Cisco VPN client fails Phase 2 negotiation

I've been trying to connect a Cisco VPN client (ver 5) to a Cisco 880 router running IOS 15.3.

The client successfully passes the initial Phase 1 negotiation and the group username and password, and then prompts for the local username and password. At this point, the client drops due to what appears to be a lack of Phase 2 negotiation. I can't figure out what I'm missing in my router IOS configuration that is preventing the Phase 2 negotiation from occurring.

Any help would be appreciated.

Thanks - Ryan

VPN Client Log:

1561   12:55:57.753  07/30/15  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 66.x.y.z

1562   12:55:57.754  07/30/15  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 66.x.y.z

1563   12:55:57.754  07/30/15  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=25D8B0A6

1564   12:55:57.754  07/30/15  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=DF9849184EA83085 R_Cookie=C2035F5E1F72F335) reason = DEL_REASON_IKE_NEG_FAILED

1565   12:55:57.975  07/30/15  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

Router Configuration:

aaa new-model
aaa authentication login userauthen local
aaa authorization network foo local

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group vpnclient
 key XXXXXXXXX
 dns 8.8.8.8 8.8.4.4
 pool vpnpool
 acl 100

ip local pool vpnpool 192.168.250.10 192.168.250.20


crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 1
 set transform-set vpnset
 match address 101
 reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list foo
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap


interface FastEthernet4
 description ** OUTSIDE **
 ip address 66.X.Y.Z 255.255.255.248
 ip access-group SECURE-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map vpnmap

ip nat inside source list OUTBOUND_NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 66.X.Y.Z
!
ip access-list extended SECURE-IN
 permit udp any host 66.X.Y.Z eq non500-isakmp
 permit tcp any host 66.X.Y.Z eq 10000
 permit tcp any host 66.X.Y.Z eq 4500
 permit udp any host 66.X.Y.Z eq isakmp
 permit esp any host 66.X.Y.Z
 permit ahp any host 66.X.Y.Z
 permit tcp any host 66.X.Y.Z eq 22
 permit tcp any host 66.X.Y.Z eq telnet
 deny   ip any any
ip access-list extended OUTBOUND_NAT
 deny   ip 10.14.4.0 0.0.0.255 192.168.250.0 0.0.0.255
 permit ip 10.14.4.0 0.0.0.255 any

access-list 100 permit ip 10.14.4.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 101 permit ip 10.14.4.0 0.0.0.255 192.168.250.0 0.0.0.255
dboughjrAsked:

Benjamin Van DitmarsCommented:
Does the client authenticate for the second time?
I'm looking for an old config file I used a while ago, because I'm missing something. I will check this, because I have seen this problem before.
0
dboughjrAuthor Commented:
Yes, when I initiate the connection, the Phase 1 negotiation is successful and the group username and password are accepted. I then get the prompt for the local user account credentials.

If I enter the wrong password for either authentication step, the log throws a different error so I know the local username and vpn group account is being referenced properly by the router configuration.

I get the IKE NO PROPOSAL CHOSEN error as soon as the local username is authenticated and the client proceeds to the next step.
0
Benjamin Van DitmarsCommented:
Can you send the log of the client and the router? I have the feeling you did not bind any IPsec policy to your profile correctly.
0


dboughjrAuthor Commented:
Ben,

Here is the output from "debug crypto ipsec".

As soon as I hit return on the local username and password pop-up:

000562: *Jul 30 13:34:45.370 eastern: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 66.X.Y.Z:0, remote= 12.X.Y.Z:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 192.168.250.16/255.255.255.255/256/0,
    protocol= PCP, transform= NONE  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
000563: *Jul 30 13:34:45.374 eastern: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 192.168.250.16
        protocol     : 0
        src port     : 0
        dst port     : 0
000564: *Jul 30 13:34:45.374 eastern: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 192.168.250.16
        protocol     : 0
        src port     : 0
        dst port     : 0
000565: *Jul 30 13:34:45.374 eastern: map_db_find_best did not find matching map
000566: *Jul 30 13:34:45.374 eastern: Cannot find crypto swsb : in ipsec_process_proposal (), 1590
000567: *Jul 30 13:34:45.374 eastern: IPSEC(ipsec_process_proposal): proxy identities not supported
0
dboughjrAuthor Commented:
Sorry, the first post has everything related to crypto/VPN on the router, so if I'm missing anything, it's not in that list.
0
dboughjrAuthor Commented:
OK, I have it fixed. I changed the crypto map profile to include the ISAKMP profile. Awarding Ben the points since he put me on the right track.

New configuration:

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group vpnclient
 key XXXXXXXXXX
 dns 8.8.8.8 8.8.4.4
 pool vpnpool
 acl 100
crypto isakmp profile vpnprof1
   match identity group vpnclient
   client authentication list userauthen
   isakmp authorization list foo
   client configuration address respond
!
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 1
 set transform-set vpnset
 set isakmp-profile vpnprof1
 reverse-route
!
!
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
0
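A small check, added here and not part of the thread, that reproduces why the router logged "map_db_find_best did not find matching map": it parses the proxy identities from the debug output above and tests them against access-list 100/101 style entries, modelling the crypto ACL that the original dynamic map referenced with "match address 101" and that the fixed dynamic map no longer references. The debug lines and the ACL line are copied from the posts; the function names and the simplified matching rule (both proxy identities must fall inside the ACE) are my own assumptions.

```python
import ipaddress
import re

# Constructed sample: the two proxy lines copied from the 'debug crypto ipsec' output in the thread.
# local_proxy is the router's side of the SA, remote_proxy is the VPN client's side.
DEBUG_LINES = """\
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 192.168.250.16/255.255.255.255/256/0,
"""

# The crypto ACL the original dynamic map pointed at with 'match address 101'.
ACL_101 = "access-list 101 permit ip 10.14.4.0 0.0.0.255 192.168.250.0 0.0.0.255"

def parse_proxies(text):
    """Return (local_proxy, remote_proxy) as IPv4Network objects from addr/netmask/proto/port fields."""
    nets = {}
    for side in ("local_proxy", "remote_proxy"):
        m = re.search(rf"{side}= (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/", text)
        nets[side] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets["local_proxy"], nets["remote_proxy"]

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (wildcard bits set = don't care)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_crypto_ace(line):
    """Parse 'access-list N permit ip SRC WC DST WC' into (source_net, dest_net).
    In a crypto ACL the source is the router's local side, the destination the remote side."""
    src, swc, dst, dwc = line.split()[4:8]
    return wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)

def proposal_matches(local_proxy, remote_proxy, ace):
    """Simplified model (assumption): a proposal is accepted only if both proxy identities
    fall inside the ACE. ace=None models a dynamic map with no 'match address' line,
    which accepts whatever identities the client proposes."""
    if ace is None:
        return True
    src_net, dst_net = ace
    return local_proxy.subnet_of(src_net) and remote_proxy.subnet_of(dst_net)

def diagnose(debug_text, acl_line):
    """True if the proposal in the debug output would match the given crypto ACE."""
    local, remote = parse_proxies(debug_text)
    return proposal_matches(local, remote, parse_crypto_ace(acl_line))

if __name__ == "__main__":
    local, remote = parse_proxies(DEBUG_LINES)
    print(f"client proposes local={local} remote={remote}")
    print("with 'match address 101':", diagnose(DEBUG_LINES, ACL_101))            # False
    print("without 'match address':", proposal_matches(local, remote, None))      # True
```

The client's local identity of 0.0.0.0/0 is not inside 10.14.4.0/24, so no crypto map entry matches; dropping the match address line, as in the fixed configuration, removes that constraint.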
Benjamin Van DitmarsCommented:
My feeling was good. It's been a long time since I made this kind of VPN. Enjoy :)
0