Solved

Cisco VPN Crypto Map

Posted on 2011-02-22
27
2,186 Views
Last Modified: 2012-05-11
I am having trouble adding a new IPSec VPN to a Cisco 1712 router. There is currently a site-to-site VPN with an existing crypto map assigned to the external interface f0. Below is the configuration information needed for this. The problem I am having is I cannot get past Phase 1 negotiation. Here is a small snip of the output from a debug on isakmp:
--
Jul 25 01:48:53.071: ISAKMP : Scanning profiles for xauth ...
*Jul 25 01:48:53.071: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 25 01:48:53.071: ISAKMP:      life type in seconds
*Jul 25 01:48:53.071: ISAKMP:      life duration (basic) of 3600
*Jul 25 01:48:53.075: ISAKMP:      encryption AES-CBC
*Jul 25 01:48:53.075: ISAKMP:      keylength of 256
*Jul 25 01:48:53.075: ISAKMP:      auth XAUTHInitPreShared
*Jul 25 01:48:53.075: ISAKMP:      hash SHA
*Jul 25 01:48:53.075: ISAKMP:      default group 2
*Jul 25 01:48:53.075: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Jul 25 01:48:53.075: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
----------

aaa authentication login 2Phase local-case
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip ids po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key A$Cs2sK3y address 65.x.x.x
crypto isakmp key A$Cs2sK3y address 12.x.x.x no-xauth
crypto isakmp keepalive 30 10
!
crypto isakmp client configuration group clientvpn
 key p@ssw0rd
 dns 192.168.40.10 192.168.40.1
 domain xxxx.local
 pool clientvpnpool
 acl 140
!
!
crypto ipsec transform-set s2stunnel esp-3des esp-sha-hmac
crypto ipsec transform-set clientvpn esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set clientvpn
!
!
crypto map ascs2s 10 ipsec-isakmp
 set peer 65.x.x.x
 set transform-set s2stunnel
 match address 120
crypto map ascs2s 140 ipsec-isakmp
 set peer 12.x.x.x
 set security-association lifetime seconds 86400
 set transform-set s2stunnel
 match address Nueterra-KC1
crypto map ascs2s 210 ipsec-isakmp dynamic dynmap
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Tunnel140
 ip address 10.248.40.2 255.255.255.0
 ip tcp adjust-mss 1400
 keepalive 10 3
 tunnel source 10.250.40.1
 tunnel destination 10.250.248.1
!
interface Loopback140
 ip address 10.250.40.1 255.255.255.255
!
interface BRI0
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet0
 description ***xxxxxxxxx***
 ip address 216.x.x.x  255.255.255.248
 ip access-group out-in in
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly
 speed auto
 full-duplex
 no cdp enable
 crypto map ascs2s
!
!
!
!
!
ip local pool clientvpnpool 10.16.20.1 10.16.20.200
!
!
!
ip nat inside source route-map nonatvpn interface FastEthernet0 overload
!
!
!
!
access-list 140 permit ip 192.168.40.0 0.0.0.255 10.16.20.0 0.0.0.255
Question by:mcstechguru1978
27 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 34958249
your logging:

*Jul 25 01:48:53.075: ISAKMP:      encryption AES-CBC
*Jul 25 01:48:53.075: ISAKMP:      keylength of 256

indicates that the other side is sending AES 256, but none of your policies have AES 256

You need to ensure that all phase 1 and phase 2 information matches on both ends.

Billy
0
 
LVL 28

Expert Comment

by:asavener
ID: 34958648
Either you need to add a new isakmp policy using AES 256, or they need to add an isakmp policy that matches one that you have defined.

Try adding these lines:

crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
0
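As an added example (not code from the thread or from Cisco), here is the comparison rfc1180 and asavener describe, scripted: the attributes the peer offered are pulled from the quoted debug lines and checked, lowest priority number first, against the router's policy blocks, so the rejection reason is spelled out per policy and the effect of adding policy 5 can be seen directly. The debug lines and policies 10 and 20 are copied from the question and policy 5 from asavener's comment; the defaults assumed for attributes a policy leaves unset (encr des, hash sha, authentication rsa-sig, group 1) are the standard IOS ones.

```python
import re

# Constructed ISAKMP debug excerpt, modelled on the lines quoted in the question.
DEBUG_LINES = """\
*Jul 25 01:48:53.071: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 25 01:48:53.071: ISAKMP:      life type in seconds
*Jul 25 01:48:53.071: ISAKMP:      life duration (basic) of 3600
*Jul 25 01:48:53.075: ISAKMP:      encryption AES-CBC
*Jul 25 01:48:53.075: ISAKMP:      keylength of 256
*Jul 25 01:48:53.075: ISAKMP:      auth XAUTHInitPreShared
*Jul 25 01:48:53.075: ISAKMP:      hash SHA
*Jul 25 01:48:53.075: ISAKMP:      default group 2
""".splitlines()

# Two of the Phase 1 policies posted in the question, and the one asavener suggested.
EXISTING_POLICIES = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
PROPOSED_POLICY = """\
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
"""

# IOS defaults for attributes a policy leaves unset (assumption: standard ISAKMP
# policy defaults). Lifetime is deliberately not compared: IOS does not reject a
# proposal over lifetime, it uses the shorter of the two values.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1"}
POLICY_FIELDS = {"encr": "encr", "hash": "hash", "authentication": "auth", "group": "group"}

def parse_offer(lines):
    """Reduce the peer's offered attributes (as printed by 'debug crypto isakmp')
    to the vocabulary of the 'crypto isakmp policy' sub-commands."""
    offer = {}
    for line in lines:
        body = line.split("ISAKMP:", 1)[1].strip() if "ISAKMP:" in line else ""
        if body.startswith("encryption "):
            offer["encr"] = body.split()[1].split("-")[0].lower()   # AES-CBC -> aes
        elif body.startswith("keylength of "):
            offer["keylength"] = body.split()[-1]
        elif body.startswith("auth "):
            token = body.split()[1]                                 # e.g. XAUTHInitPreShared
            offer["auth"] = "pre-share" if "pre" in token.lower() else "rsa-sig"
            offer["xauth"] = token.startswith("XAUTH")              # Xauth requested on top of PSK
        elif body.startswith("hash "):
            offer["hash"] = body.split()[1].lower()
        elif body.startswith("default group "):
            offer["group"] = body.split()[-1]
    if offer.get("encr") == "aes" and "keylength" in offer:          # fold key size into 'aes 256'
        offer["encr"] = "aes " + offer["keylength"]
    return offer

def parse_policies(config):
    """Parse 'crypto isakmp policy N' blocks into {priority: attribute dict}."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = dict(POLICY_DEFAULTS)
            policies[int(header.group(1))] = current
        elif current is not None and raw.startswith(" "):
            key, _, value = line.partition(" ")
            if key in POLICY_FIELDS:
                current[POLICY_FIELDS[key]] = "aes 128" if value == "aes" else value
        else:
            current = None      # '!' or another top-level command ends the block
    return policies

def find_match(offer, policies):
    """Walk policies lowest priority number first, as IOS does; return
    (matching priority or None, {priority: why it was rejected})."""
    reasons = {}
    for priority in sorted(policies):
        policy = policies[priority]
        for attr, label in (("encr", "encryption"), ("hash", "hash"),
                            ("auth", "authentication"), ("group", "DH group")):
            if offer.get(attr) != policy[attr]:
                reasons[priority] = f"{label}: offered {offer.get(attr)!r}, policy has {policy[attr]!r}"
                break
        else:
            return priority, reasons
    return None, reasons

if __name__ == "__main__":
    offer = parse_offer(DEBUG_LINES)
    for label, cfg in (("existing", EXISTING_POLICIES), ("with policy 5", EXISTING_POLICIES + PROPOSED_POLICY)):
        matched, reasons = find_match(offer, parse_policies(cfg))
        print(f"{label}: matched policy {matched}; rejected: {reasons}")
```

Run as-is, the existing policies are both rejected on the encryption attribute (the peer offers AES with a 256-bit key, the policies only have 3DES), which is exactly the "Encryption algorithm offered does not match policy!" line in the debug; with policy 5 in place the walk stops at priority 5. Note that a policy match only gets Phase 1 past the proposal check: the later "Xauth authentication by pre-shared key offered but does not match policy!" message in the thread is a different failure that this script does not model.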
 

Author Comment

by:mcstechguru1978
ID: 34962012
I don't think it is the policy; I believe it is on having a dynamic crypto as another line on the existing crypto for site to site. I did have the above policy, no go. I have attached a complete debug on isakmp when attempting to connect.
 Isakmp-Debug.txt
0
 

Author Comment

by:mcstechguru1978
ID: 34962105
I should add, I am using 2 clients to test this connection, Mac OS 10.6.6 using the built in Cisco IPSec client and Win 7 Ultimate using the Cisco IPSec client version 5.0.07.0410.
0
 
LVL 28

Expert Comment

by:asavener
ID: 34962833
*Jul 25 15:07:37.168: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 10 policy
*Jul 25 15:07:37.168: ISAKMP:      life type in seconds
*Jul 25 15:07:37.168: ISAKMP:      life duration (basic) of 3600
*Jul 25 15:07:37.168: ISAKMP:      encryption 3DES-CBC
*Jul 25 15:07:37.168: ISAKMP:      auth XAUTHInitPreShared
*Jul 25 15:07:37.168: ISAKMP:      hash SHA
*Jul 25 15:07:37.168: ISAKMP:      default group 2
*Jul 25 15:07:37.168: ISAKMP:(0:0:N/A:0):Xauth authentication by pre-shared key offered but does not match policy!
It's actually finding a matching policy, but it's failing when it sends the pre-shared key.
0
 
LVL 28

Expert Comment

by:asavener
ID: 34962856
Here's a nice runthrough:  http://www.ciscoblog.com/archives/2006/12/configuring_a_c.html

If you continue having difficulty, I'd suggest that you create a new crypto map with just the dynamic VPN, then you can avoid any interference from the site-to-site VPN configuration.
0
 

Author Comment

by:mcstechguru1978
ID: 34964397
I have been over this several ways trying different transform sets, etc. I will have to get this to work within the existing crypto map, which originally had just the site to site. As far as the pre-shared key, I have checked multiple times and created a new one, still the same outcome. With the pre-shared key failing, that has me going back to the existing crypto map; the dynamic I need applied, I do not think is getting used.
0
 
LVL 28

Expert Comment

by:asavener
ID: 34965376
Yes, that is why you need to eliminate confounding variables.  If it works without the rest of the crypto map, then that tells you something.  If it still doesn't work without the rest of the crypto map, then that tells you something different.
0
 

Author Comment

by:mcstechguru1978
ID: 34965403
I will try that tonight.  Will need to wait until that facility is closed to take down that tunnel to test with a new map.
0
 

Author Comment

by:mcstechguru1978
ID: 34966734
I applied the clientmap crypto directly to the outside interface and get the exact same policy match errors.
0
 

Author Comment

by:mcstechguru1978
ID: 34979645
Well, no go configuring it this way. What about a crypto isakmp profile and a virtual template to get this going? What would be a configuration guide for that?
0
 

Author Comment

by:mcstechguru1978
ID: 34984172
Well I tried going down the profile route, but when I went to configure a virtual template, not all the commands were available to create a tunnel. Any suggestions?
0
 
LVL 28

Expert Comment

by:asavener
ID: 34986152
If you're getting an error with the pre-share key, then there's a problem with your pre-share key.

Make sure you don't have a trailing space; I've seen that mess up a lot of Cisco passwords.  A space is not a valid character for the leading character, but it's a valid character thereafter.
0
 

Author Comment

by:mcstechguru1978
ID: 34987262
I have tried multiple different keys with the same results.
0
 
LVL 28

Expert Comment

by:asavener
ID: 34991342
What IOS version are you running?
0
 

Author Comment

by:mcstechguru1978
ID: 35060852
Sorry for the delay.  Version 12.2(7t)XM4

flash:c1700-k9o3sy7-mz.123-7.XR.bin
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 35061864
Yikes!  That version's ancient... I can't even see it on the list of versions for download.

I've seen IOS upgrades solve a lot of IPSec issues, especially key exchange issues.

I suggest 12.3 at a minimum, preferably 12.4.
0
 
LVL 28

Expert Comment

by:asavener
ID: 35061873
LOL.  12.2(15) is from October of 2003....
0
 

Assisted Solution

by:mcstechguru1978
mcstechguru1978 earned 0 total points
ID: 35061931
Will do.  That was the next step, waiting on smart net renewal.
0
 

LVL 28

Expert Comment

by:asavener
ID: 35158601
Any update?
0
 

Author Comment

by:mcstechguru1978
ID: 35161770
Yes. Sorry. IOS upgrade fixed the problem. I have an ACL problem now. When connected from the client, ICMP traffic to the allowed inside network returns a reply from the outside interface. Thoughts?
0
 
LVL 28

Expert Comment

by:asavener
ID: 35166502
What reply does it receive?

I've seen where the access list on the outside interface needs an entry for the decrypted traffic.

Try inserting the line "permit ip 10.16.20.0 0.0.0.255 any" into your out-in access-list.
0
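As an added example (not code from the thread), a small evaluator of Cisco wildcard-mask access lists shows why a decrypted packet from a client in the 10.16.20.0/24 pool falls through to the implicit deny until the suggested entry is inserted, and what happens if a subnet mask is typed where the wildcard belongs. The out-in entries below are constructed placeholders, since the posted config applies the list to FastEthernet0 but does not show it; 216.0.2.1 stands in for the router's masked public address and 65.0.2.1 for the site-to-site peer.

```python
import ipaddress

# Hypothetical 'out-in' list (constructed; the question does not show the real one).
OUT_IN_ACL = [
    "permit udp host 65.0.2.1 host 216.0.2.1 eq isakmp",
    "permit esp host 65.0.2.1 host 216.0.2.1",
    "permit udp any host 216.0.2.1 eq isakmp",
    "permit esp any host 216.0.2.1",
]
SUGGESTED_ENTRY = "permit ip 10.16.20.0 0.0.0.255 any"    # asavener's line for the client pool

ANY = (0, 0xFFFFFFFF)

def _addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W').
    Returns ((base, wildcard) as ints, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def _matches(spec, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care',
    every 0 bit must equal the corresponding bit of the base address."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(addr)) ^ base) & (0xFFFFFFFF ^ wild) == 0

def parse_ace(line):
    tokens = line.split()
    src, rest = _addr(tokens[2:])
    dst, _ = _addr(rest)          # port qualifiers such as 'eq isakmp' are ignored here
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst}

def evaluate(acl, proto, src, dst):
    """First-match evaluation, ending in the implicit 'deny ip any any'.
    Returns (action, the entry that decided it)."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] in ("ip", proto) and _matches(ace["src"], src) and _matches(ace["dst"], dst):
            return ace["action"], line
    return "deny", "implicit deny ip any any"

if __name__ == "__main__":
    # Decrypted echo request from a client in pool 10.16.20.1-200 to the inside LAN.
    pkt = ("icmp", "10.16.20.5", "192.168.40.10")
    print("before:", evaluate(OUT_IN_ACL, *pkt))
    print("after :", evaluate([SUGGESTED_ENTRY] + OUT_IN_ACL, *pkt))
    # Common slip: a subnet mask where a wildcard belongs matches only hosts ending in .0.
    print("mask typo:", evaluate(["permit ip 10.16.20.0 255.255.255.0 any"], *pkt))
```

The ESP and ISAKMP entries let the encrypted packets in, but once decrypted the inner packet is sourced from the pool address and, on a box that runs decrypted traffic through the inbound list again as asavener describes, nothing above the implicit deny covers it; the suggested entry does. The last case is the classic wildcard slip: 255.255.255.0 as a wildcard means "only the last octet must match", so just 10.16.20.0 itself gets through.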
 

Author Comment

by:mcstechguru1978
ID: 35166518
I will give that a go.
0
 
LVL 28

Expert Comment

by:asavener
ID: 35167185
Rereading, I'm unclear on whether the issue is with the LAN-to-LAN tunnel, or the dynamic connections.

If it's the LAN-to-LAN, you may need "permit GRE any any"
0
 

Author Comment

by:mcstechguru1978
ID: 35167420
This is for the remote-access VPN.  The GRE tunnel works fine.
0
 

Author Closing Comment

by:mcstechguru1978
ID: 35360958
Agreed and worked.  IOS fixed the issue. Along with a few ACL adjustments.
0
