
VPN tunnel issue

ittechk4u1
Level 4

Hello Experts,

Maybe anyone can help to bring UP my VPN tunnel.

 

SPOKE#sh cry isa policy

Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume Limit

HUB:

Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume Limit

 

Both are the same, still I am getting this error:

 

.Apr  5 11:14:15.475: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Apr  5 11:14:15.475: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Apr  5 11:14:15.475: ISAKMP-ERROR: (0):no offers accepted!
.Apr  5 11:14:15.479: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 106.120.64.62 remote 195.243.205.120)
.Apr  5 11:14:15.479: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 195.243.205.120)
.Apr  5 11:14:15.479: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
.Apr  5 11:14:15.479: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 195.243.205.120)
.Apr  5 11:14:17.027: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Apr  5 11:14:17.027: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Apr  5 11:14:17.027: ISAKMP-ERROR: (0):no offers accepted!
.Apr  5 11:14:25.475: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Apr  5 11:14:25.475: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Apr  5 11:14:25.475: ISAKMP-ERROR: (0):no offers accepted!

 

Pre-shared key is exactly the same...

 

Thanks
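As an added example (not code from Cisco or from anyone in this thread), the script below parses `show crypto isakmp policy` output from two peers into proposals, applies a simplified model of how an IOS responder selects a phase-1 policy, lists the attributes of a proposal that no peer policy shares, and maps ISAKMP-ERROR debug lines like the ones above to the attribute that was rejected. Its hub policy is constructed to differ from the spoke's in DH group so the mismatch path actually runs; the selection rule and the three non-DH error strings are assumptions modelled on Cisco documentation, not taken from this page. Group 1 (768-bit MODP), which both policies here use, is far below current guidance, which starts at group 14 (2048-bit); a hub whose effective policy set does not include group 1 rejects the proposal with exactly this error even when everything else matches.

```python
# Added example: compare two peers' IKEv1 phase-1 policies and map ISAKMP-ERROR
# debug lines to the attribute that was rejected. Not Cisco's or the posters' code.
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the spoke policy as posted in the thread.
SPOKE_POLICY = """\
Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume Limit
"""
HUB_POLICY = SPOKE_POLICY.replace("#1 (768 bit)", "#14 (2048 bit)")  # constructed hub: DH group 14 only
DEBUG_LINES = [  # constructed sample: ISAKMP-ERROR lines copied from the thread
    ".Apr  5 11:14:15.475: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!",
    ".Apr  5 11:14:15.475: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0",
    ".Apr  5 11:14:15.475: ISAKMP-ERROR: (0):no offers accepted!",
]

_PRIORITY = re.compile(r"(?im)^[ \t]*(?:default )?protection suite of priority (\d+)[ \t]*$")
_HASH = {"Secure Hash Standard": "sha", "Message Digest 5": "md5"}
_AUTH = {"Pre-Shared Key": "psk", "Rivest-Shamir-Adleman Signature": "rsa-sig"}
_ATTR_ERRORS = {  # only the DH message is from the thread; the other three are assumed by analogy
    "Diffie-Hellman group offered does not match policy": "dh_group",
    "Encryption algorithm offered does not match policy": "encryption",
    "Hash algorithm offered does not match policy": "hash_alg",
    "Authentication method offered does not match policy": "auth",
}
MAIN_MODE_STATES = {  # IOS "show crypto isakmp sa" main-mode states, in negotiation order
    "MM_NO_STATE": "ISAKMP SA created but nothing agreed (proposal rejected or no reply)",
    "MM_SA_SETUP": "phase-1 policy agreed; DH key exchange not yet done",
    "MM_KEY_EXCH": "DH exchange done and shared secret derived; peer not yet authenticated",
    "MM_KEY_AUTH": "peer authenticated; phase 1 complete",
    "QM_IDLE": "phase 1 up and quick mode idle: the normal working state",
}

@dataclass(frozen=True)
class Proposal:
    priority: int
    encryption: str
    hash_alg: str
    auth: str
    dh_group: int
    lifetime: int

def _field(body: str, label: str) -> str:
    m = re.search(re.escape(label) + r":\s*(.+)", body, re.IGNORECASE)
    return m.group(1).strip() if m else ""

def _norm_encr(text: str) -> str:
    m = re.search(r"AES.*?\((\d+) bit keys\)", text)
    if m:
        return f"aes-{m.group(1)}"
    return "3des" if "triple DES" in text else text.rstrip(".").lower()

def parse_policy(text: str) -> List[Proposal]:
    """Turn 'show crypto isakmp policy' (or 'default policy') output into Proposals."""
    chunks = _PRIORITY.split(text)  # [preamble, priority, body, priority, body, ...]
    proposals = []
    for i in range(1, len(chunks) - 1, 2):
        body = chunks[i + 1]
        dh = re.search(r"#(\d+)", _field(body, "Diffie-Hellman group"))
        life = re.search(r"(\d+)\s*seconds", _field(body, "lifetime"))
        hash_txt, auth_txt = _field(body, "hash algorithm"), _field(body, "authentication method")
        proposals.append(Proposal(
            priority=int(chunks[i]),
            encryption=_norm_encr(_field(body, "encryption algorithm")),
            hash_alg=_HASH.get(hash_txt, hash_txt.lower()),
            auth=_AUTH.get(auth_txt, auth_txt.lower()),
            dh_group=int(dh.group(1)) if dh else 0,
            lifetime=int(life.group(1)) if life else 0,
        ))
    return proposals

def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Tuple[Proposal, Proposal]]:
    """Simplified model (assumption, after the IOS security guide): the responder walks its
    own policies from the lowest priority number upward and takes the first one that some
    initiator proposal matches on encryption, hash, authentication and DH group, provided
    the initiator's lifetime is not longer than its own (the shorter lifetime is then used)."""
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            same = (i.encryption, i.hash_alg, i.auth, i.dh_group) == (r.encryption, r.hash_alg, r.auth, r.dh_group)
            if same and i.lifetime <= r.lifetime:
                return i, r
    return None

def mismatched_attributes(proposal: Proposal, responder: List[Proposal]) -> List[str]:
    """Attributes of one proposal that no responder policy shares at all."""
    names = ["encryption", "hash_alg", "auth", "dh_group"]
    return [n for n in names if all(getattr(proposal, n) != getattr(r, n) for r in responder)]

def phase1_failure_attributes(lines: List[str]) -> Set[str]:
    """Attributes the peer rejected, read off ISAKMP-ERROR debug lines."""
    return {attr for line in lines for msg, attr in _ATTR_ERRORS.items() if msg in line}
```

The default policies printed later in the thread (priority 65507 and up) parse the same way, so the configured and default output can be appended and fed to `negotiate` together to see the full set a responder can accept. `MAIN_MODE_STATES` is there to read a state change such as the one reported at the end of the thread: once an SA reaches MM_SA_SETUP the policy is no longer the problem, and the failure has moved on to the key exchange or the authentication step.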

10 Replies

Julio E. Moisa
VIP Alumni

Hi

Have you verified the configuration of: crypto isakmp key AAAA address x.x.x.x.

 




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Yes, it's correct on both sides.

 

Hello,

 

In addition to Julio's post, make sure your 'crypto isakmp key' statement has 'no-xauth' added at the end...

Normally all the other tunnels which are up and working are using "no-xauth".

 

 

I removed the no-xauth for the specific location and still the tunnels are not coming UP.

 

Thanks

Hello,

 

Sorry for the misunderstanding, the idea was to check if 'no-xauth' was there. By all means don't remove it.

Can you post the output of 'sh crypto isakmp default policy'?

Here is the output from the spoke:

 

Default IKE policy
Default protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65509
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65510
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65513
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume Limit

 

Thanks

Hi

Is it possible to share the configuration, removing the sensitive information?

Thank you in advance.

Please find attached the config of the spoke:

 

Info: we have 6 locations connected from HQ (HUB)... all work except this spoke.

 

Thanks

 

Hello

 

A couple of your profiles are using group 5 and pre-shared key; my understanding is that only groups 1-2, and not group 5, support PSK:

 

hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)

 

Regards

Paul 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I tried to change the policy and now the state changes from MM_NO to MM_SA, but still the tunnel is not coming UP. New policy:

crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 14
 lifetime 2880

Please find the attached logs: