
Easy VPN Assistance

geoff.r.hill
Level 1

Good Morning all.

I am trying to set up an Easy VPN connection between a 2811 and an 887 router. I am getting some errors which I cannot resolve. Your assistance in this would be greatly appreciated.

They are set up in the following manner, with the intention that the 887 can be put in a user's home, connected into their generic DSL router, and provide connectivity into the enterprise. In this setup, it is an 877, but the intention is that the config of this device should not be adjusted.

The Firewall NATs an external IP address to the 10.228.156.33 address present on R3

R1 attempts a connection to R3, but returns the error

Oct 11 08:48:42.905: %CRYPTO-4-EZVPN_FAILED_TO_CONNECT: EZVPN(Remote) Ezvpn is in state READY, previous state was CONNECT_REQUIRED and event is CONN_UP. Session is not up after 180 seconds of initiating session, resetting the connection

Oct 11 08:48:42.905: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=groupname  Client_public_addr=172.17.4.43  Server_public_addr=1.2.3.4

                

and a sh crypto isakmp sa, shows a connection to R3, however this times out after 180 seconds

R3 then shows a route to 10.153.100.0/24 via f0/1, but no SA for R1

Usernames, passwords and keys are correct, but have been removed from the configs below

Thanks for your assistance

irl.jpg

R1 config


hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret xxxx

!
no aaa new-model
crypto pki token default removal timeout 0
!
!
ip source-route
ip cef
!
!
!
!
ip dhcp pool client
network 10.153.100.0 255.255.255.0
default-router 10.153.100.1
dns-server 10.203.2.10
!
!
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn xxxxx
!
username xxxx privilege 15 password 0 xxxxx
!
!
!
!
controller VDSL 0
!
!
!
!
!
crypto ipsec client ezvpn Remote
connect auto
group groupname key xxxxxx
mode network-extension
peer 1.2.3.4 xauth userid mode interactive
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address

!
interface Vlan1
ip address dhcp
crypto ipsec client ezvpn Remote
!
interface Vlan2
ip address 10.153.100.1 255.255.255.0
crypto ipsec client ezvpn Remote inside
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip pim bidir-enable
ip route xxxxx 255.255.255.255 Vlan1
!
no cdp run
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

R3#

no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret xxxxx
!
aaa new-model
!
!
aaa authentication login VPN_xauth local
aaa authorization network VPN_group local
!
aaa session-id common
!
!
ip cef
!
!
voice-card 0
no dspfarm
!
username xxxx privilege 15 password xxxx
archive
log config
  hidekeys
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group groupname
key xxxxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile remote-access
!
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list VPN_xauth
crypto map clientmap isakmp authorization list VPN_group
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 10.203.4.33 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.228.156.33 255.255.255.0
duplex full
speed 100
crypto map clientmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.228.156.254
ip route 10.0.0.0 255.0.0.0 10.203.4.254
!
!
ip http server
no ip http secure-server
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 360 0
password xxxx
!
scheduler allocate 20000 1000
!
end

2 Accepted Solutions

Hello geoff,

Found something.

On R1, the peer is configured as 193.128.190.33, but that IP is not configured on R3. Is it NATted on the firewall? If yes, did we allow UDP port 4500 towards that IP?

regards

Harish

That's fine, but when the traffic is being generated from VLAN 2 of R1, R3 should reply back to 10.153.100.1. As per the current routes on R3, it takes 10.203.4.254 as the gateway because of the prefix match (10.0.0.0/8), so create a route on R3 as follows:

ip route 10.153.100.0 255.255.255.0 10.228.156.254

this should solve your issue

regards

Harish
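
Added example, not part of the original thread: a longest-prefix-match lookup over R3's interfaces and static routes as posted above, showing which interface return traffic for 10.153.100.1 leaves by before and after the proposed route. The helper names (parse_routes, lookup, egress, returns_via_crypto_map) are illustrative, and the parser handles only the `ip address` and `ip route <net> <mask> <next-hop>` forms that appear in this config.

```python
import ipaddress

# Interface addresses and static routes copied from the R3 config in the post.
R3_CONFIG = """\
interface FastEthernet0/0
ip address 10.203.4.33 255.255.255.0
interface FastEthernet0/1
ip address 10.228.156.33 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.228.156.254
ip route 10.0.0.0 255.0.0.0 10.203.4.254
"""

# Route proposed in the accepted reply.
PROPOSED_ROUTE = "ip route 10.153.100.0 255.255.255.0 10.228.156.254\n"

# "crypto map clientmap" is applied to this interface in the posted config.
# A crypto map only processes traffic that is routed out of that interface.
CRYPTO_MAP_INTERFACE = "FastEthernet0/1"


def parse_routes(config):
    """Return a list of (network, next_hop, interface) tuples.

    Connected routes have next_hop=None; static routes have interface=None.
    """
    routes = []
    current_if = None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"] and len(words) == 2:
            current_if = words[1]
        elif words[:2] == ["ip", "address"] and len(words) == 4:
            iface = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            routes.append((iface.network, None, current_if))
        elif words[:2] == ["ip", "route"] and len(words) >= 5:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            routes.append((net, ipaddress.ip_address(words[4]), None))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def egress(routes, dest, max_depth=4):
    """Resolve dest to (matched prefix, next hop, exit interface)."""
    best = lookup(routes, dest)
    if best is None:
        return None
    net, hop, iface = best
    target = hop
    for _ in range(max_depth):
        if iface is not None:
            break
        # Static route: resolve its next hop until a connected network is found.
        resolved = lookup(routes, target)
        if resolved is None:
            return str(net), str(hop), None
        _, target, iface = resolved
    return str(net), (str(hop) if hop else None), iface


def returns_via_crypto_map(routes, dest):
    """True if traffic to dest leaves through the crypto-map interface."""
    result = egress(routes, dest)
    return result is not None and result[2] == CRYPTO_MAP_INTERFACE


if __name__ == "__main__":
    before = parse_routes(R3_CONFIG)
    after = parse_routes(R3_CONFIG + PROPOSED_ROUTE)
    for label, table in (("as posted", before), ("with /24 route", after)):
        prefix, hop, iface = egress(table, "10.153.100.1")
        print(f"{label}: 10.153.100.1 -> {prefix} via {hop} out {iface}, "
              f"crypto map hit: {returns_via_crypto_map(table, '10.153.100.1')}")
```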

28 Replies

Hello Geoff,

It looks like the configuration is fine, as I could replicate it in my lab and it worked fine for me.

As you have confirmed the username & password and the keys are correct, could you also confirm the 'groupname' on both server and client are the same?

example

server:

--------

crypto isakmp client configuration group VPNTESTGROUP

Client:

--------

crypto ipsec client ezvpn Remote

group VPNTESTGROUP key xxxxxx

I hope you are able to ping the VPN peer 1.2.3.4 from R1. Also, do you have any NAT configured for R1's IP address on R2?

If all the above things are good, I don't see any issue, as it had worked fine for me.

regards

Harish.

I can confirm that the group names are identical, as are the keys.

R2 is configured with PAT, as the intention is to simulate a cheap DSL router that most users already have at home. There is no nat from the external interface of R2 to the IP address of R1.

Will I need to set up a NAT on R2?

Hello Geoff,

Even if you are doing PAT for all the IPs coming from behind R2, the VPN should work and get connected. Could you provide the output of the commands below while connecting?

From Client: debug crypto ipsec client ezvpn

show crypto isakmp sa

show crypto ipsec sa

from Server

debug crypto isakmp

show crypto isakmp sa

show crypto ipsec sa

regards

Harish

from server

R3#
R3#sh debug

Cryptographic Subsystem:
  Crypto ISAKMP debugging is on


R3#
R3#
R3#
*Oct 11 12:21:59.138: ISAKMP (0:0): received packet from 193.128.190.34 dport 50
0 sport 500 Global (N) NEW SA
*Oct 11 12:21:59.138: ISAKMP: Created a peer struct for 193.128.190.34, peer por
t 500
*Oct 11 12:21:59.138: ISAKMP: New peer created peer = 0x45BD3B14 peer_handle = 0
x80000188
*Oct 11 12:21:59.138: ISAKMP: Locking peer struct 0x45BD3B14, IKE refcount 1 for
crypto_isakmp_process_block
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0):Setting client config settings 45E22848
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0):(Re)Setting client xauth list  and stat
e
*Oct 11 12:21:59.138: ISAKMP/xauth: initializing AAA request
*Oct 11 12:21:59.138: ISAKMP: local port 500, remote port 500
*Oct 11 12:21:59.138: insert sa successfully sa = 45BD25C8
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
*Oct 11 12:21:59.138: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : easy_vpn_remote_groupname
        protocol     : 17
        port         : 0
        length       : 33
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0):: peer matches *none* of the profiles
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69
mismatch
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 24
5 mismatch
*Oct 11 12:21:59.138: ISAKMP (0:0): vendor ID is NAT-T v7
*Oct 11 12:21:59.138: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 15
7 mismatch
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 12
3 mismatch
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against pri
ority 1 policy
*Oct 11 12:21:59.142: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.142: ISAKMP:      keylength of 128
*Oct 11 12:21:59.142: ISAKMP:      hash SHA
*Oct 11 12:21:59.142: ISAKMP:      default group 2
*Oct 11 12:21:59.142: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.142: ISAKMP:      life type in seconds
*Oct 11 12:21:59.142: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):Proposed key length does not match poli
cy
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against pri
ority 1 policy
*Oct 11 12:21:59.142: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.142: ISAKMP:      keylength of 128
*Oct 11 12:21:59.142: ISAKMP:      hash MD5
*Oct 11 12:21:59.142: ISAKMP:      default group 2
*Oct 11 12:21:59.142: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.142: ISAKMP:      life type in seconds
*Oct 11 12:21:59.142: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match p
olicy!
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against pri
ority 1 policy
*Oct 11 12:21:59.142: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.142: ISAKMP:      keylength of 192
*Oct 11 12:21:59.142: ISAKMP:      hash SHA
*Oct 11 12:21:59.142: ISAKMP:      default group 2
*Oct 11 12:21:59.142: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.142: ISAKMP:      life type in seconds
*Oct 11 12:21:59.142: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):Proposed key length does not match poli
cy
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against pri
ority 1 policy
*Oct 11 12:21:59.142: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.142: ISAKMP:      keylength of 192
*Oct 11 12:21:59.142: ISAKMP:      hash MD5
*Oct 11 12:21:59.142: ISAKMP:      default group 2
*Oct 11 12:21:59.142: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.142: ISAKMP:      life type in seconds
*Oct 11 12:21:59.142: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match p
olicy!
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.142: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against pri
ority 1 policy
*Oct 11 12:21:59.142: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.142: ISAKMP:      keylength of 256
*Oct 11 12:21:59.146: ISAKMP:      hash SHA
*Oct 11 12:21:59.146: ISAKMP:      default group 2
*Oct 11 12:21:59.146: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.146: ISAKMP:      life type in seconds
*Oct 11 12:21:59.146: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not m
atch policy!
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 6 against pri
ority 1 policy
*Oct 11 12:21:59.146: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.146: ISAKMP:      keylength of 256
*Oct 11 12:21:59.146: ISAKMP:      hash MD5
*Oct 11 12:21:59.146: ISAKMP:      default group 2
*Oct 11 12:21:59.146: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.146: ISAKMP:      life type in seconds
*Oct 11 12:21:59.146: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match p
olicy!
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 7 against pri
ority 1 policy
*Oct 11 12:21:59.146: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.146: ISAKMP:      keylength of 128
*Oct 11 12:21:59.146: ISAKMP:      hash SHA
*Oct 11 12:21:59.146: ISAKMP:      default group 2
*Oct 11 12:21:59.146: ISAKMP:      auth pre-share
*Oct 11 12:21:59.146: ISAKMP:      life type in seconds
*Oct 11 12:21:59.146: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Proposed key length does not match poli
cy
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 8 against pri
ority 1 policy
*Oct 11 12:21:59.146: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.146: ISAKMP:      keylength of 128
*Oct 11 12:21:59.146: ISAKMP:      hash MD5
*Oct 11 12:21:59.146: ISAKMP:      default group 2
*Oct 11 12:21:59.146: ISAKMP:      auth pre-share
*Oct 11 12:21:59.146: ISAKMP:      life type in seconds
*Oct 11 12:21:59.146: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match p
olicy!
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against pri
ority 1 policy
*Oct 11 12:21:59.146: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.146: ISAKMP:      keylength of 192
*Oct 11 12:21:59.146: ISAKMP:      hash SHA
*Oct 11 12:21:59.146: ISAKMP:      default group 2
*Oct 11 12:21:59.146: ISAKMP:      auth pre-share
*Oct 11 12:21:59.146: ISAKMP:      life type in seconds
*Oct 11 12:21:59.146: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Proposed key length does not match poli
cy
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 10 against pr
iority 1 policy
*Oct 11 12:21:59.146: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.146: ISAKMP:      keylength of 192
*Oct 11 12:21:59.146: ISAKMP:      hash MD5
*Oct 11 12:21:59.146: ISAKMP:      default group 2
*Oct 11 12:21:59.146: ISAKMP:      auth pre-share
*Oct 11 12:21:59.146: ISAKMP:      life type in seconds
*Oct 11 12:21:59.146: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match p
olicy!
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 11 against pr
iority 1 policy
*Oct 11 12:21:59.146: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.146: ISAKMP:      keylength of 256
*Oct 11 12:21:59.146: ISAKMP:      hash SHA
*Oct 11 12:21:59.146: ISAKMP:      default group 2
*Oct 11 12:21:59.146: ISAKMP:      auth pre-share
*Oct 11 12:21:59.146: ISAKMP:      life type in seconds
*Oct 11 12:21:59.146: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not m
atch policy!
*Oct 11 12:21:59.146: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against pr
iority 1 policy
*Oct 11 12:21:59.150: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.150: ISAKMP:      keylength of 256
*Oct 11 12:21:59.150: ISAKMP:      hash MD5
*Oct 11 12:21:59.150: ISAKMP:      default group 2
*Oct 11 12:21:59.150: ISAKMP:      auth pre-share
*Oct 11 12:21:59.150: ISAKMP:      life type in seconds
*Oct 11 12:21:59.150: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match p
olicy!
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against pr
iority 1 policy
*Oct 11 12:21:59.150: ISAKMP:      encryption 3DES-CBC
*Oct 11 12:21:59.150: ISAKMP:      hash SHA
*Oct 11 12:21:59.150: ISAKMP:      default group 2
*Oct 11 12:21:59.150: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.150: ISAKMP:      life type in seconds
*Oct 11 12:21:59.150: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 14 against pr
iority 1 policy
*Oct 11 12:21:59.150: ISAKMP:      encryption 3DES-CBC
*Oct 11 12:21:59.150: ISAKMP:      hash MD5
*Oct 11 12:21:59.150: ISAKMP:      default group 2
*Oct 11 12:21:59.150: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.150: ISAKMP:      life type in seconds
*Oct 11 12:21:59.150: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 15 against pr
iority 1 policy
*Oct 11 12:21:59.150: ISAKMP:      encryption DES-CBC
*Oct 11 12:21:59.150: ISAKMP:      hash SHA
*Oct 11 12:21:59.150: ISAKMP:      default group 2
*Oct 11 12:21:59.150: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.150: ISAKMP:      life type in seconds
*Oct 11 12:21:59.150: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 16 against pr
iority 1 policy
*Oct 11 12:21:59.150: ISAKMP:      encryption DES-CBC
*Oct 11 12:21:59.150: ISAKMP:      hash MD5
*Oct 11 12:21:59.150: ISAKMP:      default group 2
*Oct 11 12:21:59.150: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.150: ISAKMP:      life type in seconds
*Oct 11 12:21:59.150: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 17 against pr
iority 1 policy
*Oct 11 12:21:59.150: ISAKMP:      encryption 3DES-CBC
*Oct 11 12:21:59.150: ISAKMP:      hash SHA
*Oct 11 12:21:59.150: ISAKMP:      default group 2
*Oct 11 12:21:59.150: ISAKMP:      auth pre-share
*Oct 11 12:21:59.150: ISAKMP:      life type in seconds
*Oct 11 12:21:59.150: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 18 against pr
iority 1 policy
*Oct 11 12:21:59.150: ISAKMP:      encryption 3DES-CBC
*Oct 11 12:21:59.150: ISAKMP:      hash MD5
*Oct 11 12:21:59.150: ISAKMP:      default group 2
*Oct 11 12:21:59.150: ISAKMP:      auth pre-share
*Oct 11 12:21:59.150: ISAKMP:      life type in seconds
*Oct 11 12:21:59.150: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 19 against pr
iority 1 policy
*Oct 11 12:21:59.150: ISAKMP:      encryption DES-CBC
*Oct 11 12:21:59.150: ISAKMP:      hash SHA
*Oct 11 12:21:59.150: ISAKMP:      default group 2
*Oct 11 12:21:59.150: ISAKMP:      auth pre-share
*Oct 11 12:21:59.150: ISAKMP:      life type in seconds
*Oct 11 12:21:59.150: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.150: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 20 against pr
iority 1 policy
*Oct 11 12:21:59.154: ISAKMP:      encryption DES-CBC
*Oct 11 12:21:59.154: ISAKMP:      hash MD5
*Oct 11 12:21:59.154: ISAKMP:      default group 2
*Oct 11 12:21:59.154: ISAKMP:      auth pre-share
*Oct 11 12:21:59.154: ISAKMP:      life type in seconds
*Oct 11 12:21:59.154: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 0
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against pri
ority 3 policy
*Oct 11 12:21:59.154: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.154: ISAKMP:      keylength of 128
*Oct 11 12:21:59.154: ISAKMP:      hash SHA
*Oct 11 12:21:59.154: ISAKMP:      default group 2
*Oct 11 12:21:59.154: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.154: ISAKMP:      life type in seconds
*Oct 11 12:21:59.154: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against pri
ority 3 policy
*Oct 11 12:21:59.154: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.154: ISAKMP:      keylength of 128
*Oct 11 12:21:59.154: ISAKMP:      hash MD5
*Oct 11 12:21:59.154: ISAKMP:      default group 2
*Oct 11 12:21:59.154: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.154: ISAKMP:      life type in seconds
*Oct 11 12:21:59.154: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against pri
ority 3 policy
*Oct 11 12:21:59.154: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.154: ISAKMP:      keylength of 192
*Oct 11 12:21:59.154: ISAKMP:      hash SHA
*Oct 11 12:21:59.154: ISAKMP:      default group 2
*Oct 11 12:21:59.154: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.154: ISAKMP:      life type in seconds
*Oct 11 12:21:59.154: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against pri
ority 3 policy
*Oct 11 12:21:59.154: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.154: ISAKMP:      keylength of 192
*Oct 11 12:21:59.154: ISAKMP:      hash MD5
*Oct 11 12:21:59.154: ISAKMP:      default group 2
*Oct 11 12:21:59.154: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.154: ISAKMP:      life type in seconds
*Oct 11 12:21:59.154: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against pri
ority 3 policy
*Oct 11 12:21:59.154: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.154: ISAKMP:      keylength of 256
*Oct 11 12:21:59.154: ISAKMP:      hash SHA
*Oct 11 12:21:59.154: ISAKMP:      default group 2
*Oct 11 12:21:59.154: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.154: ISAKMP:      life type in seconds
*Oct 11 12:21:59.154: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 6 against pri
ority 3 policy
*Oct 11 12:21:59.154: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.154: ISAKMP:      keylength of 256
*Oct 11 12:21:59.154: ISAKMP:      hash MD5
*Oct 11 12:21:59.154: ISAKMP:      default group 2
*Oct 11 12:21:59.154: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.154: ISAKMP:      life type in seconds
*Oct 11 12:21:59.154: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.154: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 7 against pri
ority 3 policy
*Oct 11 12:21:59.158: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.158: ISAKMP:      keylength of 128
*Oct 11 12:21:59.158: ISAKMP:      hash SHA
*Oct 11 12:21:59.158: ISAKMP:      default group 2
*Oct 11 12:21:59.158: ISAKMP:      auth pre-share
*Oct 11 12:21:59.158: ISAKMP:      life type in seconds
*Oct 11 12:21:59.158: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 8 against pri
ority 3 policy
*Oct 11 12:21:59.158: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.158: ISAKMP:      keylength of 128
*Oct 11 12:21:59.158: ISAKMP:      hash MD5
*Oct 11 12:21:59.158: ISAKMP:      default group 2
*Oct 11 12:21:59.158: ISAKMP:      auth pre-share
*Oct 11 12:21:59.158: ISAKMP:      life type in seconds
*Oct 11 12:21:59.158: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against pri
ority 3 policy
*Oct 11 12:21:59.158: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.158: ISAKMP:      keylength of 192
*Oct 11 12:21:59.158: ISAKMP:      hash SHA
*Oct 11 12:21:59.158: ISAKMP:      default group 2
*Oct 11 12:21:59.158: ISAKMP:      auth pre-share
*Oct 11 12:21:59.158: ISAKMP:      life type in seconds
*Oct 11 12:21:59.158: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 10 against pr
iority 3 policy
*Oct 11 12:21:59.158: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.158: ISAKMP:      keylength of 192
*Oct 11 12:21:59.158: ISAKMP:      hash MD5
*Oct 11 12:21:59.158: ISAKMP:      default group 2
*Oct 11 12:21:59.158: ISAKMP:      auth pre-share
*Oct 11 12:21:59.158: ISAKMP:      life type in seconds
*Oct 11 12:21:59.158: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 11 against pr
iority 3 policy
*Oct 11 12:21:59.158: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.158: ISAKMP:      keylength of 256
*Oct 11 12:21:59.158: ISAKMP:      hash SHA
*Oct 11 12:21:59.158: ISAKMP:      default group 2
*Oct 11 12:21:59.158: ISAKMP:      auth pre-share
*Oct 11 12:21:59.158: ISAKMP:      life type in seconds
*Oct 11 12:21:59.158: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against pr
iority 3 policy
*Oct 11 12:21:59.158: ISAKMP:      encryption AES-CBC
*Oct 11 12:21:59.158: ISAKMP:      keylength of 256
*Oct 11 12:21:59.158: ISAKMP:      hash MD5
*Oct 11 12:21:59.158: ISAKMP:      default group 2
*Oct 11 12:21:59.158: ISAKMP:      auth pre-share
*Oct 11 12:21:59.158: ISAKMP:      life type in seconds
*Oct 11 12:21:59.158: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not m
atch policy!
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload i
s 3
*Oct 11 12:21:59.158: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against pr
iority 3 policy
*Oct 11 12:21:59.158: ISAKMP:      encryption 3DES-CBC
*Oct 11 12:21:59.158: ISAKMP:      hash SHA
*Oct 11 12:21:59.158: ISAKMP:      default group 2
*Oct 11 12:21:59.158: ISAKMP:      auth XAUTHInitPreShared
*Oct 11 12:21:59.158: ISAKMP:      life type in seconds
*Oct 11 12:21:59.158: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Oct 11 12:21:59.162: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 69
mismatch
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245
mismatch
*Oct 11 12:21:59.198: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157
mismatch
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123
mismatch
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Oct 11 12:21:59.198: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID =
0
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 49
mismatch
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): claimed IOS but failed authentication
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 11 12:21:59.246: ISAKMP:(0:1:SW:1):Old State = IKE_READY  New State = IKE_R
_AM_AAA_AWAIT

*Oct 11 12:21:59.250: ISAKMP:(0:1:SW:1):SKEYID state generated
*Oct 11 12:21:59.250: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
*Oct 11 12:21:59.250: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authenticatio
n plus XAUTH using id type ID_IPV4_ADDR
*Oct 11 12:21:59.250: ISAKMP (0:134217729): ID payload
        next-payload : 10
        type         : 1
        address      : 10.228.156.33
        protocol     : 0
        port         : 0
        length       : 12
*Oct 11 12:21:59.250: ISAKMP:(0:1:SW:1):Total payload length: 12
*Oct 11 12:21:59.250: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 11 12:21:59.250: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY
_REPLY
*Oct 11 12:21:59.250: ISAKMP:(0:1:SW:1):Old State = IKE_R_AM_AAA_AWAIT  New Stat
e = IKE_R_AM2

R3#
R3#
R3#
R3#
R3#sh crypto ipsec sa

R3#sh crypto isakmp sa
dst             src             state          conn-id slot status
10.228.156.33   193.128.190.34  AG_INIT_EXCH         1    0 ACTIVE

R3#
*Oct 11 12:22:09.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Oct 11 12:22:09.250: ISAKMP (0:134217729): incrementing error counter on sa, at
tempt 1 of 5: retransmit phase 1
*Oct 11 12:22:09.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Oct 11 12:22:09.250: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 11 12:22:19.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Oct 11 12:22:19.250: ISAKMP (0:134217729): incrementing error counter on sa, at
tempt 2 of 5: retransmit phase 1
*Oct 11 12:22:19.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Oct 11 12:22:19.250: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 11 12:22:29.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Oct 11 12:22:29.250: ISAKMP (0:134217729): incrementing error counter on sa, at
tempt 3 of 5: retransmit phase 1
*Oct 11 12:22:29.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Oct 11 12:22:29.250: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 11 12:22:39.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Oct 11 12:22:39.250: ISAKMP (0:134217729): incrementing error counter on sa, at
tempt 4 of 5: retransmit phase 1
*Oct 11 12:22:39.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Oct 11 12:22:39.250: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 11 12:22:49.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Oct 11 12:22:49.250: ISAKMP (0:134217729): incrementing error counter on sa, at
tempt 5 of 5: retransmit phase 1
*Oct 11 12:22:49.250: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Oct 11 12:22:49.250: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
R3#
R3#
R3#
R3#term no mon
R3#sh crypto isakmp sa
dst             src             state          conn-id slot status
10.228.156.33   193.128.190.34  MM_NO_STATE          1    0 ACTIVE (deleted)

R3#sh crypto ipsec sa

R3#

from client


r1#clear crypto isakmp sa 
r1#
Oct 11 12:02:28.246: del_node src 193.128.190.34:4500 dst 193.128.190.33:4500 fvrf 0x0, ivrf 0x0
Oct 11 12:02:28.246: ISAKMP:(2008):peer does not do paranoid keepalives.

Oct 11 12:02:28.246: ISAKMP:(2008):peer does not do paranoid keepalives.

Oct 11 12:02:28.246: ISAKMP:(2008):deleting SA reason "Death by tree-walk" state (I) CONF_XAUTH    (peer 193.128.190.33)
Oct 11 12:02:28.246: ISAKMP: set new node 2070298983 to CONF_XAUTH  
Oct 11 12:02:28.250: ISAKMP:(2008): sending packet to 193.128.190.33 my_port 4500 peer_port 4500 (I) CONF_XAUTH  
Oct 11 12:02:28.250: ISAKMP:(2008):Sending an IKE IPv4 Packet.
Oct 11 12:02:28.250: ISAKMP:(2008):purging node 2070298983
Oct 11 12:02:28.250: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 11 12:02:28.250: ISAKMP:(2008):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Oct 11 12:02:28.250: ISAKMP:(2008):deleting SA reason "Death by tree-walk" state (I) CONF_XAUTH    (peer 193.128.190.33)
Oct 11 12:02:28.250: ISAKMP: Unlocking peer struct 0xA675330 for isadb_mark_sa_deleted(), count 0
Oct 11 12:02:28.250: ISAKMP: Deferring peer node A675330 deletion, by peer_reap as there are other users 4
Oct 11 12:02:28.250: ISAKMP:(2008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 11 12:02:28.250: ISAKMP:(2008):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Oct 11 12:02:28.250: ISAKMP: Deleting peer node by peer_reap for 193.128.190.33: A675330
Oct 11 12:02:28.250: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=easy_vpn_remote_groupname  Client_public_addr=193.128.190.34  Server_public_addr=193.128.190.33 
Oct 11 12:02:28.250: ISAKMP:(2008):peer does not do paranoid keepalives.

Oct 11 12:02:29.690: del_node src 193.128.190.34:4500 dst 193.128.190.33:4500 fvrf 0x0, ivrf 0x0
Oct 11 12:02:29.690: ISAKMP:(2008):peer does not do paranoid keepalives.

Oct 11 12:02:29.690: ISAKMP:(0): SA request profile is (NULL)
Oct 11 12:02:29.690: ISAKMP: Created a peer struct for 193.128.190.33, peer port 500
Oct 11 12:02:29.690: ISAKMP: New peer created peer = 0xA675330 peer_handle = 0x8000002E
Oct 11 12:02:29.690: ISAKMP: Locking peer struct 0xA675330, refcount 1 for isakmp_initiator
Oct 11 12:02:29.690: ISAKMP:(0):Setting client config settings ABC5174
Oct 11 12:02:29.690: ISAKMP: local port 500, remote port 500
Oct 11 12:02:29.690: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = A917C84
Oct 11 12:02:29.690: ISAKMP:(0): client mode configured.
Oct 11 12:02:29.690: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 11 12:02:29.690: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 11 12:02:29.690: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 11 12:02:29.690: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 11 12:02:29.690: ISKAMP: growing send buffer from 1024 to 3072
Oct 11 12:02:29.690: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
Oct 11 12:02:29.690: ISAKMP (0): ID payload
next-payload : 13
type         : 11
group id     : easy_vpn_remote_groupname
protocol     : 17
port         : 0
length       : 33
Oct 11 12:02:29.690: ISAKMP:(0):Total payload length: 33
Oct 11 12:02:29.690: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
Oct 11 12:02:29.690: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

Oct 11 12:02:29.690: ISAKMP:(0): beginning Aggressive Mode exchange
Oct 11 12:02:29.690: ISAKMP:(0): sending packet to 193.128.190.33 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Oct 11 12:02:29.690: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 11 12:02:29.810: ISAKMP (0): received packet from 193.128.190.33 dport 500 sport 500 Global (I) AG_INIT_EXCH
Oct 11 12:02:29.810: ISAKMP:(0): processing SA payload. message ID = 0
Oct 11 12:02:29.810: ISAKMP:(0): processing ID payload. message ID = 0
Oct 11 12:02:29.810: ISAKMP (0): ID payload
next-payload : 10
type         : 1
address      : 10.228.156.33
protocol     : 0
port         : 0
length       : 12
Oct 11 12:02:29.810: ISAKMP:(0):: peer matches *none* of the profiles
Oct 11 12:02:29.810: ISAKMP:(0): processing vendor id payload
Oct 11 12:02:29.810: ISAKMP:(0): vendor ID is Unity
Oct 11 12:02:29.810: ISAKMP:(0): processing vendor id payload
Oct 11 12:02:29.810: ISAKMP:(0): vendor ID is DPD
Oct 11 12:02:29.810: ISAKMP:(0): processing vendor id payload
Oct 11 12:02:29.810: ISAKMP:(0): speaking to another IOS box!
Oct 11 12:02:29.810: ISAKMP: no pre-shared key based on address 10.228.156.33!
Oct 11 12:02:29.810: ISAKMP:(0):found peer pre-shared key matching 193.128.190.33
Oct 11 12:02:29.810: ISAKMP:(0): local preshared key found
Oct 11 12:02:29.810: ISAKMP : Scanning profiles for xauth ...
Oct 11 12:02:29.810: ISAKMP:(0): Authentication by xauth preshared
Oct 11 12:02:29.810: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65515 policy
Oct 11 12:02:29.810: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.810: ISAKMP:      hash SHA
Oct 11 12:02:29.810: ISAKMP:      default group 2
Oct 11 12:02:29.810: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.810: ISAKMP:      life type in seconds
Oct 11 12:02:29.810: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.810: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.810: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.810: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65516 policy
Oct 11 12:02:29.810: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.810: ISAKMP:      hash SHA
Oct 11 12:02:29.810: ISAKMP:      default group 2
Oct 11 12:02:29.810: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.810: ISAKMP:      life type in seconds
Oct 11 12:02:29.810: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.810: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.810: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.810: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65517 policy
Oct 11 12:02:29.810: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.810: ISAKMP:      hash SHA
Oct 11 12:02:29.810: ISAKMP:      default group 2
Oct 11 12:02:29.810: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.810: ISAKMP:      life type in seconds
Oct 11 12:02:29.810: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.810: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65518 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65519 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65520 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65521 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65522 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65523 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65524 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65525 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65526 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):Encryption algorithm offered does not match policy!
Oct 11 12:02:29.814: ISAKMP:(0):atts are not acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65527 policy
Oct 11 12:02:29.814: ISAKMP:      encryption 3DES-CBC
Oct 11 12:02:29.814: ISAKMP:      hash SHA
Oct 11 12:02:29.814: ISAKMP:      default group 2
Oct 11 12:02:29.814: ISAKMP:      auth XAUTHInitPreShared
Oct 11 12:02:29.814: ISAKMP:      life type in seconds
Oct 11 12:02:29.814: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 11 12:02:29.814: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 11 12:02:29.814: ISAKMP:(0):Acceptable atts:actual life: 2147483
Oct 11 12:02:29.814: ISAKMP:(0):Acceptable atts:life: 0
Oct 11 12:02:29.814: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 11 12:02:29.814: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
Oct 11 12:02:29.814: ISAKMP:(0):Returning Actual lifetime: 2147483
Oct 11 12:02:29.814: ISAKMP:(0)::Started lifetime timer: 2147483.

Oct 11 12:02:29.814: ISAKMP (0): vendor ID is NAT-T v7
Oct 11 12:02:29.814: ISAKMP:(0): processing KE payload. message ID = 0
Oct 11 12:02:29.818: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 11 12:02:29.818: ISAKMP: no pre-shared key based on address 10.228.156.33!
Oct 11 12:02:29.818: ISAKMP:(0):found peer pre-shared key matching 193.128.190.33
Oct 11 12:02:29.818: ISAKMP:(2009): processing HASH payload. message ID = 0
Oct 11 12:02:29.818: ISAKMP (2009): His hash no match - this node outside NAT
Oct 11 12:02:29.818: ISAKMP (2009): His hash no match - this node outside NAT
Oct 11 12:02:29.818: ISAKMP:(2009):SA authentication status:
authenticated
Oct 11 12:02:29.818: ISAKMP:(2009):SA has been authenticated with 193.128.190.33
Oct 11 12:02:29.818: ISAKMP: Trying to insert a peer 193.128.190.34/193.128.190.33/4500/,  and inserted successfully A675330.
Oct 11 12:02:29.818: ISAKMP:(2009):Send initial contact
Oct 11 12:02:29.822: ISAKMP:(2009): sending packet to 193.128.190.33 my_port 4500 peer_port 4500 (I) AG_INIT_EXCH
Oct 11 12:02:29.822: ISAKMP:(2009):Sending an IKE IPv4 Packet.
Oct 11 12:02:29.822: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Oct 11 12:02:29.822: ISAKMP:(2009):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE

Oct 11 12:02:29.822: ISAKMP:(2009):Need XAUTH
Oct 11 12:02:29.822: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 11 12:02:29.822: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Oct 11 12:02:39.690: ISAKMP:(2009): no outgoing phase 1 packet to retransmit. CONF_XAUTH  
Oct 11 12:02:39.810: ISAKMP (2009): received packet from 193.128.190.33 dport 500 sport 500 Global (I) CONF_XAUTH  
Oct 11 12:02:39.810: ISAKMP:(2009): phase 1 packet is a duplicate of a previous packet.
Oct 11 12:02:39.810: ISAKMP:(2009): retransmitting due to retransmit phase 1
Oct 11 12:02:39.810: ISAKMP:(2009): no outgoing phase 1 packet to retransmit. CONF_XAUTH  
r1#
r1#
r1#
r1#
r1#
r1#
r1#sh c
Oct 11 12:02:49.810: ISAKMP (2009): received packet from 193.128.190.33 dport 500 sport 500 Global (I) CONF_XAUTH  
Oct 11 12:02:49.810: ISAKMP:(2009): phase 1 packet is a duplicate of a previous packet.
Oct 11 12:02:49.810: ISAKMP:(2009): retransmitting due to retransmit phase 1
Oct 11 12:02:49.810: ISAKMP:(2009): no outgoing phase 1 packet to retransmit. CONF_XAUTH   ry    
% Type "show ?" for a list of subcommands
r1#
r1#
r1#
r1#
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
193.128.190.33  193.128.190.34  CONF_XAUTH        2009 ACTIVE
193.128.190.33  193.128.190.34  MM_NO_STATE       2008 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

r1#sh crypto isakmp sa
Oct 11 12:02:59.814: ISAKMP (2009): received packet from 193.128.190.33 dport 500 sport 500 Global (I) CONF_XAUTH  
Oct 11 12:02:59.814: ISAKMP:(2009): phase 1 packet is a duplicate of a previous packet.
Oct 11 12:02:59.814: ISAKMP:(2009): retransmitting due to retransmit phase 1
Oct 11 12:02:59.814: ISAKMP:(2009): no outgoing phase 1 packet to retransmit. CONF_XAUTH  
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
193.128.190.33  193.128.190.34  CONF_XAUTH        2009 ACTIVE
193.128.190.33  193.128.190.34  MM_NO_STATE       2008 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

r1#
r1#
r1#sh crypto isakmp sa sa  sa  sa  sa  sa p sas sae sac sa
No SAs found
r1#
Oct 11 12:03:09.814: ISAKMP (2009): received packet from 193.128.190.33 dport 500 sport 500 Global (I) CONF_XAUTH  
Oct 11 12:03:09.814: ISAKMP:(2009): phase 1 packet is a duplicate of a previous packet.
Oct 11 12:03:09.814: ISAKMP:(2009): retransmitting due to retransmit phase 1
Oct 11 12:03:09.814: ISAKMP:(2009): no outgoing phase 1 packet to retransmit. CONF_XAUTH  
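
Added example, not part of the original posts: a small Python script that correlates the two debug captures above. It rejoins the 80-column-wrapped R3 lines, extracts the UDP ports each side uses, and reports when the client has floated IKE to UDP 4500 after NAT detection while the responder excerpt only ever shows port 500. The log excerpts are copied from this thread; the function and key names are illustrative.

```python
import re

# Excerpts copied from the r1 (client) and R3 (server) debug output in this thread.
CLIENT_LOG = """\
Oct 11 12:02:29.690: ISAKMP:(0): sending packet to 193.128.190.33 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Oct 11 12:02:29.810: ISAKMP (0): received packet from 193.128.190.33 dport 500 sport 500 Global (I) AG_INIT_EXCH
Oct 11 12:02:29.818: ISAKMP (2009): His hash no match - this node outside NAT
Oct 11 12:02:29.822: ISAKMP:(2009): sending packet to 193.128.190.33 my_port 4500 peer_port 4500 (I) AG_INIT_EXCH
Oct 11 12:02:39.810: ISAKMP (2009): received packet from 193.128.190.33 dport 500 sport 500 Global (I) CONF_XAUTH
Oct 11 12:02:39.810: ISAKMP:(2009): phase 1 packet is a duplicate of a previous packet.
"""
SERVER_LOG = """\
*Oct 11 12:21:59.250: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 11 12:22:09.250: ISAKMP (0:134217729): incrementing error counter on sa, at
tempt 1 of 5: retransmit phase 1
*Oct 11 12:22:09.250: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 11 12:22:19.250: ISAKMP (0:134217729): incrementing error counter on sa, at
tempt 2 of 5: retransmit phase 1
"""

TS = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: ")
PROMPT = re.compile(r"^[\w.-]+#")
TX = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(([IR])\) (\S+)")
RX = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) \S+ \(([IR])\) (\S+)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
NAT_SEEN = "this node outside NAT"


def unwrap(text):
    """Rejoin debug lines that an 80-column terminal split mid-word."""
    out = []
    for raw in text.splitlines():
        if TS.match(raw):
            out.append(raw.rstrip())
        elif out and raw.strip() and not PROMPT.match(raw):
            out[-1] += raw.strip()  # continuation: no separator, the split is mid-word
    return out


def packets(lines):
    """Extract sent/received IKE packets with local and peer UDP ports."""
    found = []
    for line in lines:
        for direction, rx in (("tx", TX), ("rx", RX)):
            m = rx.search(line)
            if m:
                found.append({"dir": direction, "peer": m.group(1),
                              "local_port": int(m.group(2)),
                              "peer_port": int(m.group(3)),
                              "state": m.group(5)})
                break
    return found


def diagnose(client_text, server_text):
    """Compare the ports used by initiator and responder (no clock correlation)."""
    c_lines, s_lines = unwrap(client_text), unwrap(server_text)
    c_pk, s_pk = packets(c_lines), packets(s_lines)

    # Index of the first client packet sent to UDP 4500 (NAT-T port float).
    float_idx = next((i for i, p in enumerate(c_pk)
                      if p["dir"] == "tx" and p["peer_port"] == 4500), None)
    floated = float_idx is not None
    late_rx = sorted({p["peer_port"] for p in c_pk[float_idx + 1:]
                      if p["dir"] == "rx"}) if floated else []

    attempts = []
    for line in s_lines:
        m = ATTEMPT.search(line)
        if m:
            attempts.append(int(m.group(1)))

    rx_4500 = sum(1 for p in s_pk if p["dir"] == "rx" and p["local_port"] == 4500)
    return {
        "nat_detected_by_client": any(NAT_SEEN in l for l in c_lines),
        "client_floated_to_4500": floated,
        "ports_client_still_hears_from": late_rx,
        "responder_tx_ports": sorted({p["local_port"] for p in s_pk if p["dir"] == "tx"}),
        "responder_rx_on_4500": rx_4500,
        "responder_retransmit_attempts": max(attempts, default=0),
        # True when the client moved to 4500 but the responder side shows only port 500.
        "float_unseen_by_responder": floated and rx_4500 == 0 and late_rx == [500],
    }


if __name__ == "__main__":
    for key, value in diagnose(CLIENT_LOG, SERVER_LOG).items():
        print(f"{key}: {value}")
```

When `float_unseen_by_responder` is true, the check to make is whether UDP 4500 toward R3 is translated and permitted by the firewall in front of it, alongside UDP 500.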

Hello Geoff,

The VPN is stuck in the extended authentication phase, where the username and password you configured are really used.

As per your client configuration, you have configured 'xauth userid mode interactive', so you have to give the following command manually to input your username and password on the client:

'crypto ipsec client ezvpn xauth'

If you wanted this to happen automatically, you have to change the client configuration as follows:

crypto ipsec client ezvpn Remote

peer 1.2.3.4 xauth userid mode local

Please let me know how it goes.

Harish

Thank you for all your help.

I cannot find the option to specify local authentication


r1(config-crypto-ezvpn)#xauth userid mode ?
  http-intercept  Intercept user's HTTP requests to prompt
  interactive     Prompt the user on the console

r1(config-crypto-ezvpn)#xauth userid mode

it is not configurable after the peer command

r1(config-crypto-ezvpn)#peer 193.128.190.33 ?

  default  Define this as the primary peer

 

using IOS ver c800-universalk9-mz.SPA.151-4.M4.bin

By adding the command username xxx password xxx under crypto ipsec client ezvpn Remote, the router has automatically added userid mode local to the config:

crypto ipsec client ezvpn Remote

connect auto

group easy_vpn_remote_groupname key xxxxxxx

mode network-extension

peer 193.128.190.33

username xxxxx password xxxxxx

xauth userid mode local

Alright, that's good then. So I hope we are done with the VPN. Please mark this as answered so that others can refer to it.

Regards

Harish.

Unfortunately, the connection is still failing with the new configuration.

s 3
*Oct 11 13:35:18.239: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 13 against pr
iority 3 policy
*Oct 11 13:35:18.239: ISAKMP: encryption 3DES-CBC
*Oct 11 13:35:18.239: ISAKMP: hash SHA
*Oct 11 13:35:18.239: ISAKMP: default group 2
*Oct 11 13:35:18.239: ISAKMP: auth XAUTHInitPreShared
*Oct 11 13:35:18.239: ISAKMP: life type in seconds
*Oct 11 13:35:18.239: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 11 13:35:18.239: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 69
mismatch
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245
mismatch
*Oct 11 13:35:18.275: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157
mismatch
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123
mismatch
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Oct 11 13:35:18.275: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID =
0
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 49
mismatch
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): claimed IOS but failed authentication
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 11 13:35:18.323: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Oct 11 13:35:18.327: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 11 13:35:18.327: ISAKMP:(0:1:SW:1):Old State = IKE_READY New State = IKE_R
_AM_AAA_AWAIT

*Oct 11 13:35:18.327: ISAKMP:(0:1:SW:1):SKEYID state generated
*Oct 11 13:35:18.327: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
*Oct 11 13:35:18.327: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authenticatio
n plus XAUTH using id type ID_IPV4_ADDR
*Oct 11 13:35:18.327: ISAKMP (0:134217729): ID payload
next-payload : 10
type : 1
address : 10.228.156.33
protocol : 0
port : 0
length : 12
*Oct 11 13:35:18.327: ISAKMP:(0:1:SW:1):Total payload length: 12
*Oct 11 13:35:18.331: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 11 13:35:18.331: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY
_REPLY
*Oct 11 13:35:18.331: ISAKMP:(0:1:SW:1):Old State = IKE_R_AM_AAA_AWAIT New Stat
e = IKE_R_AM2

R3#
R3#
R3#
R3#
*Oct 11 13:35:28.331: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Oct 11 13:35:28.331: ISAKMP (0:134217729): incrementing error counter on sa, at
tempt 1 of 5: retransmit phase 1
*Oct 11 13:35:28.331: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Oct 11 13:35:28.331: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
R3#

Hello Geoff,

That's bad. Now it looks like it's failing in Phase 1 itself, which we could pass before! Can you post the config again, or check yourself whether we have missed something compared to the previous one?

Harish.

I have eliminated R2 from the setup for the moment, to make sure that was not in the way, so R1 now has a different external address

R3#

aaa new-model
!
!
aaa authentication login VPN_xauth local
aaa authorization network VPN_group local
!
aaa session-id common
!
!
ip cef
!
!
ip name-server 10.203.2.10
ip name-server 10.203.3.10
!
!
voice-card 0
no dspfarm
!

username xxx privilege 15 password 0 xxx
archive
log config
  hidekeys
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group easy_vpn_remote_groupname
key xxxxx
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile remote-access
!
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list VPN_xauth
crypto map clientmap isakmp authorization list VPN_group
crypto map clientmap client configuration address respond     <--- this line is new
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 10.203.4.33 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.228.156.33 255.255.255.0
duplex full
speed 100
crypto map clientmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.228.156.254
ip route 10.0.0.0 255.0.0.0 10.203.4.254
!
!
ip http server
no ip http secure-server
!

control-plane
!

!
line con 0
line aux 0
line vty 0 4
exec-timeout 360 0
password xxx
!
scheduler allocate 20000 1000
!
end

R3#


r1#
r1#
r1#sh run
Building configuration...

Current configuration : 2066 bytes
!
! Last configuration change at 12:48:06 UTC Thu Oct 11 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
enable secret xxx!
no aaa new-model
crypto pki token default removal timeout 0
!
!
ip source-route
ip cef
!
!
!
!
ip dhcp pool client
network 10.153.100.0 255.255.255.0
default-router 10.153.100.1
dns-server 10.203.2.10
!
!
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn xxx!
!
username xxx privilege 15 password 0 xxx
!
!
!
!
controller VDSL 0
!
!
!
!
!
crypto ipsec client ezvpn Remote
connect auto
group easy_vpn_remote_groupname key xxx
mode network-extension
peer 193.128.190.33
username xxx password xxx
xauth userid mode local
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!

interface Vlan1
ip address 193.128.190.34 255.255.255.0
crypto ipsec client ezvpn Remote
!
interface Vlan2
ip address 10.153.100.1 255.255.255.0
crypto ipsec client ezvpn Remote inside
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip pim bidir-enable
ip route 0.0.0.0 0.0.0.0 193.128.190.1
ip route 193.128.190.33 255.255.255.255 Vlan1
!

!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

r1#

R1#

Hello Geoff,

The commands which I have provided are only required if you don't have the 'local' option in the client.

Since you set the userid local option, you can now safely remove 'save-password' and 'crypto map clientmap client configuration address respond' from the server.

Once you remove those, please remove and add the crypto map from both the client's and the server's interfaces.

regards

Harish

Following removal of those 2 commands from the server, and removing, then re-adding the crypto map from the interfaces:

        length       : 12
*Oct 11 14:17:09.203: ISAKMP:(0:1:SW:1):Total payload length: 12
*Oct 11 14:17:09.203: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
t 500 peer_port 500 (R) AG_INIT_EXCH
*Oct 11 14:17:09.203: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY
_REPLY
*Oct 11 14:17:09.203: ISAKMP:(0:1:SW:1):Old State = IKE_R_AM_AAA_AWAIT  New Stat
e = IKE_R_AM2

*Oct 11 14:17:19.203: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Oct 11 14:17:19.203: ISAKMP (0:134217729): incrementing error counter on sa, at
tempt 1 of 5: retransmit phase 1
*Oct 11 14:17:19.203: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Oct 11 14:17:19.203: ISAKMP:(0:1:SW:1): sending packet to 193.128.190.34 my_por
