

Any ideas?  Thanks






Current configuration : 11845 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname _2811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 informational
no logging console
logging monitor informational
enable secret "password"
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login userauthen local
aaa authorization exec local_author local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EST recurring
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip telnet hidden addresses
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.24.1 192.168.24.29
ip dhcp excluded-address 192.168.24.61 192.168.24.254
!
ip dhcp pool IPs
   network 192.168.24.0 255.255.255.0
   default-router 192.168.24.254
   dns-server 192.168.4.5
!
!
no ip bootp server
ip host mail.mail.com 192.168.4.12
ip host excmail.mail.com 192.168.4.12
ip name-server 192.168.4.5
ip ssh time-out 60
ip ssh authentication-retries 2
ip port-map smtp port tcp 8025
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW esmtp
ip ips notify SDEE
ip ips name sdm_ips_rule
ip dhcp-server 192.168.24.119
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
!
username ers_admin secret password
username samk password password
username bmills password password
archive
 log config
  hidekeys
!
!
class-map match-any SDM-Transactional-1
 match  dscp af21
 match  dscp af22
 match  dscp af23
class-map match-any SDM-Signaling-1
 match  dscp cs3
 match  dscp af31
class-map match-any SDM-Scavenger-1
 match  dscp cs1
class-map match-any SDM-Routing-1
 match  dscp cs6
class-map match-any SDM-Voice-1
 match  dscp ef
class-map match-any SDM-Streaming-Video-1
 match  dscp cs4
class-map match-any SDM-Management-1
 match  dscp cs2
class-map match-any SDM-Interactive-Video-1
 match  dscp af41
class-map match-any SDM-BulkData-1
 match  dscp af11
 match  dscp af12
 match  dscp af13
!
!
policy-map SDM-QoS-Policy-1
 class SDM-Voice-1
  priority percent 15
  police cir percent 15
    conform-action transmit
    exceed-action drop
    violate-action drop
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key "Secret Value" address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group VPNGroup
 key "Secret Value"
 dns 192.168.4.5
 pool ippool
 acl 100
 netmask 255.255.255.0
!
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Tunnel0
 description Tunnel to Miami
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1416
 ip nhrp authentication "password"
 ip nhrp map 10.0.0.1 "IP Address"
 ip nhrp map multicast "IP Address"
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip virtual-reassembly
 delay 1000
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 102030
 tunnel protection ipsec profile vpnprof
!
interface Null0
 no ip unreachables
!
interface Loopback0
 ip address 192.168.60.254 255.255.255.0
!
interface FastEthernet0/0
 description Outside Cable Modem
 ip address "IP" 255.255.255.248
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex full
 speed 100
 no mop enabled
 crypto map clientmap
!
interface FastEthernet0/1
 description ETH-LAN$FW_INSIDE$
 ip address 192.168.24.1 255.255.255.0 secondary
 ip address 192.168.24.254 255.255.255.0
 ip helper-address 192.168.24.119
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
router eigrp 200
 network 10.0.0.0 0.0.0.255
 network 192.168.4.0
 network 192.168.24.0
 network 192.168.60.0
 auto-summary
!
ip local pool ippool 192.168.24.200 192.168.24.230
ip classless
ip route 0.0.0.0 0.0.0.0 "Cable Gateway"
ip route 192.168.20.0 255.255.255.0 10.0.0.1
ip route 192.168.25.0 255.255.255.0 192.168.24.248
ip route 192.168.30.0 255.255.255.0 10.0.0.1
ip route 192.168.34.0 255.255.255.0 10.0.0.1
ip route 192.168.40.0 255.255.255.0 10.0.0.1
ip route 192.168.47.0 255.255.255.0 10.0.0.1
ip route 192.168.50.0 255.255.255.0 10.0.0.1
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 10 permit any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host "DSN IP" eq domain host "f0/0 IP"
access-list 105 permit udp any host "f0/0 IP" eq non500-isakmp
access-list 105 permit udp any host "f0/0 IP" eq isakmp
access-list 105 permit esp any host "f0/0 IP"
access-list 105 permit ahp any host "f0/0 IP"
access-list 105 permit gre any host "f0/0 IP"
access-list 105 deny   ip 192.168.24.0 0.0.0.255 any
access-list 105 permit icmp any host "f0/0 IP" echo-reply
access-list 105 permit icmp any host "f0/0 IP" time-exceeded
access-list 105 permit icmp any host "f0/0 IP" unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 175 permit ip 192.168.0.0 0.0.255.255 any
no cdp run
!
route-map nonat permit 10
 match ip address 175
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0
 no comfort-noise
 timeouts call-disconnect 0
!
voice-port 0/0/1
 no comfort-noise
 timeouts call-disconnect 0
 
!
dial-peer voice 1 pots
 destination-pattern 60
 port 0/0/0
!
dial-peer voice 2 pots
 destination-pattern 60
 port 0/0/1
!
dial-peer voice 7 voip
 description to London
 destination-pattern 1.
 session target ipv4:192.168.34.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 8 voip
 description to Minot
 destination-pattern 2.
 session target ipv4:192.168.20.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 9 voip
 description to Jamica
 destination-pattern 4.
 session target ipv4:192.168.40.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 10 voip
 description to Boston
 destination-pattern 5.
 session target ipv4:192.168.50.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 11 voip
 description to LA
 destination-pattern 3.
 session target ipv4:192.168.30.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 12 voip
 description to uc500
 destination-pattern 27..
 session target ipv4:192.168.48.254
 dtmf-relay h245-alphanumeric
!
!
telephony-service
 load 7910 P00403020214
 load 7960-7940 P0030702T023
 max-ephones 5
 max-dn 5
 ip source-address 192.168.60.254 port 2000
 auto assign 1 to 5
 system message xxxxx
 time-zone 12
 create cnf-files version-stamp 7960 May 09 2008 09:54:27
 max-conferences 8 gain -6
 call-forward pattern .T
 transfer-system full-consult
 secondary-dialtone 9
!
!
ephone-dn  1
 number 6101
!
!
ephone-dn  2
 number 6102
 description Sam Johnson
 call-forward busy number
 call-forward noan number timeout 10
!
!
ephone-dn  3
 number 6103
!
!
ephone-dn  4
 number 6104
!
!
ephone-dn  5
 number 6105
!
!
ephone  1
 username "curt" password 1234
 mac-address 00xx.B9xx.5xx6
 speed-dial 1 6102 label "Sam"
 type CIPC
 button  1:1
!
!
ephone  2
 username "sam" password 1234
 mac-address 00xx.B9xx.5xx6
 speed-dial 1 6101 label "Curt"
 speed-dial 2 10 label "LIG"
 type CIPC
 button  1:2
!
!
ephone  3
 username "cory" password 1234
 mac-address 00xx.B9xx.5xx6
 type CIPC
 button  1:3
!
!
ephone  4
!
!
!
ephone  5
!
!
banner login ^CCCC***********************************************************
   WARNING TO UNAUTHORIZED USERS: This system is for the
use of authorized users only. Individuals using this
computer system without authority, or in excess of their
authority, are subject to having all of their activities
on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using
this system, or in the course of system maintenance, the
activities of authorized users may be monitored.  Anyone
using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
evidence of such monitoring to law enforecement officials.
***********************************************************
                   
^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 modem InOut
 transport output all
line vty 0 4
 access-class 102 in
 exec-timeout 20 0
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Question by:millsusaf
16 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24120578
Run "debug crypto isakmp" on the router and provide the output.
 
LVL 28

Expert Comment

by:asavener
ID: 24120586
 

Author Comment

by:millsusaf
ID: 24129351
Here is the output.  It looks like it is getting the wrong policy and trying to use the VPN tunnel's policy.  I'm just not sure how to fix it.

Thanks


2811#sho log
Syslog logging: enabled (11 messages dropped, 2 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: level informational, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 428 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
 
No active filter modules.
 
    Trap logging: level informational, 814 message lines logged
 
Log Buffer (4096 bytes):
AKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001402: *Apr 13 09:45:59.163 EST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
001403: *Apr 13 09:45:59.163 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001404: *Apr 13 09:45:59.163 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 65535 policy
001405: *Apr 13 09:45:59.163 EST: ISAKMP:      encryption DES-CBC
001406: *Apr 13 09:45:59.163 EST: ISAKMP:      hash MD5
001407: *Apr 13 09:45:59.167 EST: ISAKMP:      default group 2
001408: *Apr 13 09:45:59.167 EST: ISAKMP:      auth XAUTHInitPreShared
001409: *Apr 13 09:45:59.167 EST: ISAKMP:      life type in seconds
001410: *Apr 13 09:45:59.167 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001411: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
001412: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001413: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
001414: *Apr 13 09:45:59.167 EST: ISAKMP:      encryption DES-CBC
001415: *Apr 13 09:45:59.167 EST: ISAKMP:      hash MD5
001416: *Apr 13 09:45:59.167 EST: ISAKMP:      default group 2
001417: *Apr 13 09:45:59.167 EST: ISAKMP:      auth pre-share
001418: *Apr 13 09:45:59.167 EST: ISAKMP:      life type in seconds
001419: *Apr 13 09:45:59.167 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001420: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
001421: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
001422: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):no offers accepted!
001423: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 75.150.250.249 remote 192.168.24.59)
001424: *Apr 13 09:45:59.171 EST: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
001425: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0): sending packet to 192.168.24.59 my_port 500 peer_port 2153 (R) AG_NO_STATE
001426: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
 
001427: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
001428: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
001429: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
001430: *Apr 13 09:45:59.171 EST: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
001431: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
001432: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY
 
001433: *Apr 13 09:45:59.171 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.24.59
001434: *Apr 13 09:45:59.175 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
001435: *Apr 13 09:45:59.175 EST: ISAKMP: Unlocking IKE struct 0x47041BE8 for isadb_mark_sa_deleted(), count 0
001436: *Apr 13 09:45:59.175 EST: ISAKMP: Deleting peer node by peer_reap for 192.168.24.59: 47041BE8
001437: *Apr 13 09:45:59.175 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001438: *Apr 13 09:45:59.175 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA
 
001439: *Apr 13 09:46:04.115 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 2153 Global (R) MM_NO_STATE
001440: *Apr 13 09:46:04.807 EST: %SEC-6-IPACCESSLOGP: list 105 denied udp 209.211.201.167(5004) -> 75.150.250.249(1668), 2 packets
001441: *Apr 13 09:46:09.119 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 2153 Global (R) MM_NO_STATE
001442: *Apr 13 09:46:14.119 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 2153 Global (R) MM_NO_STATE

 
LVL 28

Expert Comment

by:asavener
ID: 24129590
crypto isakmp policy 2
 authentication pre-share
hash md5
group 2



 

Author Comment

by:millsusaf
ID: 24130006
I implemented the code you suggested; however, the VPN client still will not connect.

I have attached the current debug from an attempt post code add.

Thanks

show run snip....

crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
crypto isakmp key "KEY" address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group "Name"
 key "KEY"
 dns 192.168.4.5
 pool ippool
 acl 100
 netmask 255.255.255.0
!
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap





2811#sho logging
Syslog logging: enabled (11 messages dropped, 4 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: level informational, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 617 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
 
No active filter modules.
 
    Trap logging: level informational, 968 message lines logged
 
Log Buffer (4096 bytes):
 ISAKMP:      auth pre-share
004068: *Apr 13 11:18:00.651 EST: ISAKMP:      life type in seconds
004069: *Apr 13 11:18:00.651 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
004070: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
004071: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
004072: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 65535 policy
004073: *Apr 13 11:18:00.651 EST: ISAKMP:      encryption DES-CBC
004074: *Apr 13 11:18:00.651 EST: ISAKMP:      hash MD5
004075: *Apr 13 11:18:00.651 EST: ISAKMP:      default group 2
004076: *Apr 13 11:18:00.651 EST: ISAKMP:      auth XAUTHInitPreShared
004077: *Apr 13 11:18:00.651 EST: ISAKMP:      life type in seconds
004078: *Apr 13 11:18:00.651 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
004079: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
004080: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
004081: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
004082: *Apr 13 11:18:00.655 EST: ISAKMP:      encryption DES-CBC
004083: *Apr 13 11:18:00.655 EST: ISAKMP:      hash MD5
004084: *Apr 13 11:18:00.655 EST: ISAKMP:      default group 2
004085: *Apr 13 11:18:00.655 EST: ISAKMP:      auth pre-share
004086: *Apr 13 11:18:00.655 EST: ISAKMP:      life type in seconds
004087: *Apr 13 11:18:00.655 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
004088: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
004089: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
004090: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0):no offers accepted!
004091: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local "IP" remote 192.168.24.59)
004092: *Apr 13 11:18:00.655 EST: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
004093: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0): sending packet to 192.168.24.59 my_port 500 peer_port 1733 (R) AG_NO_STATE
004094: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
 
004095: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
004096: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
004097: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
004098: *Apr 13 11:18:00.659 EST: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
004099: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
004100: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY
 
004101: *Apr 13 11:18:00.659 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.24.59
004102: *Apr 13 11:18:00.663 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
004103: *Apr 13 11:18:00.663 EST: ISAKMP: Unlocking IKE struct 0x471A87CC for isadb_mark_sa_deleted(), count 0
004104: *Apr 13 11:18:00.663 EST: ISAKMP: Deleting peer node by peer_reap for 192.168.24.59: 471A87CC
004105: *Apr 13 11:18:00.663 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
004106: *Apr 13 11:18:00.663 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA
 
004107: *Apr 13 11:18:05.923 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1733 Global (R) MM_NO_STATE
004108: *Apr 13 11:18:10.923 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1733 Global (R) MM_NO_STATE
004109: *Apr 13 11:18:15.923 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1733 Global (R) MM_NO_STATE

 
LVL 28

Expert Comment

by:asavener
ID: 24134793
OK, let's try adding this:

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
 

Author Comment

by:millsusaf
ID: 24137528
Same issue.



2811#sho log
Syslog logging: enabled (11 messages dropped, 7 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: level informational, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 2412 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
 
No active filter modules.
 
    Trap logging: level informational, 1767 message lines logged
 
Log Buffer (4096 bytes):
2
005579: *Apr 14 09:29:27.269 EST: ISAKMP:      auth pre-share
005580: *Apr 14 09:29:27.269 EST: ISAKMP:      life type in seconds
005581: *Apr 14 09:29:27.269 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
005582: *Apr 14 09:29:27.269 EST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
005583: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
005584: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 65535 policy
005585: *Apr 14 09:29:27.273 EST: ISAKMP:      encryption DES-CBC
005586: *Apr 14 09:29:27.273 EST: ISAKMP:      hash MD5
005587: *Apr 14 09:29:27.273 EST: ISAKMP:      default group 2
005588: *Apr 14 09:29:27.273 EST: ISAKMP:      auth XAUTHInitPreShared
005589: *Apr 14 09:29:27.273 EST: ISAKMP:      life type in seconds
005590: *Apr 14 09:29:27.273 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
005591: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
005592: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
005593: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
005594: *Apr 14 09:29:27.273 EST: ISAKMP:      encryption DES-CBC
005595: *Apr 14 09:29:27.277 EST: ISAKMP:      hash MD5
005596: *Apr 14 09:29:27.277 EST: ISAKMP:      default group 2
005597: *Apr 14 09:29:27.277 EST: ISAKMP:      auth pre-share
005598: *Apr 14 09:29:27.277 EST: ISAKMP:      life type in seconds
005599: *Apr 14 09:29:27.277 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
005600: *Apr 14 09:29:27.277 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
005601: *Apr 14 09:29:27.277 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
005602: *Apr 14 09:29:27.277 EST: ISAKMP:(0:0:N/A:0):no offers accepted!
005603: *Apr 14 09:29:27.277 EST: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local "IP" remote 192.168.24.59)
005604: *Apr 14 09:29:27.281 EST: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
005605: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0): sending packet to 192.168.24.59 my_port 500 peer_port 1981 (R) AG_NO_STATE
005606: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
 
005607: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
005608: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
005609: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
005610: *Apr 14 09:29:27.281 EST: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
005611: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
005612: *Apr 14 09:29:27.285 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY
 
005613: *Apr 14 09:29:27.285 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
005614: *Apr 14 09:29:27.285 EST: ISAKMP: Unlocking IKE struct 0x472712F4 for isadb_mark_sa_deleted(), count 0
005615: *Apr 14 09:29:27.285 EST: ISAKMP: Deleting peer node by peer_reap for 192.168.24.59: 472712F4
005616: *Apr 14 09:29:27.285 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
005617: *Apr 14 09:29:27.285 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA
 
005618: *Apr 14 09:29:32.209 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1981 Global (R) MM_NO_STATE
005619: *Apr 14 09:29:37.213 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1981 Global (R) MM_NO_STATE
005620: *Apr 14 09:29:41.737 EST: ISAKMP:(0:0:N/A:0):purging SA., sa=4720ABD0, delme=4720ABD0
005621: *Apr 14 09:29:42.213 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1981 Global (R) MM_NO_STATE

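The debug output in this post and the two earlier ones shows the router testing each transform the client offered against a policy and printing only the first attribute that fails ("Encryption algorithm offered does not match policy!", "Hash algorithm offered does not match policy!") before moving to the next transform. Because the router runs `logging buffered 4096`, `show log` only kept the last 4 KB of the debug: what survived is the comparison of transforms 13 and 14 against the built-in policy 65535, while the checks against policies 1 to 4 scrolled off. The Python below is an added example, not code from this thread or from Cisco: it parses `crypto isakmp policy` blocks and `debug crypto isakmp` lines, rebuilds each offered transform, and reports every attribute on which each configured policy would reject it and which policies would accept it, so even the surviving tail of a buffer can be read systematically. Assumptions, also marked in the code: the IOS 12.4 defaults for attributes a policy leaves unset (des, sha, rsa-sig, group 1), the order in which IOS checks attributes after encryption and hash, and the wording of the auth-method and DH-group mismatch messages; the sample config and debug lines are taken from the posts above.

```python
"""Replay the phase-1 policy check that `debug crypto isakmp` prints (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Unset policy attributes take the IOS 12.4 defaults (assumed: des, sha, rsa-sig, group 1);
# 65535 is the built-in policy the router checks last. Dict order is the order in which
# IOS reports the first failing attribute (encryption, hash confirmed by the thread's debug).
DEFAULTS = {"encryption": "DES-CBC", "hash": "SHA", "authentication": "rsa-sig", "group": "1"}
NAMES = {"des": "DES-CBC", "3des": "3DES-CBC", "aes": "AES-CBC", "md5": "MD5", "sha": "SHA"}
# The Cisco VPN client offers XAUTHInitPreShared; a policy with `authentication pre-share`
# accepts it when the crypto map has `client authentication list`, so both normalise alike.
AUTH = {"pre-share": "pre-share", "XAUTHInitPreShared": "pre-share"}
MISMATCH = {"Encryption algorithm": "encryption", "Hash algorithm": "hash",
            "Auth method": "authentication", "Diffie-Hellman group": "group"}  # last two assumed
RE_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
RE_ATTR = re.compile(r"ISAKMP:\s+(?:default )?(encryption|hash|group|auth) (\S+)")
RE_MISMATCH = re.compile("(%s) offered does not match policy" % "|".join(MISMATCH))

@dataclass
class Proposal:
    transform: int
    policy: int                        # priority the router checked it against
    attrs: Dict[str, str] = field(default_factory=dict)
    xauth: bool = False                # peer asked for extended authentication
    ios_verdict: Optional[str] = None  # attribute IOS rejected on, or "accepted"

def parse_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Parse `crypto isakmp policy N` blocks; unset attributes take DEFAULTS."""
    policies, cur = {}, None
    for raw in config.splitlines():
        if m := re.match(r"crypto isakmp policy (\d+)\s*$", raw):
            cur = policies[int(m.group(1))] = dict(DEFAULTS)
        elif not raw.startswith(" "):
            cur = None                 # any unindented line closes the block
        elif cur is not None and len(parts := raw.split()) >= 2:
            kw = {"encr": "encryption"}.get(parts[0], parts[0])
            if kw in DEFAULTS:
                cur[kw] = NAMES.get(parts[1], parts[1])
    policies.setdefault(65535, dict(DEFAULTS))
    return policies

def parse_debug(debug: str) -> List[Proposal]:
    """Group the per-attribute debug lines into one record per transform check."""
    proposals, cur = [], None
    for line in debug.splitlines():
        if m := RE_CHECK.search(line):
            cur = Proposal(int(m.group(1)), int(m.group(2)))
            proposals.append(cur)
        elif cur is None:
            continue
        elif m := RE_ATTR.search(line):
            key, val = m.groups()
            if key == "auth":
                cur.xauth = val.startswith("XAUTH")
                cur.attrs["authentication"] = AUTH.get(val, val)
            else:
                cur.attrs[key] = val
        elif m := RE_MISMATCH.search(line):
            cur.ios_verdict = cur.ios_verdict or MISMATCH[m.group(1)]
        elif "atts are acceptable" in line:
            cur.ios_verdict = "accepted"
    return proposals

def mismatches(policy: Dict[str, str], p: Proposal) -> List[str]:
    """All differing attributes in IOS check order (IOS stops at the first); lifetime is not compared."""
    return [a for a in DEFAULTS if p.attrs.get(a) != policy[a]]

def matching_policies(policies: Dict[int, Dict[str, str]], p: Proposal) -> List[int]:
    return sorted(n for n, pol in policies.items() if not mismatches(pol, p))

# Sample input taken from the thread: policies 2 and 3 as suggested, and the debug lines
# for the last two transforms the client offered (the only ones the log buffer kept).
CONFIG = """\
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
"""
DEBUG = """\
001404: *Apr 13 09:45:59.163 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 65535 policy
001405: *Apr 13 09:45:59.163 EST: ISAKMP:      encryption DES-CBC
001406: *Apr 13 09:45:59.163 EST: ISAKMP:      hash MD5
001407: *Apr 13 09:45:59.167 EST: ISAKMP:      default group 2
001408: *Apr 13 09:45:59.167 EST: ISAKMP:      auth XAUTHInitPreShared
001411: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
001413: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
001414: *Apr 13 09:45:59.167 EST: ISAKMP:      encryption DES-CBC
001415: *Apr 13 09:45:59.167 EST: ISAKMP:      hash MD5
001416: *Apr 13 09:45:59.167 EST: ISAKMP:      default group 2
001417: *Apr 13 09:45:59.167 EST: ISAKMP:      auth pre-share
001420: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
"""

if __name__ == "__main__":
    pols = parse_policies(CONFIG)
    for p in parse_debug(DEBUG):
        print(p.transform, mismatches(pols[p.policy], p), p.ios_verdict, matching_policies(pols, p))
```

Run against the surviving lines, the script finds that transform 14 (DES, MD5, group 2, pre-share) matches policy 2 on every attribute and fails the 3des policy on encryption, that the XAUTH variant in transform 13 normalises to the same pre-share policy, and that the first mismatch against the built-in policy 65535 is the hash, the same attribute IOS printed. What it cannot show is why policies 1 to 4 rejected the offer, because those lines never reached the buffer: capturing them needs a larger `logging buffered` size before the next connection attempt.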
 
LVL 28

Expert Comment

by:asavener
ID: 24138163
You're using the Cisco VPN client?
 

Author Comment

by:millsusaf
ID: 24138205
Yes, IPSec/UDP Transport version 5.0.05.0290.  It worked with the dedicated VPN but isn't with the combined edge router/VPN config.


 
LVL 28

Expert Comment

by:asavener
ID: 24138360
Do you have the same IOS version installed that was on the original VPN router?
 

Author Comment

by:millsusaf
ID: 24138472
I know for a fact they are both running on 12.4 but since the other 2811 isn't here anymore I don't know what exact version it is on.
 
LVL 28

Expert Comment

by:asavener
ID: 24138588
The other router had both the multipoint GRE tunnel and the remote access VPN?
 

Author Comment

by:millsusaf
ID: 24138704
No, just an external only VPN config.

code attached from the original VPN.

Thanks

!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret "Password"
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication login local_authen local
aaa authorization exec local_author local 
aaa authorization network groupauthor local 
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
dot11 syslog
!
!
ip cef
!
!
ip host mail.mail.com 192.168.4.12
ip host exc1.mail.com 192.168.4.12
ip name-server 192.168.4.5
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
username admin secret "Password"
username samk password "Password"
username bills password "Password"
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group "Name"
 key "Key"
 dns 192.168.4.5
 pool ippool
 acl 100
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set myset 
 reverse-route
!
! 
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
!
interface FastEthernet0/0
 ip address "IP" 255.255.255.248
 duplex full
 speed 100
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 192.168.24.251 255.255.255.0
 duplex full
 speed 100
!
router eigrp 200
 network 192.168.4.0
 network 192.168.24.0
 auto-summary
!
ip local pool ippool 192.168.24.200 192.168.24.230
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 "F0/0 IP"
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
!
!
control-plane
!
!
banner login ^CC***********************************************************
   WARNING TO UNAUTHORIZED USERS: This system is for the
use of authorized users only. Individuals using this
computer system without authority, or in excess of their
authority, are subject to having all of their activities
on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using
this system, or in the course of system maintenance, the
activities of authorized users may be monitored.  Anyone
using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
evidence of such monitoring to law enforecement officials.
***********************************************************
                    
^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 modem InOut
 transport output all
line vty 0 4
 exec-timeout 20 0
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

 
LVL 28

Assisted Solution

by:asavener
asavener earned 500 total points
ID: 24141186
OK, I think the configurations for the remote access VPN and dynamic multipoint GRE tunnel are interfering with each other.

I would suggest opening a technical assistance case with Cisco.
 

Accepted Solution

by:
millsusaf earned 0 total points
ID: 24175127
I worked the issue out with Cisco TAC.

Thanks
 
LVL 28

Expert Comment

by:asavener
ID: 24175385
Can you post your final configuration?