10-28-2014 07:52 AM
Hi everybody,
I'm getting stuck with one of my configurations (Easy VPN Server).
Here is my configuration:
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local DHCP_VPN_Client
crypto isakmp xauth timeout 60
crypto isakmp client configuration group VictoriaIpsec
 key 6 _MSUQ[KP_Lg`Ii\dhfQTWLJQg`XgWPOiBE[YAAB
 dns 10.30.10.1 10.30.10.10
 wins 10.30.10.1 10.30.10.10
 domain victoria.local
 pool DHCP_VPN_Client
 acl SplitAClVPN
crypto ipsec transform-set MyEasy esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encapsulation
crypto dynamic-map Mymap 1
 set transform-set MyEasy
 reverse-route
crypto map VPN-TUNNEL client authentication list My_AUTHENT
crypto map VPN-TUNNEL isakmp authorization list VictoriaIpsec
crypto map VPN-TUNNEL client configuration address respond
crypto map VPN-TUNNEL 1 ipsec-isakmp dynamic Mymap
Here are some show commands:
RTBORDER_EDGE2#sh crypto map interface FastEthernet0/1.212
Crypto Map IPv4 "VPN-TUNNEL" 1 ipsec-isakmp
Dynamic map template tag: Mymap
Interfaces using crypto map VPN-TUNNEL:
FastEthernet0/1.212
Crypto Map IPv4 "VPN-TUNNEL" 1 ipsec-isakmp
Dynamic map template tag: Mymap
Interfaces using crypto map VPN-TUNNEL:
FastEthernet0/1.212
Pool Begin End Free In use Blocked
DHCP_VPN_Client 10.30.201.1 10.30.201.50 50 0 0
And also my AAA is working fine.
Here is the output from the debug:
Oct 28 15:11:21.139: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (N) NEW SA
*Oct 28 15:11:21.139: ISAKMP: Created a peer struct for 105.172.0.76, peer port 44189
*Oct 28 15:11:21.139: ISAKMP: New peer created peer = 0x4BF15664 peer_handle = 0x8000000B
*Oct 28 15:11:21.143: ISAKMP: Locking peer struct 0x4BF15664, refcount 1 for crypto_isakmp_process_block
*Oct 28 15:11:21.143: ISAKMP:(0):Setting client config settings 4B266074
*Oct 28 15:11:21.143: ISAKMP:(0):(Re)Setting client xauth list and state
*Oct 28 15:11:21.143: ISAKMP/xauth: initializing AAA request
*Oct 28 15:11:21.143: AAA/BIND(00000016): Bind i/f
*Oct 28 15:11:21.143: ISAKMP: local port 500, remote port 44189
*Oct 28 15:11:21.143: ISAKMP:(0):insert sa successfully sa = 4B582F54
*Oct 28 15:11:21.143: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 28 15:11:21.143: ISAKMP:(0): processing ID payload. message ID = 0
*Oct 28 15:11:21.143: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : VictoriaIpsec
protocol : 17
port : 500
length : 21
*Oct 28 15:11:21.143: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 28 15:11:21.143: ISAKMP:(0): processing vendor id payload
*Oct 28 15:11:21.143: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct 28 15:11:21.143: ISAKMP:(0): vendor ID is XAUTH
*Oct 28 15:11:21.143: ISAKMP:(0): processing vendor id payload
*Oct 28 15:11:21.143: ISAKMP:(0): vendor ID is DPD
*Oct 28 15:11:21.143: ISAKMP:(0): processing vendor id payload
*Oct 28 15:11:21.143: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 28 15:11:21.147: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 28 15:11:21.147: ISAKMP:(0): processing vendor id payload
*Oct 28 15:11:21.147: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 28 15:11:21.147: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 28 15:11:21.147: ISAKMP:(0): processing vendor id payload
*Oct 28 15:11:21.147: ISAKMP:(0): vendor ID is Unity
*Oct 28 15:11:21.147: ISAKMP:(0): Authentication by xauth preshared
*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 28 15:11:21.147: ISAKMP: encryption AES-CBC
*Oct 28 15:11:21.147: ISAKMP: hash SHA
*Oct 28 15:11:21.147: ISAKMP: default group 2
*Oct 28 15:11:21.147: ISAKMP: auth XAUTHInitPreShared
*Oct 28 15:11:21.147: ISAKMP: life type in seconds
*Oct 28 15:11:21.147: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 28 15:11:21.147: ISAKMP: keylength of 256
*Oct 28 15:11:21.147: ISAKMP:(0):Proposed key length does not match policy
*Oct 28 15:11:21.147: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 28 15:11:21.147: ISAKMP: encryption AES-CBC
*Oct 28 15:11:21.147: ISAKMP: hash MD5
*Oct 28 15:11:21.147: ISAKMP: default group 2
*Oct 28 15:11:21.147: ISAKMP: auth XAUTHInitPreShared
*Oct 28 15:11:21.147: ISAKMP: life type in seconds
*Oct 28 15:11:21.147: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 28 15:11:21.147: ISAKMP: keylength of 256
*Oct 28 15:11:21.147: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 28 15:11:21.147: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 28 15:11:21.147: ISAKMP: encryption AES-CBC
*Oct 28 15:11:21.147: ISAKMP: hash SHA
*Oct 28 15:11:21.147: ISAKMP: default group 2
*Oct 28 15:11:21.147: ISAKMP: auth pre-share
*Oct 28 15:11:21.147: ISAKMP: life type in seconds
*Oct 28 15:11:21.147: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 28 15:11:21.151: ISAKMP: keylength of 256
*Oct 28 15:11:21.151: ISAKMP:(0):Proposed key length does not match policy
*Oct 28 15:11:21.151: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 28 15:11:21.151: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 28 15:11:21.151: ISAKMP: encryption AES-CBC
*Oct 28 15:11:21.151: ISAKMP: hash MD5
*Oct 28 15:11:21.151: ISAKMP: default group 2
*Oct 28 15:11:21.151: ISAKMP: auth pre-share
*Oct 28 15:11:21.151: ISAKMP: life type in seconds
*Oct 28 15:11:21.151: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 28 15:11:21.151: ISAKMP: keylength of 256
*Oct 28 15:11:21.151: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 28 15:11:21.151: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 28 15:11:21.151: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 28 15:11:21.151: ISAKMP: encryption AES-CBC
*Oct 28 15:11:21.151: ISAKMP: hash SHA
*Oct 28 15:11:21.151: ISAKMP: default group 2
*Oct 28 15:11:21.151: ISAKMP: auth XAUTHInitPreShared
*Oct 28 15:11:21.151: ISAKMP: life type in seconds
*Oct 28 15:11:21.151: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 28 15:11:21.151: ISAKMP: keylength of 128
*Oct 28 15:11:21.151: ISAKMP:(0):atts are acceptable. Next payload is 3
*Oct 28 15:11:21.151: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 28 15:11:21.151: ISAKMP:(0):Acceptable atts:life: 0
*Oct 28 15:11:21.151: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 28 15:11:21.151: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Oct 28 15:11:21.151: ISAKMP:(0):Returning Actual lifetime: 86400
*Oct 28 15:11:21.151: ISAKMP:(0)::Started lifetime timer: 86400.
*Oct 28 15:11:21.151: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 28 15:11:21.203: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 28 15:11:21.203: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 28 15:11:21.203: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 28 15:11:21.203: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 105.172.0.76)
*Oct 28 15:11:21.203: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Oct 28 15:11:21.203: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 28 15:11:21.203: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Oct 28 15:11:21.207: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 105.172.0.76
RTBORDER_EDGE2#
*Oct 28 15:11:21.207: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 105.172.0.76)
*Oct 28 15:11:21.207: ISAKMP: Unlocking peer struct 0x4BF15664 for isadb_mark_sa_deleted(), count 0
*Oct 28 15:11:21.207: ISAKMP: Deleting peer node by peer_reap for 105.172.0.76: 4BF15664
*Oct 28 15:11:21.207: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 28 15:11:21.207: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
*Oct 28 15:11:21.207: IPSEC(key_engine): got a queue event with 1 KMI message(s)
RTBORDER_EDGE2#
*Oct 28 15:11:25.879: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (R) MM_NO_STATE
RTBORDER_EDGE2#
*Oct 28 15:11:33.347: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (R) MM_NO_STATE
RTBORDER_EDGE2#
*Oct 28 15:11:37.839: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (R) MM_NO_STATE
RTBORDER_EDGE2#
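An added example, not part of the original post: a small Python parser that condenses ISAKMP debug output in the format shown above into one record per offered transform (attributes, verdict, rejection reason) plus the SA teardown reason and state. The names `summarize` and `SAMPLE` are hypothetical, and the sample is a shortened excerpt of the lines posted above.

```python
import re

# Shortened excerpt of the debug output from the post (same line format).
SAMPLE = """\
*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 28 15:11:21.147: ISAKMP: encryption AES-CBC
*Oct 28 15:11:21.147: ISAKMP: hash SHA
*Oct 28 15:11:21.147: ISAKMP: keylength of 256
*Oct 28 15:11:21.147: ISAKMP:(0):Proposed key length does not match policy
*Oct 28 15:11:21.147: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 28 15:11:21.151: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 28 15:11:21.151: ISAKMP: encryption AES-CBC
*Oct 28 15:11:21.151: ISAKMP: hash SHA
*Oct 28 15:11:21.151: ISAKMP: keylength of 128
*Oct 28 15:11:21.151: ISAKMP:(0):atts are acceptable. Next payload is 3
*Oct 28 15:11:21.203: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 105.172.0.76)
"""

STAMP = re.compile(r"^\*?\w{3}\s+\d+\s+[\d:.]+:\s*")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(?:default )?(encryption|hash|group|auth|keylength)(?: of)?\s+(\S+)")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state (\(\w\) \w+)')

def summarize(text):
    """Return (transforms, teardown) parsed from ISAKMP debug output."""
    transforms, teardown, cur, prev = [], None, None, ""
    for raw in text.splitlines():
        msg = STAMP.sub("", raw.strip())
        if m := CHECK.search(msg):
            cur = {"transform": int(m[1]), "policy": int(m[2]), "attrs": {}}
            transforms.append(cur)
        elif cur and (m := ATTR.match(msg)):
            cur["attrs"][m[1]] = m[2]
        elif cur and "atts are not acceptable" in msg:
            # The reason, when logged, is the message just before the verdict.
            reason = "" if ATTR.match(prev) else prev.split("):", 1)[-1].strip()
            cur["verdict"], cur["reason"] = "rejected", reason
            cur = None
        elif cur and "atts are acceptable" in msg:
            cur["verdict"], cur = "accepted", None
        elif m := DELETE.search(msg):
            teardown = {"reason": m[1], "state": m[2]}
        prev = msg
    return transforms, teardown

if __name__ == "__main__":
    for t in summarize(SAMPLE)[0]:
        print(t)
    print(summarize(SAMPLE)[1])
```

Run over the full log above, this shows transforms 1 to 4 rejected and transform 5 (AES-CBC 128, SHA, group 2) accepted against the priority 1 policy, followed by the SA being deleted in state (R) AG_NO_STATE.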