Solved

Added VPN functions to the router and it's not working

Posted on 2009-04-10
Last Modified: 2012-05-11
Hello

Thanks to the folks on this site I had two 2811 routers, one a functioning VPN and one a functioning router, working perfectly. I had to re-purpose the 2811 whose purpose in life was the VPN to another project. So now I'm trying to combine the two routers into one, but it's not working. The router is still functioning properly; however, the VPN portion is not working. I've added all the commands that made the VPN a VPN and it is still not working. According to the error logs it appears to be an isakmp issue.

The error log on the 2811:

000123: *Apr 10 18:00:11.031 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of aggressive mode failed with peer at 192.168.24.54

The error log on the Cisco Client:


22     16:55:19.796  04/10/09  Sev=Warning/2      CVPND/0xA3400011
Error -1 sending packet. Dst Addr: 0xA9FE1AFF, Src Addr: 0xA9FE1A09 (DRVIFACE:1201).

23     16:55:19.812  04/10/09  Sev=Warning/2      IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

24     16:55:19.812  04/10/09  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

Any ideas?  Thanks






Current configuration : 11845 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname _2811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 informational
no logging console
logging monitor informational
enable secret "password"
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login userauthen local
aaa authorization exec local_author local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EST recurring
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip telnet hidden addresses
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.24.1 192.168.24.29
ip dhcp excluded-address 192.168.24.61 192.168.24.254
!
ip dhcp pool IPs
   network 192.168.24.0 255.255.255.0
   default-router 192.168.24.254
   dns-server 192.168.4.5
!
!
no ip bootp server
ip host mail.mail.com 192.168.4.12
ip host excmail.mail.com 192.168.4.12
ip name-server 192.168.4.5
ip ssh time-out 60
ip ssh authentication-retries 2
ip port-map smtp port tcp 8025
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW esmtp
ip ips notify SDEE
ip ips name sdm_ips_rule
ip dhcp-server 192.168.24.119
!
!
voice-card 0
 no dspfarm
!
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
!
username ers_admin secret password
username samk password password
username bmills password password
archive
 log config
  hidekeys
!
!
class-map match-any SDM-Transactional-1
 match  dscp af21
 match  dscp af22
 match  dscp af23
class-map match-any SDM-Signaling-1
 match  dscp cs3
 match  dscp af31
class-map match-any SDM-Scavenger-1
 match  dscp cs1
class-map match-any SDM-Routing-1
 match  dscp cs6
class-map match-any SDM-Voice-1
 match  dscp ef
class-map match-any SDM-Streaming-Video-1
 match  dscp cs4
class-map match-any SDM-Management-1
 match  dscp cs2
class-map match-any SDM-Interactive-Video-1
 match  dscp af41
class-map match-any SDM-BulkData-1
 match  dscp af11
 match  dscp af12
 match  dscp af13
!
!
policy-map SDM-QoS-Policy-1
 class SDM-Voice-1
  priority percent 15
  police cir percent 15
    conform-action transmit
    exceed-action drop
    violate-action drop
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key "Secret Value" address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group VPNGroup
 key "Secret Value"
 dns 192.168.4.5
 pool ippool
 acl 100
 netmask 255.255.255.0
!
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
interface Tunnel0
 description Tunnel to Miami
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1416
 ip nhrp authentication "password"
 ip nhrp map 10.0.0.1 "IP Address"
 ip nhrp map multicast "IP Address"
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip virtual-reassembly
 delay 1000
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 102030
 tunnel protection ipsec profile vpnprof
!
interface Null0
 no ip unreachables
!
interface Loopback0
 ip address 192.168.60.254 255.255.255.0
!
interface FastEthernet0/0
 description Outside Cable Modem
 ip address "IP" 255.255.255.248
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex full
 speed 100
 no mop enabled
 crypto map clientmap
!
interface FastEthernet0/1
 description ETH-LAN$FW_INSIDE$
 ip address 192.168.24.1 255.255.255.0 secondary
 ip address 192.168.24.254 255.255.255.0
 ip helper-address 192.168.24.119
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
router eigrp 200
 network 10.0.0.0 0.0.0.255
 network 192.168.4.0
 network 192.168.24.0
 network 192.168.60.0
 auto-summary
!
ip local pool ippool 192.168.24.200 192.168.24.230
ip classless
ip route 0.0.0.0 0.0.0.0 "Cable Gateway"
ip route 192.168.20.0 255.255.255.0 10.0.0.1
ip route 192.168.25.0 255.255.255.0 192.168.24.248
ip route 192.168.30.0 255.255.255.0 10.0.0.1
ip route 192.168.34.0 255.255.255.0 10.0.0.1
ip route 192.168.40.0 255.255.255.0 10.0.0.1
ip route 192.168.47.0 255.255.255.0 10.0.0.1
ip route 192.168.50.0 255.255.255.0 10.0.0.1
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 10 permit any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host "DSN IP" eq domain host "f0/0 IP"
access-list 105 permit udp any host "f0/0 IP" eq non500-isakmp
access-list 105 permit udp any host "f0/0 IP" eq isakmp
access-list 105 permit esp any host "f0/0 IP"
access-list 105 permit ahp any host "f0/0 IP"
access-list 105 permit gre any host "f0/0 IP"
access-list 105 deny   ip 192.168.24.0 0.0.0.255 any
access-list 105 permit icmp any host "f0/0 IP" echo-reply
access-list 105 permit icmp any host "f0/0 IP" time-exceeded
access-list 105 permit icmp any host "f0/0 IP" unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 175 permit ip 192.168.0.0 0.0.255.255 any
no cdp run
!
route-map nonat permit 10
 match ip address 175
!
!
control-plane
!
!
voice-port 0/0/0
 no comfort-noise
 timeouts call-disconnect 0
!
voice-port 0/0/1
 no comfort-noise
 timeouts call-disconnect 0
!
dial-peer voice 1 pots
 destination-pattern 60
 port 0/0/0
!
dial-peer voice 2 pots
 destination-pattern 60
 port 0/0/1
!
dial-peer voice 7 voip
 description to London
 destination-pattern 1.
 session target ipv4:192.168.34.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 8 voip
 description to Minot
 destination-pattern 2.
 session target ipv4:192.168.20.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 9 voip
 description to Jamica
 destination-pattern 4.
 session target ipv4:192.168.40.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 10 voip
 description to Boston
 destination-pattern 5.
 session target ipv4:192.168.50.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 11 voip
 description to LA
 destination-pattern 3.
 session target ipv4:192.168.30.254
 dtmf-relay h245-alphanumeric
!
dial-peer voice 12 voip
 description to uc500
 destination-pattern 27..
 session target ipv4:192.168.48.254
 dtmf-relay h245-alphanumeric
!
!
telephony-service
 load 7910 P00403020214
 load 7960-7940 P0030702T023
 max-ephones 5
 max-dn 5
 ip source-address 192.168.60.254 port 2000
 auto assign 1 to 5
 system message xxxxx
 time-zone 12
 create cnf-files version-stamp 7960 May 09 2008 09:54:27
 max-conferences 8 gain -6
 call-forward pattern .T
 transfer-system full-consult
 secondary-dialtone 9
!
!
ephone-dn  1
 number 6101
!
!
ephone-dn  2
 number 6102
 description Sam Johnson
 call-forward busy number
 call-forward noan number timeout 10
!
!
ephone-dn  3
 number 6103
!
!
ephone-dn  4
 number 6104
!
!
ephone-dn  5
 number 6105
!
!
ephone  1
 username "curt" password 1234
 mac-address 00xx.B9xx.5xx6
 speed-dial 1 6102 label "Sam"
 type CIPC
 button  1:1
!
!
ephone  2
 username "sam" password 1234
 mac-address 00xx.B9xx.5xx6
 speed-dial 1 6101 label "Curt"
 speed-dial 2 10 label "LIG"
 type CIPC
 button  1:2
!
!
ephone  3
 username "cory" password 1234
 mac-address 00xx.B9xx.5xx6
 type CIPC
 button  1:3
!
!
ephone  4
!
!
ephone  5
!
!
banner login ^CCCC***********************************************************
   WARNING TO UNAUTHORIZED USERS: This system is for the
use of authorized users only. Individuals using this
computer system without authority, or in excess of their
authority, are subject to having all of their activities
on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using
this system, or in the course of system maintenance, the
activities of authorized users may be monitored.  Anyone
using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
evidence of such monitoring to law enforecement officials.
***********************************************************

^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 modem InOut
 transport output all
line vty 0 4
 access-class 102 in
 exec-timeout 20 0
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
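An added check, not part of the question or of any reply in the thread: the crypto map for the remote-access clients is applied to FastEthernet0/0, and the same interface carries `ip access-group 105 in`, so everything a client sends has to get through access-list 105 before ISAKMP ever sees it. The script below is a small first-match evaluator for a Cisco numbered extended ACL. It is fed a copy of the posted access-list 105 in which the redacted "f0/0 IP" and "DSN IP" placeholders are replaced by the constructed documentation addresses 203.0.113.10 and 198.51.100.53, and it reports the verdict for the flows a Cisco VPN Client produces (IKE on UDP/500, NAT-T on UDP/4500, ESP) alongside a control flow that should be dropped.

```python
"""First-match evaluation of a Cisco numbered extended ACL against test packets,
used to confirm that the inbound ACL on the interface carrying the crypto map
admits what a remote-access IPsec client sends and still drops unsolicited traffic.

Added example for this thread, not the poster's code. ACL_105 copies the posted
access-list 105 with the redacted "f0/0 IP" and "DSN IP" replaced by the
constructed documentation addresses 203.0.113.10 and 198.51.100.53."""
import ipaddress

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53, "telnet": 23}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

ACL_105 = """\
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host 198.51.100.53 eq domain host 203.0.113.10
access-list 105 permit udp any host 203.0.113.10 eq non500-isakmp
access-list 105 permit udp any host 203.0.113.10 eq isakmp
access-list 105 permit esp any host 203.0.113.10
access-list 105 permit ahp any host 203.0.113.10
access-list 105 permit gre any host 203.0.113.10
access-list 105 deny   ip 192.168.24.0 0.0.0.255 any
access-list 105 permit icmp any host 203.0.113.10 echo-reply
access-list 105 permit icmp any host 203.0.113.10 time-exceeded
access-list 105 permit icmp any host 203.0.113.10 unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
"""


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard assumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard_bits = bin(int(ipaddress.ip_address(tokens[1]))).count("1")
    net = ipaddress.ip_network(f"{tokens[0]}/{32 - wildcard_bits}", strict=False)
    return net, tokens[2:]


def _port(tokens):
    """Consume an optional 'eq PORT' qualifier (name or number)."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text, number):
    """Entries of ACL `number`, in order: (action, proto, src, sport, dst, dport, icmp_type)."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        icmp_type = ICMP_TYPES.get(rest[0]) if proto == "icmp" and rest else None
        entries.append((action, proto, src, sport, dst, dport, icmp_type))
    return entries


def evaluate(entries, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """Return the action of the first matching entry, or the implicit 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp, it in entries:
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        if it is not None and it != icmp_type:
            continue
        return action
    return "deny"


def vpn_inbound_report(acl_text, outside_ip, client_ip, number=105):
    """Verdicts for the flows a remote-access client sends to the outside address."""
    entries = parse_acl(acl_text, number)
    return {
        "ike": evaluate(entries, "udp", client_ip, outside_ip, 2153, 500),
        "nat-t": evaluate(entries, "udp", client_ip, outside_ip, 4500, 4500),
        "esp": evaluate(entries, "esp", client_ip, outside_ip),
        "telnet": evaluate(entries, "tcp", client_ip, outside_ip, 40000, 23),
    }


if __name__ == "__main__":
    # 198.51.100.77 stands in for a client somewhere on the Internet.
    print(vpn_inbound_report(ACL_105, "203.0.113.10", "198.51.100.77"))
```

For the posted list the three VPN flows are permitted and an unsolicited Telnet attempt falls through to the closing `deny ip any any log`, so ACL 105 is not what is breaking phase 1. Two things the evaluator makes visible that are easy to miss by eye: the IKE permits sit above the anti-spoofing `deny ip 192.168.24.0 0.0.0.255 any`, so a UDP/500 packet with an inside-LAN source address would still be permitted by the ACL; and the ACL only governs packets entering FastEthernet0/0 at all, while `ip verify unicast reverse-path` on that interface independently discards a packet sourced from 192.168.24.0/24, which is reached via FastEthernet0/1. The peer address in the debug output posted later in the thread, 192.168.24.59, is in that inside range, which is worth keeping in mind when reading those logs.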
Question by millsusaf
16 Comments

Expert Comment by asavener (LVL 28), ID: 24120578
Run "debug crypto isakmp" on the router and provide the output.
Expert Comment by asavener (LVL 28), ID: 24120586

Author Comment by millsusaf, ID: 24129351
Here is the output. It looks like it is getting the wrong policy and trying to use the VPN tunnel's policy. I'm just not sure how to fix it.

Thanks


2811#sho log
Syslog logging: enabled (11 messages dropped, 2 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: level informational, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 428 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

    Trap logging: level informational, 814 message lines logged

Log Buffer (4096 bytes):
AKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001402: *Apr 13 09:45:59.163 EST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
001403: *Apr 13 09:45:59.163 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001404: *Apr 13 09:45:59.163 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 65535 policy
001405: *Apr 13 09:45:59.163 EST: ISAKMP:      encryption DES-CBC
001406: *Apr 13 09:45:59.163 EST: ISAKMP:      hash MD5
001407: *Apr 13 09:45:59.167 EST: ISAKMP:      default group 2
001408: *Apr 13 09:45:59.167 EST: ISAKMP:      auth XAUTHInitPreShared
001409: *Apr 13 09:45:59.167 EST: ISAKMP:      life type in seconds
001410: *Apr 13 09:45:59.167 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001411: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
001412: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
001413: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
001414: *Apr 13 09:45:59.167 EST: ISAKMP:      encryption DES-CBC
001415: *Apr 13 09:45:59.167 EST: ISAKMP:      hash MD5
001416: *Apr 13 09:45:59.167 EST: ISAKMP:      default group 2
001417: *Apr 13 09:45:59.167 EST: ISAKMP:      auth pre-share
001418: *Apr 13 09:45:59.167 EST: ISAKMP:      life type in seconds
001419: *Apr 13 09:45:59.167 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
001420: *Apr 13 09:45:59.167 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
001421: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
001422: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):no offers accepted!
001423: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 75.150.250.249 remote 192.168.24.59)
001424: *Apr 13 09:45:59.171 EST: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
001425: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0): sending packet to 192.168.24.59 my_port 500 peer_port 2153 (R) AG_NO_STATE
001426: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

001427: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
001428: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
001429: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
001430: *Apr 13 09:45:59.171 EST: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
001431: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
001432: *Apr 13 09:45:59.171 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY

001433: *Apr 13 09:45:59.171 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.24.59
001434: *Apr 13 09:45:59.175 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
001435: *Apr 13 09:45:59.175 EST: ISAKMP: Unlocking IKE struct 0x47041BE8 for isadb_mark_sa_deleted(), count 0
001436: *Apr 13 09:45:59.175 EST: ISAKMP: Deleting peer node by peer_reap for 192.168.24.59: 47041BE8
001437: *Apr 13 09:45:59.175 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001438: *Apr 13 09:45:59.175 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA

001439: *Apr 13 09:46:04.115 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 2153 Global (R) MM_NO_STATE
001440: *Apr 13 09:46:04.807 EST: %SEC-6-IPACCESSLOGP: list 105 denied udp 209.211.201.167(5004) -> 75.150.250.249(1668), 2 packets
001441: *Apr 13 09:46:09.119 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 2153 Global (R) MM_NO_STATE
001442: *Apr 13 09:46:14.119 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 2153 Global (R) MM_NO_STATE
Expert Comment by asavener (LVL 28), ID: 24129590
crypto isakmp policy 2
 authentication pre-share
 hash md5
 group 2
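An added example, not code from either participant: the debug lines in the post above print each transform the client proposes (encryption, hash, DH group, authentication method) and the priority of the policy it is being checked against, and the thread then adds policies one attribute at a time. The script below does that comparison offline. It parses `crypto isakmp policy` blocks out of a config snippet, fills in the IOS defaults for any attribute a policy does not set (`encr des`, `hash sha`, `group 1`, `authentication rsa-sig`, which are also the contents of the built-in priority-65535 policy the log shows being tried), parses the proposals out of `debug crypto isakmp` output, and reports which policies would accept each proposal. The debug excerpt and config strings in it are constructed to mirror the posted output with timestamps and sequence numbers dropped. One modelling assumption: a client proposal of `XAUTHInitPreShared` is treated as acceptable to a policy written with `authentication pre-share`, since the crypto map's `client authentication list` is what layers XAUTH on top of phase 1.

```python
"""Check the IKEv1 phase-1 proposals seen in `debug crypto isakmp` output
against the `crypto isakmp policy` entries of a config, filling in the IOS
defaults for any attribute a policy omits.

Added example for this thread, not code from the original posts. The debug
excerpt and config strings below are constructed to mirror the posted output
(timestamps and sequence numbers dropped)."""
import re

# Attributes IOS assumes when a `crypto isakmp policy` does not set them; the
# built-in lowest-priority policy (65535) is exactly these defaults.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "auth": "rsa-sig"}
DEFAULT_POLICY = 65535
ATTRS = ("encr", "hash", "group", "auth")

# Spelling used by the debug output -> spelling used by the policy commands.
ENCR_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
HASH_NAMES = {"MD5": "md5", "SHA": "sha"}
# Modelling assumption: the client's XAUTH-flavoured proposals are accepted by a
# policy written with the plain method, because the crypto map's
# `client authentication list` layers XAUTH on top of phase 1.
AUTH_NAMES = {"XAUTHInitPreShared": "pre-share", "XAUTHInitRSA": "rsa-sig"}

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth) (\S+)")


def parse_policies(config: str) -> dict[int, dict[str, str]]:
    """Return {priority: {encr, hash, group, auth}}, defaults filled, 65535 included."""
    policies = {DEFAULT_POLICY: dict(IOS_DEFAULTS)}
    current = None
    for raw in config.splitlines():
        m = POLICY_RE.match(raw)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        if current is None or not raw.startswith(" "):
            current = None  # any unindented line ends the policy block
            continue
        key, _, value = raw.strip().partition(" ")
        key = {"encryption": "encr", "authentication": "auth"}.get(key, key)
        if key in ATTRS:
            policies[current][key] = value
    return policies


def parse_proposals(debug: str) -> dict[int, dict[str, str]]:
    """Return {transform number: {encr, hash, group, auth}} for each complete offer seen."""
    offers = {}
    number = None
    for line in debug.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            number = int(m.group(1))
            offers.setdefault(number, {})
            continue
        m = ATTR_RE.search(line)
        if not m or number is None:
            continue
        key, value = m.groups()
        if key == "encryption":
            offers[number]["encr"] = ENCR_NAMES.get(value, value.lower())
        elif key == "hash":
            offers[number]["hash"] = HASH_NAMES.get(value, value.lower())
        elif key == "default group":
            offers[number]["group"] = value
        else:
            offers[number]["auth"] = AUTH_NAMES.get(value, value)
    return {n: a for n, a in sorted(offers.items()) if len(a) == len(ATTRS)}


def mismatches(offer: dict[str, str], policy: dict[str, str]) -> list[str]:
    """Attributes on which an offer and a policy disagree (empty list = match)."""
    return [a for a in ATTRS if offer[a] != policy[a]]


def matching_policies(debug: str, config: str) -> dict[int, list[int]]:
    """{transform number: priorities of the policies that would accept it}."""
    policies = parse_policies(config)
    return {n: [prio for prio, pol in sorted(policies.items()) if not mismatches(offer, pol)]
            for n, offer in parse_proposals(debug).items()}


# Constructed excerpt shaped like the posted log (the two DES/MD5 transforms).
SAMPLE_DEBUG = """\
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 65535 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
"""
# The thread's original policy set, then the set after asavener's policy 2.
ORIGINAL_CONFIG = "crypto isakmp policy 1\n authentication pre-share\n!\n"
PATCHED_CONFIG = ORIGINAL_CONFIG + "crypto isakmp policy 2\n hash md5\n authentication pre-share\n group 2\n!\n"

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("with policy 2", PATCHED_CONFIG)):
        print(f"{label}: {matching_policies(SAMPLE_DEBUG, cfg)}")
```

Run against the thread's original policy set (policy 1 with only `authentication pre-share`, which inherits `hash sha` and `group 1`), neither DES/MD5/group-2 transform matches anything, which is the `no offers accepted!` in the first log. With policy 2 added, the model matches both transforms on policy 2. A 3DES policy such as the `policy 3` on the original VPN router (posted later in the thread) cannot match a DES proposal and only matters for 3DES transforms; the `Encryption algorithm offered does not match policy!` printed just before transform 13 shows that an earlier, non-DES transform was offered, but the posted buffer starts mid-message and does not show it. Note also that each of the three posted logs is the 4096-byte tail of `logging buffered` and only shows the comparison against priority 65535, which IOS tries last; the comparisons against policies 1 through 4 happen earlier in the output, so a full `debug crypto isakmp` capture, or a larger logging buffer, is needed to see why a policy that should match was rejected.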
 

Author Comment by millsusaf, ID: 24130006
I implemented the code you suggested; however, the VPN client still will not connect.

I have attached the current debug output from an attempt made after adding the code.

Thanks

show run snip....

crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
crypto isakmp key "KEY" address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group "Name"
 key "KEY"
 dns 192.168.4.5
 pool ippool
 acl 100
 netmask 255.255.255.0
!
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap





2811#sho logging
Syslog logging: enabled (11 messages dropped, 4 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: level informational, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 617 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

    Trap logging: level informational, 968 message lines logged

Log Buffer (4096 bytes):
 ISAKMP:      auth pre-share
004068: *Apr 13 11:18:00.651 EST: ISAKMP:      life type in seconds
004069: *Apr 13 11:18:00.651 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
004070: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
004071: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
004072: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 65535 policy
004073: *Apr 13 11:18:00.651 EST: ISAKMP:      encryption DES-CBC
004074: *Apr 13 11:18:00.651 EST: ISAKMP:      hash MD5
004075: *Apr 13 11:18:00.651 EST: ISAKMP:      default group 2
004076: *Apr 13 11:18:00.651 EST: ISAKMP:      auth XAUTHInitPreShared
004077: *Apr 13 11:18:00.651 EST: ISAKMP:      life type in seconds
004078: *Apr 13 11:18:00.651 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
004079: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
004080: *Apr 13 11:18:00.651 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
004081: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
004082: *Apr 13 11:18:00.655 EST: ISAKMP:      encryption DES-CBC
004083: *Apr 13 11:18:00.655 EST: ISAKMP:      hash MD5
004084: *Apr 13 11:18:00.655 EST: ISAKMP:      default group 2
004085: *Apr 13 11:18:00.655 EST: ISAKMP:      auth pre-share
004086: *Apr 13 11:18:00.655 EST: ISAKMP:      life type in seconds
004087: *Apr 13 11:18:00.655 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
004088: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
004089: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
004090: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0):no offers accepted!
004091: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local "IP" remote 192.168.24.59)
004092: *Apr 13 11:18:00.655 EST: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
004093: *Apr 13 11:18:00.655 EST: ISAKMP:(0:0:N/A:0): sending packet to 192.168.24.59 my_port 500 peer_port 1733 (R) AG_NO_STATE
004094: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

004095: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
004096: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
004097: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
004098: *Apr 13 11:18:00.659 EST: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
004099: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
004100: *Apr 13 11:18:00.659 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY

004101: *Apr 13 11:18:00.659 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.24.59
004102: *Apr 13 11:18:00.663 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
004103: *Apr 13 11:18:00.663 EST: ISAKMP: Unlocking IKE struct 0x471A87CC for isadb_mark_sa_deleted(), count 0
004104: *Apr 13 11:18:00.663 EST: ISAKMP: Deleting peer node by peer_reap for 192.168.24.59: 471A87CC
004105: *Apr 13 11:18:00.663 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
004106: *Apr 13 11:18:00.663 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA

004107: *Apr 13 11:18:05.923 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1733 Global (R) MM_NO_STATE
004108: *Apr 13 11:18:10.923 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1733 Global (R) MM_NO_STATE
004109: *Apr 13 11:18:15.923 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1733 Global (R) MM_NO_STATE
Expert Comment by asavener (LVL 28), ID: 24134793
OK, let's try adding this:

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
Author Comment by millsusaf, ID: 24137528
Same issue.



2811#sho log
Syslog logging: enabled (11 messages dropped, 7 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: level informational, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 2412 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

    Trap logging: level informational, 1767 message lines logged

Log Buffer (4096 bytes):
2
005579: *Apr 14 09:29:27.269 EST: ISAKMP:      auth pre-share
005580: *Apr 14 09:29:27.269 EST: ISAKMP:      life type in seconds
005581: *Apr 14 09:29:27.269 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
005582: *Apr 14 09:29:27.269 EST: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
005583: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
005584: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against priority 65535 policy
005585: *Apr 14 09:29:27.273 EST: ISAKMP:      encryption DES-CBC
005586: *Apr 14 09:29:27.273 EST: ISAKMP:      hash MD5
005587: *Apr 14 09:29:27.273 EST: ISAKMP:      default group 2
005588: *Apr 14 09:29:27.273 EST: ISAKMP:      auth XAUTHInitPreShared
005589: *Apr 14 09:29:27.273 EST: ISAKMP:      life type in seconds
005590: *Apr 14 09:29:27.273 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
005591: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
005592: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
005593: *Apr 14 09:29:27.273 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against priority 65535 policy
005594: *Apr 14 09:29:27.273 EST: ISAKMP:      encryption DES-CBC
005595: *Apr 14 09:29:27.277 EST: ISAKMP:      hash MD5
005596: *Apr 14 09:29:27.277 EST: ISAKMP:      default group 2
005597: *Apr 14 09:29:27.277 EST: ISAKMP:      auth pre-share
005598: *Apr 14 09:29:27.277 EST: ISAKMP:      life type in seconds
005599: *Apr 14 09:29:27.277 EST: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
005600: *Apr 14 09:29:27.277 EST: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
005601: *Apr 14 09:29:27.277 EST: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
005602: *Apr 14 09:29:27.277 EST: ISAKMP:(0:0:N/A:0):no offers accepted!
005603: *Apr 14 09:29:27.277 EST: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local "IP" remote 192.168.24.59)
005604: *Apr 14 09:29:27.281 EST: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
005605: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0): sending packet to 192.168.24.59 my_port 500 peer_port 1981 (R) AG_NO_STATE
005606: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

005607: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
005608: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0): processing KE payload. message ID = 0
005609: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0): group size changed! Should be 0, is 128
005610: *Apr 14 09:29:27.281 EST: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
005611: *Apr 14 09:29:27.281 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
005612: *Apr 14 09:29:27.285 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_READY

005613: *Apr 14 09:29:27.285 EST: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.24.59)
005614: *Apr 14 09:29:27.285 EST: ISAKMP: Unlocking IKE struct 0x472712F4 for isadb_mark_sa_deleted(), count 0
005615: *Apr 14 09:29:27.285 EST: ISAKMP: Deleting peer node by peer_reap for 192.168.24.59: 472712F4
005616: *Apr 14 09:29:27.285 EST: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
005617: *Apr 14 09:29:27.285 EST: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_DEST_SA

005618: *Apr 14 09:29:32.209 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1981 Global (R) MM_NO_STATE
005619: *Apr 14 09:29:37.213 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1981 Global (R) MM_NO_STATE
005620: *Apr 14 09:29:41.737 EST: ISAKMP:(0:0:N/A:0):purging SA., sa=4720ABD0, delme=4720ABD0
005621: *Apr 14 09:29:42.213 EST: ISAKMP (0:0): received packet from 192.168.24.59 dport 500 sport 1981 Global (R) MM_NO_STATE
Expert Comment by asavener (LVL 28), ID: 24138163
You're using the Cisco VPN client?
Author Comment by millsusaf, ID: 24138205
Yes, IPSec/UDP transport, version 5.0.05.0290. It worked with the dedicated VPN but isn't working with the combined edge router/VPN config.


Expert Comment by asavener (LVL 28), ID: 24138360
Do you have the same IOS version installed that was on the original VPN router?
Author Comment by millsusaf, ID: 24138472
I know for a fact they are both running on 12.4 but since the other 2811 isn't here anymore I don't know what exact version it is on.
Expert Comment by asavener (LVL 28), ID: 24138588
The other router had both the multipoint GRE tunnel and the remote access VPN?
Author Comment by millsusaf, ID: 24138704
No, just an external-only VPN config.

Code attached from the original VPN.

Thanks


!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret "Password"
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
dot11 syslog
!
!
ip cef
!
!
ip host mail.mail.com 192.168.4.12
ip host exc1.mail.com 192.168.4.12
ip name-server 192.168.4.5
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
username admin secret "Password"
username samk password "Password"
username bills password "Password"
archive
 log config
  hidekeys
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group "Name"
 key "Key"
 dns 192.168.4.5
 pool ippool
 acl 100
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0/0
 ip address "IP" 255.255.255.248
 duplex full
 speed 100
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 192.168.24.251 255.255.255.0
 duplex full
 speed 100
!
router eigrp 200
 network 192.168.4.0
 network 192.168.24.0
 auto-summary
!
ip local pool ippool 192.168.24.200 192.168.24.230
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 "F0/0 IP"
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
!
!
control-plane
!
!
banner login ^CC***********************************************************
   WARNING TO UNAUTHORIZED USERS: This system is for the
use of authorized users only. Individuals using this
computer system without authority, or in excess of their
authority, are subject to having all of their activities
on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using
this system, or in the course of system maintenance, the
activities of authorized users may be monitored.  Anyone
using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
evidence of such monitoring to law enforecement officials.
***********************************************************

^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 modem InOut
 transport output all
line vty 0 4
 exec-timeout 20 0
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Assisted Solution by asavener (LVL 28), earned 500 total points, ID: 24141186
OK, I think the configurations for the remote access VPN and dynamic multipoint GRE tunnel are interfering with each other.

I would suggest opening a technical assistance case with Cisco.
Accepted Solution by millsusaf, earned 0 total points, ID: 24175127
I worked the issue out with Cisco TAC.

Thanks
Expert Comment by asavener (LVL 28), ID: 24175385
Can you post your final configuration?