Easy VPN Issue

Junior Mateus
Level 1

Hi everybody,

 

I'm getting stuck with one of my configurations (Easy VPN Server).

Here is my configuration:

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2


crypto isakmp client configuration address-pool local DHCP_VPN_Client
crypto isakmp xauth timeout 60
crypto isakmp client configuration group VictoriaIpsec
 key 6 _MSUQ[KP_Lg`Ii\dhfQTWLJQg`XgWPOiBE[YAAB
 dns 10.30.10.1 10.30.10.10
 wins 10.30.10.1 10.30.10.10
 domain victoria.local
 pool DHCP_VPN_Client
 acl SplitAClVPN

crypto ipsec transform-set MyEasy esp-3des esp-sha-hmac 
no crypto ipsec nat-transparency udp-encapsulation

crypto dynamic-map Mymap 1
 set transform-set MyEasy

reverse-route

 

crypto map VPN-TUNNEL client authentication list My_AUTHENT
crypto map VPN-TUNNEL isakmp authorization list VictoriaIpsec
crypto map VPN-TUNNEL client configuration address respond
crypto map VPN-TUNNEL 1 ipsec-isakmp dynamic Mymap 

 

 

Here are some show commands:

RTBORDER_EDGE2#sh crypto map interface FastEthernet0/1.212
Crypto Map IPv4 "VPN-TUNNEL" 1 ipsec-isakmp
        Dynamic map template tag: Mymap
        Interfaces using crypto map VPN-TUNNEL:
                FastEthernet0/1.212


Crypto Map IPv4 "VPN-TUNNEL" 1 ipsec-isakmp
        Dynamic map template tag: Mymap
        Interfaces using crypto map VPN-TUNNEL:
                FastEthernet0/1.212

 

 


 Pool                     Begin           End             Free  In use   Blocked
 DHCP_VPN_Client          10.30.201.1     10.30.201.50      50       0       0

 

And also my AAA is working fine.

 

Here is the output from the debug:

Oct 28 15:11:21.139: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (N) NEW SA

*Oct 28 15:11:21.139: ISAKMP: Created a peer struct for 105.172.0.76, peer port 44189

*Oct 28 15:11:21.139: ISAKMP: New peer created peer = 0x4BF15664 peer_handle = 0x8000000B

*Oct 28 15:11:21.143: ISAKMP: Locking peer struct 0x4BF15664, refcount 1 for crypto_isakmp_process_block

*Oct 28 15:11:21.143: ISAKMP:(0):Setting client config settings 4B266074

*Oct 28 15:11:21.143: ISAKMP:(0):(Re)Setting client xauth list  and state

*Oct 28 15:11:21.143: ISAKMP/xauth: initializing AAA request

*Oct 28 15:11:21.143: AAA/BIND(00000016): Bind i/f  

*Oct 28 15:11:21.143: ISAKMP: local port 500, remote port 44189

*Oct 28 15:11:21.143: ISAKMP:(0):insert sa successfully sa = 4B582F54

*Oct 28 15:11:21.143: ISAKMP:(0): processing SA payload. message ID = 0

*Oct 28 15:11:21.143: ISAKMP:(0): processing ID payload. message ID = 0

*Oct 28 15:11:21.143: ISAKMP (0): ID payload 

        next-payload : 13

        type         : 11 

        group id     : VictoriaIpsec 

        protocol     : 17 

        port         : 500 

        length       : 21

*Oct 28 15:11:21.143: ISAKMP:(0):: peer matches *none* of the profiles

*Oct 28 15:11:21.143: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.143: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

*Oct 28 15:11:21.143: ISAKMP:(0): vendor ID is XAUTH

*Oct 28 15:11:21.143: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.143: ISAKMP:(0): vendor ID is DPD

*Oct 28 15:11:21.143: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.143: ISAKMP:(0): processing IKE frag vendor id payload

*Oct 28 15:11:21.147: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Oct 28 15:11:21.147: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.147: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Oct 28 15:11:21.147: ISAKMP:(0): vendor ID is NAT-T v2

*Oct 28 15:11:21.147: ISAKMP:(0): processing vendor id payload

*Oct 28 15:11:21.147: ISAKMP:(0): vendor ID is Unity

*Oct 28 15:11:21.147: ISAKMP:(0): Authentication by xauth preshared

*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Oct 28 15:11:21.147: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.147: ISAKMP:      hash SHA

*Oct 28 15:11:21.147: ISAKMP:      default group 2

*Oct 28 15:11:21.147: ISAKMP:      auth XAUTHInitPreShared

*Oct 28 15:11:21.147: ISAKMP:      life type in seconds

*Oct 28 15:11:21.147: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.147: ISAKMP:      keylength of 256

*Oct 28 15:11:21.147: ISAKMP:(0):Proposed key length does not match policy

*Oct 28 15:11:21.147: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy

*Oct 28 15:11:21.147: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.147: ISAKMP:      hash MD5

*Oct 28 15:11:21.147: ISAKMP:      default group 2

*Oct 28 15:11:21.147: ISAKMP:      auth XAUTHInitPreShared

*Oct 28 15:11:21.147: ISAKMP:      life type in seconds

*Oct 28 15:11:21.147: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.147: ISAKMP:      keylength of 256

*Oct 28 15:11:21.147: ISAKMP:(0):Hash algorithm offered does not match policy!

