  • Status: Solved

cisco 881w router cannot vpn

I had to re-set up my Cisco router and I cannot VPN in from an outside network. On the Cisco VPN Client I do not even get prompted for a username and password. Please let me know if there is an issue with my code.
User Access Verification

Username: mercxi
Password:

mercrouter>en
Password:
mercrouter#sh conf
Using 3483 out of 262136 bytes
!
! Last configuration change at 17:56:27 UTC Tue Jan 5 2010 by mercxi
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mercrouter
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$3IVE$Buf6q0hpsbncIOq56OcYs1
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
!
ip source-route
!
!
!
ip dhcp pool DATA
   network 50.0.0.0 255.255.255.0
   dns-server 50.0.0.1 4.2.2.2
   default-router 50.0.0.1
!
!
ip cef
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ddns update method DynDNS
 HTTP
  add http://xxxxxi:xxxx<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 10 0 0 0
 interval minimum 2 0 0 0
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn FTX1251Z0GX
license boot module c880-data level advipservices
!
!
username mercxi privilege 15 secret 5 $1$59zx$jW/LjS4Vmt12CO0NKlbdo1
!
!
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group mercdecember
 key merc84
 pool ippool
 acl 108
!
!
crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set mytransformset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap client authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 50
 !
!
interface FastEthernet1
 switchport access vlan 50
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 ip ddns update hostname XXXX.kicks-ass.net
 ip ddns update DynDNS host members.dyndns.org
 ip address dhcp
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
 !
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 55.0.0.1 255.255.255.0
 arp timeout 0
 !
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport access vlan 50
 !
!
interface Vlan1
 no ip address
 !
!
interface Vlan50
 ip address 50.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
ip local pool ippool 60.0.0.1 60.0.0.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 50.0.0.100 3074 interface FastEthernet4 3074
ip nat inside source static udp 50.0.0.100 3074 interface FastEthernet4 3074
ip nat inside source static udp 50.0.0.100 88 interface FastEthernet4 88
ip nat inside source route-map DATA interface FastEthernet4 overload
!
access-list 10 permit 50.0.0.0 0.0.0.255
access-list 101 permit ip 50.0.0.0 0.0.0.255 any
access-list 102 permit tcp host 204.13.248.112 eq www any log
access-list 108 permit ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
!
!
!
!
route-map DATA permit 10
 match ip address 101
!
!
control-plane
 !
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 password merc84
!
scheduler max-task-time 5000
end

mercrouter#


mmercaldi
Asked:
 
JDLoanerCommented:
I don't see an access-list 103 that's specified in FaEth4 allowing incoming traffic.
 
mmercaldiAuthor Commented:
I just performed the change, and it took down my router, lol. I have to go on site real quick. I'll be there in an hour.
 
JDLoanerCommented:
Ha, what did you put in?!
 
mmercaldiAuthor Commented:
I had to adjust access-list 102 to include "access-list 102 permit ip any any".

I also adjusted the security to something stronger:
hash sha

esp-aes esp-sha-hmac

Also, my VPN is still not working; apparently it is failing at phase 1. Any ideas?
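A note on what the access-group change in the post above actually does, as an added example that is not part of the original thread. IOS evaluates a numbered ACL top to bottom, first match wins, and a defined list ends with an implicit "deny ip any any"; but when "ip access-group 103 in" names an access list that was never defined, IOS applies no filter at all and passes every packet, so the original config was not dropping IKE on FastEthernet4. Pointing the interface at access-list 102 instead, which at the time permitted only web replies from one host, would drop the DHCP replies and IKE the WAN interface depends on (consistent with the outage reported above), and appending "permit ip any any" then removes the inbound filter altogether rather than admitting only the VPN. The script below models that evaluation on constructed packets and includes a hypothetical least-privilege list that admits only DHCP replies, IKE, NAT-T and ESP. The router's own WAN address is the one shown in the debug output on this page; the gateway, peer ports and probe address are made up.

```python
"""Model of Cisco IOS inbound ACL evaluation on an interface: first matching
entry wins, an implicit 'deny ip any any' ends every defined list, and an
'ip access-group' that names a list which was never defined filters nothing.
Added example; not code from the thread above.  Packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # 'tcp', 'udp', 'esp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry; 'ip' matches every protocol, None = any port."""
    action: str
    proto: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def evaluate(acl: Optional[List[Ace]], p: Packet) -> str:
    """'permit' or 'deny' for packet p under acl; acl=None is an undefined list."""
    if acl is None:          # 'ip access-group 103 in' with no access-list 103
        return "permit"
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"            # implicit deny at the end of a defined list


def verdicts(acl: Optional[List[Ace]]) -> Dict[str, str]:
    return {name: evaluate(acl, pkt) for name, pkt in TRAFFIC.items()}


# Inbound traffic the WAN interface must accept for the posted setup to work
# (DHCP-assigned address, IKE/IPsec remote access), plus one unsolicited probe.
# Addresses other than the router's own are made up.
WAN = "71.183.105.239"
TRAFFIC = {
    "dhcp-reply":   Packet("udp", "71.183.105.1", WAN, sport=67, dport=68),
    "ike":          Packet("udp", "65.51.119.2", WAN, sport=19949, dport=500),
    "nat-t":        Packet("udp", "65.51.119.2", WAN, sport=4500, dport=4500),
    "esp":          Packet("esp", "65.51.119.2", WAN),
    "telnet-probe": Packet("tcp", "198.51.100.7", WAN, sport=40000, dport=23),
}

# access-list 102 as first posted: one entry, web replies from one host.
ACL_102_ORIGINAL = [Ace("permit", "tcp", src="204.13.248.112/32", sport=80)]
# access-list 102 after 'permit ip any any' was appended.
ACL_102_PATCHED = ACL_102_ORIGINAL + [Ace("permit", "ip")]
# Hypothetical least-privilege alternative for this WAN interface.
ACL_TIGHT = [
    Ace("permit", "udp", sport=67, dport=68),   # DHCP replies to the WAN lease
    Ace("permit", "udp", dport=500),            # IKE
    Ace("permit", "udp", dport=4500),           # IKE and ESP over NAT-T
    Ace("permit", "esp"),                       # IPsec data
]

if __name__ == "__main__":
    for label, acl in [("103 (undefined)", None), ("102 original", ACL_102_ORIGINAL),
                       ("102 + permit ip any any", ACL_102_PATCHED), ("tight", ACL_TIGHT)]:
        print(f"{label:24} {verdicts(acl)}")
```

Run as-is it prints one verdict line per list; the undefined list and the patched list both permit everything, including the probe, while the tight list admits only what the VPN and the DHCP lease need.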
 
JDLoanerCommented:
Run debug and paste the output as you try to connect.  What VPN Client are you trying to use?
 
mmercaldiAuthor Commented:


User Access Verification

Username: mercxi
Password:

mercrouter>en
Password:
mercrouter#term mon
mercrouter#debug isakmp
                  ^
% Invalid input detected at '^' marker.

mercrouter#
*Jan  6 01:09:48.583: ISAKMP (0): received packet from 65.51.119.2 dport 500 sport 19949 Global (N) NEW SA
*Jan  6 01:09:48.583: ISAKMP: Created a peer struct for 65.51.119.2, peer port 19949
*Jan  6 01:09:48.583: ISAKMP: New peer created peer = 0x864CA72C peer_handle = 0x80000006
*Jan  6 01:09:48.583: ISAKMP: Locking peer struct 0x864CA72C, refcount 1 for crypto_isakmp_process_block
*Jan  6 01:09:48.583: ISAKMP:(0):Setting client config settings 84B9D4C8
*Jan  6 01:09:48.583: ISAKMP:(0):(Re)Setting client xauth list  and state
*Jan  6 01:09:48.583: ISAKMP/xauth: initializing AAA request
*Jan  6 01:09:48.583: ISAKMP: local port 500, remote port 19949
*Jan  6 01:09:48.583: ISAKMP:(0):insert sa successfully sa = 85D0C458
*Jan  6 01:09:48.583: ISAKMP:(0): processing SA payload. message ID = 0
*Jan  6 01:09:48.583: ISAKMP:(0): processing ID payload. message ID = 0
*Jan  6 01:09:48.583: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : mercdecember
        protocol     : 17
        port         : 500
        length       : 20
*Jan  6 01:09:48.583: ISAKMP:(0):: peer matches *none* of the profiles
*Jan  6 01:09:48.583: ISAKMP:(0): processing vendor id payload
*Jan  6 01:09:48.583: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Jan  6 01:09:48.583: ISAKMP:(0): vendor ID is XAUTH
*Jan  6 01:09:48.583: ISAKMP:(0): processing vendor id payload
*Jan  6 01:09:48.583: ISAKMP:(0): vendor ID is DPD
*Jan  6 01:09:48.583: ISAKMP:(0): processing vendor id payload
*Jan  6 01:09:48.583: ISAKMP:(0): processing IKE frag vendor id payload
*Jan  6 01:09:48.583: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jan  6 01:09:48.583: ISAKMP:(0): processing vendor id payload
*Jan  6 01:09:48.583: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan  6 01:09:48.587: ISAKMP:(0): vendor ID is NAT-T v2
*Jan  6 01:09:48.587: ISAKMP:(0): processing vendor id payload
*Jan  6 01:09:48.587: ISAKMP:(0): vendor ID is Unity
*Jan  6 01:09:48.587: ISAKMP:(0): Authentication by xauth preshared
*Jan  6 01:09:48.587: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
*Jan  6 01:09:48.587: ISAKMP:      encryption AES-CBC
*Jan  6 01:09:48.587: ISAKMP:      hash SHA
*Jan  6 01:09:48.587: ISAKMP:      default group 2
*Jan  6 01:09:48.587: ISAKMP:      auth XAUTHInitPreShared
*Jan  6 01:09:48.587: ISAKMP:      life type in seconds
*Jan  6 01:09:48.587: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.587: ISAKMP:      keylength of 256
*Jan  6 01:09:48.587: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.587: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.587: ISAKMP:(0):Checking ISAKMP transform 2 against priority 3 policy
*Jan  6 01:09:48.587: ISAKMP:      encryption AES-CBC
*Jan  6 01:09:48.587: ISAKMP:      hash MD5
*Jan  6 01:09:48.587: ISAKMP:      default group 2
*Jan  6 01:09:48.587: ISAKMP:      auth XAUTHInitPreShared
*Jan  6 01:09:48.587: ISAKMP:      life type in seconds
*Jan  6 01:09:48.587: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.587: ISAKMP:      keylength of 256
*Jan  6 01:09:48.587: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.587: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.587: ISAKMP:(0):Checking ISAKMP transform 3 against priority 3 policy
*Jan  6 01:09:48.587: ISAKMP:      encryption AES-CBC
*Jan  6 01:09:48.587: ISAKMP:      hash SHA
*Jan  6 01:09:48.587: ISAKMP:      default group 2
*Jan  6 01:09:48.587: ISAKMP:      auth pre-share
*Jan  6 01:09:48.587: ISAKMP:      life type in seconds
*Jan  6 01:09:48.587: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.587: ISAKMP:      keylength of 256
*Jan  6 01:09:48.587: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.587: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.587: ISAKMP:(0):Checking ISAKMP transform 4 against priority 3 policy
*Jan  6 01:09:48.587: ISAKMP:      encryption AES-CBC
*Jan  6 01:09:48.587: ISAKMP:      hash MD5
*Jan  6 01:09:48.587: ISAKMP:      default group 2
*Jan  6 01:09:48.587: ISAKMP:      auth pre-share
*Jan  6 01:09:48.587: ISAKMP:      life type in seconds
*Jan  6 01:09:48.587: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.587: ISAKMP:      keylength of 256
*Jan  6 01:09:48.587: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.587: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.587: ISAKMP:(0):Checking ISAKMP transform 5 against priority 3 policy
*Jan  6 01:09:48.587: ISAKMP:      encryption AES-CBC
*Jan  6 01:09:48.587: ISAKMP:      hash SHA
*Jan  6 01:09:48.587: ISAKMP:      default group 2
*Jan  6 01:09:48.587: ISAKMP:      auth XAUTHInitPreShared
*Jan  6 01:09:48.587: ISAKMP:      life type in seconds
*Jan  6 01:09:48.587: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.587: ISAKMP:      keylength of 128
*Jan  6 01:09:48.587: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.587: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.587: ISAKMP:(0):Checking ISAKMP transform 6 against priority 3 policy
*Jan  6 01:09:48.587: ISAKMP:      encryption AES-CBC
*Jan  6 01:09:48.587: ISAKMP:      hash MD5
*Jan  6 01:09:48.587: ISAKMP:      default group 2
*Jan  6 01:09:48.587: ISAKMP:      auth XAUTHInitPreShared
*Jan  6 01:09:48.587: ISAKMP:      life type in seconds
*Jan  6 01:09:48.587: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.587: ISAKMP:      keylength of 128
*Jan  6 01:09:48.587: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.587: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.587: ISAKMP:(0):Checking ISAKMP transform 7 against priority 3 policy
*Jan  6 01:09:48.587: ISAKMP:      encryption AES-CBC
*Jan  6 01:09:48.587: ISAKMP:      hash SHA
*Jan  6 01:09:48.587: ISAKMP:      default group 2
*Jan  6 01:09:48.587: ISAKMP:      auth pre-share
*Jan  6 01:09:48.587: ISAKMP:      life type in seconds
*Jan  6 01:09:48.587: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.591: ISAKMP:      keylength of 128
*Jan  6 01:09:48.591: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.591: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.591: ISAKMP:(0):Checking ISAKMP transform 8 against priority 3 policy
*Jan  6 01:09:48.591: ISAKMP:      encryption AES-CBC
*Jan  6 01:09:48.591: ISAKMP:      hash MD5
*Jan  6 01:09:48.591: ISAKMP:      default group 2
*Jan  6 01:09:48.591: ISAKMP:      auth pre-share
*Jan  6 01:09:48.591: ISAKMP:      life type in seconds
*Jan  6 01:09:48.591: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.591: ISAKMP:      keylength of 128
*Jan  6 01:09:48.591: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.591: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.591: ISAKMP:(0):Checking ISAKMP transform 9 against priority 3 policy
*Jan  6 01:09:48.591: ISAKMP:      encryption 3DES-CBC
*Jan  6 01:09:48.591: ISAKMP:      hash SHA
*Jan  6 01:09:48.591: ISAKMP:      default group 2
*Jan  6 01:09:48.591: ISAKMP:      auth XAUTHInitPreShared
*Jan  6 01:09:48.591: ISAKMP:      life type in seconds
*Jan  6 01:09:48.591: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.591: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.591: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.591: ISAKMP:(0):Checking ISAKMP transform 10 against priority 3 policy
*Jan  6 01:09:48.591: ISAKMP:      encryption 3DES-CBC
*Jan  6 01:09:48.591: ISAKMP:      hash MD5
*Jan  6 01:09:48.591: ISAKMP:      default group 2
*Jan  6 01:09:48.591: ISAKMP:      auth XAUTHInitPreShared
*Jan  6 01:09:48.591: ISAKMP:      life type in seconds
*Jan  6 01:09:48.591: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.591: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.591: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.591: ISAKMP:(0):Checking ISAKMP transform 11 against priority 3 policy
*Jan  6 01:09:48.591: ISAKMP:      encryption 3DES-CBC
*Jan  6 01:09:48.591: ISAKMP:      hash SHA
*Jan  6 01:09:48.591: ISAKMP:      default group 2
*Jan  6 01:09:48.591: ISAKMP:      auth pre-share
*Jan  6 01:09:48.591: ISAKMP:      life type in seconds
*Jan  6 01:09:48.591: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.591: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.591: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.591: ISAKMP:(0):Checking ISAKMP transform 12 against priority 3 policy
*Jan  6 01:09:48.591: ISAKMP:      encryption 3DES-CBC
*Jan  6 01:09:48.591: ISAKMP:      hash MD5
*Jan  6 01:09:48.591: ISAKMP:      default group 2
*Jan  6 01:09:48.591: ISAKMP:      auth pre-share
*Jan  6 01:09:48.591: ISAKMP:      life type in seconds
*Jan  6 01:09:48.591: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.591: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  6 01:09:48.591: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.591: ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy
*Jan  6 01:09:48.591: ISAKMP:      encryption DES-CBC
*Jan  6 01:09:48.591: ISAKMP:      hash MD5
*Jan  6 01:09:48.591: ISAKMP:      default group 2
*Jan  6 01:09:48.591: ISAKMP:      auth XAUTHInitPreShared
*Jan  6 01:09:48.591: ISAKMP:      life type in seconds
*Jan  6 01:09:48.591: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.591: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jan  6 01:09:48.591: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  6 01:09:48.591: ISAKMP:(0):Checking ISAKMP transform 14 against priority 3 policy
*Jan  6 01:09:48.591: ISAKMP:      encryption DES-CBC
*Jan  6 01:09:48.591: ISAKMP:      hash MD5
*Jan  6 01:09:48.591: ISAKMP:      default group 2
*Jan  6 01:09:48.591: ISAKMP:      auth pre-share
*Jan  6 01:09:48.591: ISAKMP:      life type in seconds
*Jan  6 01:09:48.591: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  6 01:09:48.591: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jan  6 01:09:48.591: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jan  6 01:09:48.591: ISAKMP:(0):no offers accepted!
*Jan  6 01:09:48.591: ISAKMP:(0): phase 1 SA policy not acceptable! (local 71.183.105.239 remote 65.51.119.2)
*Jan  6 01:09:48.591: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Jan  6 01:09:48.591: ISAKMP:(0): Failed to construct AG informational message.
*Jan  6 01:09:48.591: ISAKMP:(0): sending packet to 65.51.119.2 my_port 500 peer_port 19949 (R) AG_NO_STATE
*Jan  6 01:09:48.591: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan  6 01:09:48.591: ISAKMP:(0):peer does not do paranoid keepalives.

*Jan  6 01:09:48.591: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 65.51.119.2)
*Jan  6 01:09:48.591: ISAKMP:(0): processing KE payload. message ID = 0
*Jan  6 01:09:48.591: ISAKMP:(0): group size changed! Should be 0, is 128
*Jan  6 01:09:48.591: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Jan  6 01:09:48.591: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
*Jan  6 01:09:48.591: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jan  6 01:09:48.591: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

*Jan  6 01:09:48.591: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 65.51.119.2
*Jan  6 01:09:48.591: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 65.51.119.2)
*Jan  6 01:09:48.591: ISAKMP: Unlocking peer struct 0x864CA72C for isadb_mark_sa_deleted(), count 0
*Jan  6 01:09:48.595: ISAKMP: Deleting peer node by peer_reap for 65.51.119.2: 864CA72C
*Jan  6 01:09:48.595: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan  6 01:09:48.595: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

*Jan  6 01:09:53.683: ISAKMP (0): received packet from 65.51.119.2 dport 500 sport 19949 Global (R) MM_NO_STATE
*Jan  6 01:09:58.767: ISAKMP (0): received packet from 65.51.119.2 dport 500 sport 19949 Global (R) MM_NO_STATE
*Jan  6 01:10:03.835: ISAKMP (0): received packet from 65.51.119.2 dport 500 sport 19949 Global (R) MM_NO_STATE
*Jan  6 01:10:48.595: ISAKMP:(0):purging SA., sa=85D0C458, delme=85D0C458
 
JDLoanerCommented:
Hmmm... well, it's clearly a policy mismatch with your client. What client are you using to connect with?

Please paste the settings of the client as well as the newest copy of your running config.

Thanks.
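The debug lines above are IOS comparing each proposal in the client's SA payload against "crypto isakmp policy 3", one attribute at a time, and giving up only after the last one fails. Anything left out of a policy takes the IOS default (DES, SHA, RSA signatures, DH group 1, 86400 s), so a policy with no "encryption" line is a DES policy and rejects every AES and 3DES proposal, which is exactly what the output shows for transforms 1 through 12; the two DES proposals (13 and 14) were then rejected on the hash. The script below is an added example, not from the thread: it parses a constructed excerpt in the same debug format (timestamps trimmed) and replays the IOS comparison for a policy given as a dictionary, defaults included, so the effect of adding or omitting a policy line can be checked offline before touching the router. That XAUTH pre-shared proposals are accepted by a "pre-share" policy follows from the later debug output on this page, where transform 10 (3DES, MD5, XAUTHInitPreShared) is accepted; the mapping of AES key lengths onto the "aes", "aes 192" and "aes 256" keywords is the usual IOS one.

```python
"""Replay the attribute-by-attribute check IOS logs as 'Checking ISAKMP transform
N against priority P policy'.  Added example; not code from the thread above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values a 'crypto isakmp policy' uses for any line that is omitted.
IOS_POLICY_DEFAULTS = {"encryption": "des", "hash": "sha",
                       "authentication": "rsa-sig", "group": 1}
# Offered (cipher, keylength) -> IOS 'encryption' keyword it corresponds to.
_ENC_KEYWORD = {("DES-CBC", None): "des", ("3DES-CBC", None): "3des",
                ("AES-CBC", 128): "aes", ("AES-CBC", 192): "aes 192",
                ("AES-CBC", 256): "aes 256"}
# Proposal auth methods a policy keyword accepts; the Unity client's XAUTH
# variants match the plain keyword (see transform 10 in the later debug).
_AUTH_OK = {"pre-share": {"pre-share", "XAUTHInitPreShared"},
            "rsa-sig": {"rsa-sig", "XAUTHInitRSA"}}
# first word of a debug attribute line -> (field, index of the value, converter)
_FIELDS = {"encryption": ("encryption", 1, str), "hash": ("hash", 1, str),
           "default": ("group", 2, int), "auth": ("auth", 1, str),
           "keylength": ("keylength", 2, int)}


@dataclass
class Transform:
    number: int
    encryption: str = ""
    hash: str = ""
    group: int = 0
    auth: str = ""
    keylength: Optional[int] = None   # only present in AES offers


def parse_debug(text: str) -> List[Transform]:
    """Extract every transform block from 'debug crypto isakmp' output."""
    transforms: List[Transform] = []
    cur: Optional[Transform] = None
    for line in text.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against", line)
        if m:
            cur = Transform(int(m.group(1)))
            transforms.append(cur)
        elif cur is not None and "ISAKMP:" in line:
            words = line.split("ISAKMP:", 1)[1].split()
            if words and words[0] in _FIELDS:      # 'life ...' lines are skipped
                field, idx, conv = _FIELDS[words[0]]
                setattr(cur, field, conv(words[idx]))
    return transforms


def check(policy: Dict, t: Transform) -> Optional[str]:
    """None if the offer is acceptable, else the mismatch IOS reports (IOS order)."""
    p = {**IOS_POLICY_DEFAULTS, **policy}
    if _ENC_KEYWORD.get((t.encryption, t.keylength)) != p["encryption"]:
        return "Encryption algorithm offered does not match policy!"
    if t.hash.lower() != p["hash"]:
        return "Hash algorithm offered does not match policy!"
    if t.auth not in _AUTH_OK.get(p["authentication"], {p["authentication"]}):
        return "Authentication method offered does not match policy!"
    if t.group != p["group"]:
        return "Diffie-Hellman group offered does not match policy!"
    return None   # lifetime never rejects an offer: the shorter value is used


def negotiate(policy: Dict, transforms: List[Transform]) -> Tuple[Optional[int], List[str]]:
    """First acceptable transform number (None if none) plus the per-offer log."""
    log = []
    for t in transforms:
        reason = check(policy, t)
        log.append(f"transform {t.number}: {reason or 'atts are acceptable'}")
        if reason is None:
            return t.number, log
    log.append("no offers accepted!")
    return None, log


# Constructed excerpt in the format of the output above (three of the Cisco VPN
# Client's fourteen proposals, timestamps dropped).
SAMPLE_DEBUG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:      keylength of 256
ISAKMP:(0):Checking ISAKMP transform 10 against priority 3 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
"""

if __name__ == "__main__":
    posted = {"hash": "md5", "authentication": "pre-share", "group": 2}  # no 'encryption' line
    for pol in (posted, {**posted, "encryption": "3des"}, {**posted, "hash": "sha"}):
        print(pol, negotiate(pol, parse_debug(SAMPLE_DEBUG)))
```

With the policy exactly as posted (no encryption line, so DES) the script accepts the DES/MD5 proposal; with "hash sha" added and still no encryption line it rejects all three, the last one on the hash, as in the debug output; with "encryption 3des" it accepts transform 10. The real output from "debug crypto isakmp" can be pasted in place of the sample.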
 
mmercaldiAuthor Commented:
Cisco VPN Client 5.0

Group name: mercdecember
Password: merc84
Confirm password
I also tried the lowest and the highest encryption just to be sure.
User Access Verification

Username: mercxi
Password:

mercrouter>en
Password:
mercrouter#sh run
Building configuration...

Current configuration : 3594 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mercrouter
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$3IVE$Buf6q0hpsbncIOq56OcYs1
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
!
ip source-route
!
!
!
ip dhcp pool DATA
   network 50.0.0.0 255.255.255.0
   dns-server 50.0.0.1 4.2.2.2
   default-router 50.0.0.1
!
!
ip cef
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ddns update method DynDNS
 HTTP
  add http://mercxi:merc84<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 10 0 0 0
 interval minimum 2 0 0 0
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn FTX1251Z0GX
license boot module c880-data level advipservices
!
!
username mercxi privilege 15 secret 5 $1$59zx$jW/LjS4Vmt12CO0NKlbdo1
!
!
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group mercdecember
 key merc84
 pool ippool
 acl 108
!
!
crypto ipsec transform-set mytransformset esp-aes esp-sha-hmac
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap client authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 50
 !
!
interface FastEthernet1
 switchport access vlan 50
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 ip ddns update hostname mercxi.kicks-ass.net
 ip ddns update DynDNS host members.dyndns.org
 ip address dhcp
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
 !
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 55.0.0.1 255.255.255.0
 arp timeout 0
 !
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport access vlan 50
 !
!
interface Vlan1
 no ip address
 !
!
interface Vlan50
 ip address 50.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
ip local pool ippool 60.0.0.1 60.0.0.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 50.0.0.100 3074 interface FastEthernet4 3074
ip nat inside source static udp 50.0.0.100 3074 interface FastEthernet4 3074
ip nat inside source static udp 50.0.0.100 88 interface FastEthernet4 88
ip nat inside source route-map DATA interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 10 permit 50.0.0.0 0.0.0.255
access-list 101 deny   ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
access-list 101 permit ip 50.0.0.0 0.0.0.255 any
access-list 102 permit tcp host 204.13.248.112 eq www any log
access-list 102 permit ip any any
access-list 108 permit ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
!
!
!
!
route-map DATA permit 10
 match ip address 101
!
!
control-plane
 !
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 password merc84
!
scheduler max-task-time 5000
end

mercrouter#


 
mmercaldiAuthor Commented:
anyone have any ideas?
 
JDLoanerCommented:
Not sure exactly what part is causing this. I think I see a crypto map missing, and I'm not sure you have your encryption/hash defined correctly in the ISAKMP policy and the transform set. Maybe try clearing them out and using this; I think I got it all in there.

--------------------
! Phase 1: every attribute here (encryption, hash, authentication, group)
! must be offered by the client; hash is omitted and so defaults to SHA.
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 600

! The authorization list named on the crypto map below must exist as an
! AAA network authorization list, or the group key lookup never happens.
aaa authorization network remoteAC local
crypto isakmp client configuration group remoteAC
 key **KEY**
 dns 192.x.x.x
 pool DATA
! 'pool DATA' needs a matching 'ip local pool DATA <first> <last>'.

crypto ipsec transform-set RAvpn esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400

crypto dynamic-map dynmap 1
 set transform-set RAvpn
 reverse-route

! The authorization and client configuration commands attach to the static
! map applied to the interface (clientmap), not to the dynamic map.
crypto map clientmap isakmp authorization list remoteAC
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap


 
mmercaldiAuthor Commented:
I basically reconfigured my router and got the same error until I put in the encryption method.
Below is my new config and the new error that I am getting when I debug:
mercrouter(config)#
*Jan  7 14:38:31.636: ISAKMP:(0):purging SA., sa=8723F254, delme=8723F254
*Jan  7 14:39:39.908: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 26603 Global (N) NEW SA
*Jan  7 14:39:39.908: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 26603
*Jan  7 14:39:39.908: ISAKMP: New peer created peer = 0x8604BC8C peer_handle = 0x80000007
*Jan  7 14:39:39.908: ISAKMP: Locking peer struct 0x8604BC8C, refcount 1 for crypto_isakmp_process_block
*Jan  7 14:39:39.908: ISAKMP:(0):Setting client config settings 84D436C8
*Jan  7 14:39:39.908: ISAKMP:(0):(Re)Setting client xauth list  and state
*Jan  7 14:39:39.908: ISAKMP/xauth: initializing AAA request
*Jan  7 14:39:39.908: ISAKMP: local port 500, remote port 26603
*Jan  7 14:39:39.908: ISAKMP:(0):insert sa successfully sa = 8606EB4C
*Jan  7 14:39:39.908: ISAKMP:(0): processing SA payload. message ID = 0
*Jan  7 14:39:39.908: ISAKMP:(0): processing ID payload. message ID = 0
*Jan  7 14:39:39.908: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : mercdecember
        protocol     : 17
        port         : 500
        length       : 20
*Jan  7 14:39:39.908: ISAKMP:(0):: peer matches *none* of the profiles
*Jan  7 14:39:39.908: ISAKMP:(0): processing vendor id payload
*Jan  7 14:39:39.908: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Jan  7 14:39:39.908: ISAKMP:(0): vendor ID is XAUTH
*Jan  7 14:39:39.908: ISAKMP:(0): processing vendor id payload
*Jan  7 14:39:39.908: ISAKMP:(0): vendor ID is DPD
*Jan  7 14:39:39.908: ISAKMP:(0): processing vendor id payload
*Jan  7 14:39:39.908: ISAKMP:(0): processing IKE frag vendor id payload
*Jan  7 14:39:39.908: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jan  7 14:39:39.908: ISAKMP:(0): processing vendor id payload
*Jan  7 14:39:39.908: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan  7 14:39:39.908: ISAKMP:(0): vendor ID is NAT-T v2
*Jan  7 14:39:39.908: ISAKMP:(0): processing vendor id payload
*Jan  7 14:39:39.908: ISAKMP:(0): vendor ID is Unity
*Jan  7 14:39:39.908: ISAKMP:(0): Authentication by xauth preshared
*Jan  7 14:39:39.908: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
*Jan  7 14:39:39.908: ISAKMP:      encryption AES-CBC
*Jan  7 14:39:39.908: ISAKMP:      hash SHA
*Jan  7 14:39:39.908: ISAKMP:      default group 2
*Jan  7 14:39:39.908: ISAKMP:      auth XAUTHInitPreShared
*Jan  7 14:39:39.908: ISAKMP:      life type in seconds
*Jan  7 14:39:39.908: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.908: ISAKMP:      keylength of 256
*Jan  7 14:39:39.908: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  7 14:39:39.908: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Checking ISAKMP transform 2 against priority 3 policy
*Jan  7 14:39:39.912: ISAKMP:      encryption AES-CBC
*Jan  7 14:39:39.912: ISAKMP:      hash MD5
*Jan  7 14:39:39.912: ISAKMP:      default group 2
*Jan  7 14:39:39.912: ISAKMP:      auth XAUTHInitPreShared
*Jan  7 14:39:39.912: ISAKMP:      life type in seconds
*Jan  7 14:39:39.912: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.912: ISAKMP:      keylength of 256
*Jan  7 14:39:39.912: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  7 14:39:39.912: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Checking ISAKMP transform 3 against priority 3 policy
*Jan  7 14:39:39.912: ISAKMP:      encryption AES-CBC
*Jan  7 14:39:39.912: ISAKMP:      hash SHA
*Jan  7 14:39:39.912: ISAKMP:      default group 2
*Jan  7 14:39:39.912: ISAKMP:      auth pre-share
*Jan  7 14:39:39.912: ISAKMP:      life type in seconds
*Jan  7 14:39:39.912: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.912: ISAKMP:      keylength of 256
*Jan  7 14:39:39.912: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  7 14:39:39.912: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Checking ISAKMP transform 4 against priority 3 policy
*Jan  7 14:39:39.912: ISAKMP:      encryption AES-CBC
*Jan  7 14:39:39.912: ISAKMP:      hash MD5
*Jan  7 14:39:39.912: ISAKMP:      default group 2
*Jan  7 14:39:39.912: ISAKMP:      auth pre-share
*Jan  7 14:39:39.912: ISAKMP:      life type in seconds
*Jan  7 14:39:39.912: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.912: ISAKMP:      keylength of 256
*Jan  7 14:39:39.912: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  7 14:39:39.912: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Checking ISAKMP transform 5 against priority 3 policy
*Jan  7 14:39:39.912: ISAKMP:      encryption AES-CBC
*Jan  7 14:39:39.912: ISAKMP:      hash SHA
*Jan  7 14:39:39.912: ISAKMP:      default group 2
*Jan  7 14:39:39.912: ISAKMP:      auth XAUTHInitPreShared
*Jan  7 14:39:39.912: ISAKMP:      life type in seconds
*Jan  7 14:39:39.912: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.912: ISAKMP:      keylength of 128
*Jan  7 14:39:39.912: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  7 14:39:39.912: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Checking ISAKMP transform 6 against priority 3 policy
*Jan  7 14:39:39.912: ISAKMP:      encryption AES-CBC
*Jan  7 14:39:39.912: ISAKMP:      hash MD5
*Jan  7 14:39:39.912: ISAKMP:      default group 2
*Jan  7 14:39:39.912: ISAKMP:      auth XAUTHInitPreShared
*Jan  7 14:39:39.912: ISAKMP:      life type in seconds
*Jan  7 14:39:39.912: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.912: ISAKMP:      keylength of 128
*Jan  7 14:39:39.912: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  7 14:39:39.912: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Checking ISAKMP transform 7 against priority 3 policy
*Jan  7 14:39:39.912: ISAKMP:      encryption AES-CBC
*Jan  7 14:39:39.912: ISAKMP:      hash SHA
*Jan  7 14:39:39.912: ISAKMP:      default group 2
*Jan  7 14:39:39.912: ISAKMP:      auth pre-share
*Jan  7 14:39:39.912: ISAKMP:      life type in seconds
*Jan  7 14:39:39.912: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.912: ISAKMP:      keylength of 128
*Jan  7 14:39:39.912: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  7 14:39:39.912: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Checking ISAKMP transform 8 against priority 3 policy
*Jan  7 14:39:39.912: ISAKMP:      encryption AES-CBC
*Jan  7 14:39:39.912: ISAKMP:      hash MD5
*Jan  7 14:39:39.912: ISAKMP:      default group 2
*Jan  7 14:39:39.912: ISAKMP:      auth pre-share
*Jan  7 14:39:39.912: ISAKMP:      life type in seconds
*Jan  7 14:39:39.912: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.912: ISAKMP:      keylength of 128
*Jan  7 14:39:39.912: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jan  7 14:39:39.912: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Checking ISAKMP transform 9 against priority 3 policy
*Jan  7 14:39:39.912: ISAKMP:      encryption 3DES-CBC
*Jan  7 14:39:39.912: ISAKMP:      hash SHA
*Jan  7 14:39:39.912: ISAKMP:      default group 2
*Jan  7 14:39:39.912: ISAKMP:      auth XAUTHInitPreShared
*Jan  7 14:39:39.912: ISAKMP:      life type in seconds
*Jan  7 14:39:39.912: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.912: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jan  7 14:39:39.912: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Checking ISAKMP transform 10 against priority 3 policy
*Jan  7 14:39:39.912: ISAKMP:      encryption 3DES-CBC
*Jan  7 14:39:39.912: ISAKMP:      hash MD5
*Jan  7 14:39:39.912: ISAKMP:      default group 2
*Jan  7 14:39:39.912: ISAKMP:      auth XAUTHInitPreShared
*Jan  7 14:39:39.912: ISAKMP:      life type in seconds
*Jan  7 14:39:39.912: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan  7 14:39:39.912: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jan  7 14:39:39.912: ISAKMP:(0):Acceptable atts:actual life: 86400
*Jan  7 14:39:39.912: ISAKMP:(0):Acceptable atts:life: 0
*Jan  7 14:39:39.912: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jan  7 14:39:39.912: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Jan  7 14:39:39.912: ISAKMP:(0):Returning Actual lifetime: 86400
*Jan  7 14:39:39.912: ISAKMP:(0)::Started lifetime timer: 86400.

*Jan  7 14:39:39.912: ISAKMP:(0): processing KE payload. message ID = 0
*Jan  7 14:39:39.944: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan  7 14:39:39.944: ISAKMP:(0): vendor ID is NAT-T v2
*Jan  7 14:39:39.944: ISAKMP:(0):peer does not do paranoid keepalives.

*Jan  7 14:39:39.944: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer XXX.XXX.XXX.XXX)
*Jan  7 14:39:39.944: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
*Jan  7 14:39:39.944: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jan  7 14:39:39.944: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

*Jan  7 14:39:39.944: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at XXX.XXX.XXX.XXX
*Jan  7 14:39:39.944: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer XXX.XXX.XXX.XXX)
*Jan  7 14:39:39.944: ISAKMP: Unlocking peer struct 0x8604BC8C for isadb_mark_sa_deleted(), count 0
*Jan  7 14:39:39.944: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.XXX: 8604BC8C
*Jan  7 14:39:39.944: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan  7 14:39:39.944: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

*Jan  7 14:39:45.336: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 26603 Global (R) MM_NO_STATE
*Jan  7 14:39:50.408: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 26603 Global (R) MM_NO_STATE
*Jan  7 14:39:55.476: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 26603 Global (R) MM_NO_STATE
*Jan  7 14:40:39.944: ISAKMP:(0):purging SA., sa=8606EB4C, delme=8606EB4C

mercrouter(config)#do sh run
Building configuration...

Current configuration : 3198 bytes
!
! Last configuration change at 14:33:22 UTC Thu Jan 7 2010 by mercxi
!
version 15.0
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mercrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$5dw1$U5uMfnkpX1oU2Ksz5GvWB0
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
!
ip source-route
!
!
!
ip dhcp pool DATA
   network 50.0.0.0 255.255.255.0
   dns-server 50.0.0.1 4.2.2.2
   default-router 50.0.0.1
!
!
ip cef
ip name-server 4.2.2.1
ip name-server 4.2.2.2
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn FTX1251Z0GX
license boot module c880-data level advipservices
!
!
username mercxi privilege 15 secret 5 $1$oc/Z$ifBjqktNFq7dZCxP3Jq9Z.
!
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group mercdecember
 key merc84
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthen
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 50
 !
!
interface FastEthernet1
 switchport access vlan 50
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
 !
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 55.0.0.1 255.255.255.0
 arp timeout 0
 !
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport access vlan 50
 !
!
interface Vlan1
 no ip address
 shutdown
 !
!
interface Vlan50
 ip address 50.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
ip local pool ippool 60.0.0.5 60.0.0.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source static udp 50.0.0.100 88 interface FastEthernet4 88
ip nat inside source static udp 50.0.0.100 3074 interface FastEthernet4 3074
ip nat inside source static tcp 50.0.0.100 3074 interface FastEthernet4 3074
ip nat inside source route-map DATA interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 101 deny   ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
access-list 101 permit ip 50.0.0.0 0.0.0.255 any
access-list 108 permit ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
!
!
!
!
route-map DATA permit 10
 match ip address 101
!
!
control-plane
 !
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 password merc84
!
scheduler max-task-time 5000
end


mmercaldiAuthor Commented:
Never mind, it works. I misspelled my network authorization, lol.
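The running config above shows the mismatch the author is referring to: the AAA list is defined as `aaa authorization network groupauthor local`, but the crypto map refers to it as `crypto map clientmap isakmp authorization list groupauthen`. IOS accepts the crypto map line as written, so the typo only surfaces as a failed Phase 1 with the client never being prompted. The checker below is an added example written for this thread, not Cisco's or the author's code; it cross-references the names a crypto map, ISAKMP client group, dynamic map and interface point at against the names actually defined, and suggests the closest defined name. The embedded config is a trimmed copy of the relevant lines of the running config shown above, with the typo left in place.

```python
"""Dangling-reference check for an IOS crypto-map / AAA configuration.

Added example (not Cisco's code). Two passes over a running config:
first collect every name that is *defined*, then report every name that
is *referenced* by a crypto map, ISAKMP client group, dynamic map or
interface but never defined. The sample is a trimmed copy of the running
config from the thread above; 'groupauthen' is the real typo.
"""
import difflib
import re
from typing import Dict, List, Set

# Trimmed copy of the thread's running config (typo intentionally kept).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp client configuration group mercdecember
 pool ippool
 acl 108
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthen
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet4
 crypto map clientmap
ip local pool ippool 60.0.0.5 60.0.0.10
access-list 108 permit ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
"""

# (kind, pattern) -- global commands that define a name of that kind.
DEFINITIONS = [
    ("aaa-login",     re.compile(r"^aaa authentication login (\S+)")),
    ("aaa-network",   re.compile(r"^aaa authorization network (\S+)")),
    ("pool",          re.compile(r"^ip local pool (\S+)")),
    ("acl",           re.compile(r"^access-list (\d+)")),
    ("acl",           re.compile(r"^ip access-list \S+ (\S+)")),
    ("dynamic-map",   re.compile(r"^crypto dynamic-map (\S+) \d+")),
    ("transform-set", re.compile(r"^crypto ipsec transform-set (\S+)")),
    ("crypto-map",    re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp")),
]

# (kind, pattern, required parent command) -- lines that *use* a name.
# The parent is the last non-indented line, so sub-mode lines such as
# " pool ippool" are only matched inside the right configuration block.
REFERENCES = [
    ("aaa-login",     re.compile(r"^crypto map \S+ client authentication list (\S+)"), None),
    ("aaa-network",   re.compile(r"^crypto map \S+ isakmp authorization list (\S+)"), None),
    ("dynamic-map",   re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"), None),
    ("pool",          re.compile(r"^ pool (\S+)"), "crypto isakmp client configuration group"),
    ("acl",           re.compile(r"^ acl (\S+)"), "crypto isakmp client configuration group"),
    ("transform-set", re.compile(r"^ set transform-set (\S+)"), "crypto dynamic-map"),
    ("crypto-map",    re.compile(r"^ crypto map (\S+)"), "interface "),
]


def collect_definitions(config: str) -> Dict[str, Set[str]]:
    """Pass 1: every defined name, grouped by kind."""
    defined: Dict[str, Set[str]] = {}
    for line in config.splitlines():
        for kind, rx in DEFINITIONS:
            m = rx.match(line)
            if m:
                defined.setdefault(kind, set()).add(m.group(1))
    return defined


def find_dangling_references(config: str) -> List[dict]:
    """Pass 2: references whose target was never defined (with a guess)."""
    defined = collect_definitions(config)
    parent = ""
    missing: List[dict] = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if line and not line.startswith(" "):
            parent = line  # entering a new top-level command / sub-mode
        for kind, rx, context in REFERENCES:
            m = rx.match(line)
            if not m or (context is not None and not parent.startswith(context)):
                continue
            name = m.group(1)
            known = sorted(defined.get(kind, ()))
            if name not in known:
                close = difflib.get_close_matches(name, known, n=1)
                missing.append({"line": lineno, "kind": kind, "name": name,
                                "defined": known,
                                "suggestion": close[0] if close else None})
    return missing


if __name__ == "__main__":
    for problem in find_dangling_references(SAMPLE_CONFIG):
        print(f"line {problem['line']}: {problem['kind']} '{problem['name']}' is never "
              f"defined (defined: {problem['defined']}; did you mean "
              f"{problem['suggestion']!r}?)")
```

Run against the sample it reports a single problem, the `groupauthen` reference on the `isakmp authorization list` line, and suggests `groupauthor`; with that one word corrected it reports nothing. The same two-pass shape extends to any other name-by-reference pair in IOS (ISAKMP profiles, keyrings, class maps), which is why the definition and reference tables are data rather than code.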