*Oct 28 15:11:21.147: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 28 15:11:21.147: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy

*Oct 28 15:11:21.147: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.147: ISAKMP:      hash SHA

*Oct 28 15:11:21.147: ISAKMP:      default group 2

*Oct 28 15:11:21.147: ISAKMP:      auth pre-share

*Oct 28 15:11:21.147: ISAKMP:      life type in seconds

*Oct 28 15:11:21.147: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.151: ISAKMP:      keylength of 256

*Oct 28 15:11:21.151: ISAKMP:(0):Proposed key length does not match policy

*Oct 28 15:11:21.151: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 28 15:11:21.151: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy

*Oct 28 15:11:21.151: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.151: ISAKMP:      hash MD5

*Oct 28 15:11:21.151: ISAKMP:      default group 2

*Oct 28 15:11:21.151: ISAKMP:      auth pre-share

*Oct 28 15:11:21.151: ISAKMP:      life type in seconds

*Oct 28 15:11:21.151: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.151: ISAKMP:      keylength of 256

*Oct 28 15:11:21.151: ISAKMP:(0):Hash algorithm offered does not match policy!

*Oct 28 15:11:21.151: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 28 15:11:21.151: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy

*Oct 28 15:11:21.151: ISAKMP:      encryption AES-CBC

*Oct 28 15:11:21.151: ISAKMP:      hash SHA

*Oct 28 15:11:21.151: ISAKMP:      default group 2

*Oct 28 15:11:21.151: ISAKMP:      auth XAUTHInitPreShared

*Oct 28 15:11:21.151: ISAKMP:      life type in seconds

*Oct 28 15:11:21.151: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 

*Oct 28 15:11:21.151: ISAKMP:      keylength of 128

*Oct 28 15:11:21.151: ISAKMP:(0):atts are acceptable. Next payload is 3

*Oct 28 15:11:21.151: ISAKMP:(0):Acceptable atts:actual life: 86400

*Oct 28 15:11:21.151: ISAKMP:(0):Acceptable atts:life: 0

*Oct 28 15:11:21.151: ISAKMP:(0):Fill atts in sa vpi_length:4

*Oct 28 15:11:21.151: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483

*Oct 28 15:11:21.151: ISAKMP:(0):Returning Actual lifetime: 86400

*Oct 28 15:11:21.151: ISAKMP:(0)::Started lifetime timer: 86400.

 

*Oct 28 15:11:21.151: ISAKMP:(0): processing KE payload. message ID = 0

*Oct 28 15:11:21.203: ISAKMP:(0): processing NONCE payload. message ID = 0

*Oct 28 15:11:21.203: ISAKMP:(0): vendor ID is NAT-T v2

*Oct 28 15:11:21.203: ISAKMP:(0):peer does not do paranoid keepalives.

 

*Oct 28 15:11:21.203: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 105.172.0.76)

*Oct 28 15:11:21.203: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY

*Oct 28 15:11:21.203: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

*Oct 28 15:11:21.203: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY 

 

*Oct 28 15:11:21.207: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 105.172.0.76

RTBORDER_EDGE2#

*Oct 28 15:11:21.207: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 105.172.0.76) 

*Oct 28 15:11:21.207: ISAKMP: Unlocking peer struct 0x4BF15664 for isadb_mark_sa_deleted(), count 0

*Oct 28 15:11:21.207: ISAKMP: Deleting peer node by peer_reap for 105.172.0.76: 4BF15664

*Oct 28 15:11:21.207: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Oct 28 15:11:21.207: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA 

 

*Oct 28 15:11:21.207: IPSEC(key_engine): got a queue event with 1 KMI message(s)

RTBORDER_EDGE2#

*Oct 28 15:11:25.879: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (R) MM_NO_STATE

RTBORDER_EDGE2#

*Oct 28 15:11:33.347: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (R) MM_NO_STATE

RTBORDER_EDGE2#

*Oct 28 15:11:37.839: ISAKMP (0): received packet from 105.172.0.76 dport 500 sport 44189 Global (R) MM_NO_STATE

RTBORDER_EDGE2#

 

 

 

 

 

 

 

 
