04-19-2013 04:13 AM
Hi,
I have a remote vpn issue, see debug below please
Log Buffer (8126 bytes):
cking ISAKMP transform 1 against priority 10 policy
002008: *Apr 19 11:18:41.632: ISAKMP: encryption AES-CBC
002009: *Apr 19 11:18:41.632: ISAKMP: keylength of 256
002010: *Apr 19 11:18:41.632: ISAKMP: hash SHA
002011: *Apr 19 11:18:41.632: ISAKMP: unknown DH group 20
002012: *Apr 19 11:18:41.632: ISAKMP: auth RSA sig
002013: *Apr 19 11:18:41.632: ISAKMP: life type in seconds
002014: *Apr 19 11:18:41.632: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
002015: *Apr 19 11:18:41.632: ISAKMP:(0):Authentication method offered does not match policy!
002016: *Apr 19 11:18:41.632: ISAKMP:(0):atts are not acceptable. Next payload is 3
002017: *Apr 19 11:18:41.632: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
002018: *Apr 19 11:18:41.632: ISAKMP: encryption AES-CBC
002019: *Apr 19 11:18:41.632: ISAKMP: keylength of 128
002020: *Apr 19 11:18:41.632: ISAKMP: hash SHA
002021: *Apr 19 11:18:41.632: ISAKMP: unknown DH group 19
002022: *Apr 19 11:18:41.632: ISAKMP: auth RSA sig
002023: *Apr 19 11:18:41.632: ISAKMP: life type in seconds
002024: *Apr 19 11:18:41.632: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
002025: *Apr 19 11:18:41.632: ISAKMP:(0):Authentication method offered does not match policy!
002026: *Apr 19 11:18:41.632: ISAKMP:(0):atts are not acceptable. Next payload is 3
002027: *Apr 19 11:18:41.632: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
002028: *Apr 19 11:18:41.632: ISAKMP: encryption AES-CBC
002029: *Apr 19 11:18:41.632: ISAKMP: keylength of 256
002030: *Apr 19 11:18:41.632: ISAKMP: hash SHA
002031: *Apr 19 11:18:41.636: ISAKMP: default group 14
002032: *Apr 19 11:18:41.636: ISAKMP: auth RSA sig
002033: *Apr 19 11:18:41.636: ISAKMP: life type in seconds
002034: *Apr 19 11:18:41.636: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
002035: *Apr 19 11:18:41.636: ISAKMP:(0):Authentication method offered does not match policy!
002036: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 3
002037: *Apr 19 11:18:41.636: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
002038: *Apr 19 11:18:41.636: ISAKMP: encryption 3DES-CBC
002039: *Apr 19 11:18:41.636: ISAKMP: hash SHA
002040: *Apr 19 11:18:41.636: ISAKMP: default group 14
002041: *Apr 19 11:18:41.636: ISAKMP: auth RSA sig
002042: *Apr 19 11:18:41.636: ISAKMP: life type in seconds
002043: *Apr 19 11:18:41.636: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
002044: *Apr 19 11:18:41.636: ISAKMP:(0):Encryption algorithm offered does not match policy!
002045: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 3
002046: *Apr 19 11:18:41.636: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
002047: *Apr 19 11:18:41.636: ISAKMP: encryption 3DES-CBC
002048: *Apr 19 11:18:41.636: ISAKMP: hash SHA
002049: *Apr 19 11:18:41.636: ISAKMP: default group 2
002050: *Apr 19 11:18:41.636: ISAKMP: auth RSA sig
002051: *Apr 19 11:18:41.636: ISAKMP: life type in seconds
002052: *Apr 19 11:18:41.636: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
002053: *Apr 19 11:18:41.636: ISAKMP:(0):Encryption algorithm offered does not match policy!
002054: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 0
002055: *Apr 19 11:18:41.636: ISAKMP:(0):no offers accepted!
002056: *Apr 19 11:18:41.636: ISAKMP:(0): phase 1 SA policy not acceptable! (local 83.244.151.170 remote 81.140.63.222)
002057: *Apr 19 11:18:41.636: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
002058: *Apr 19 11:18:41.636: ISAKMP:(0): Failed to construct AG informational message.
002059: *Apr 19 11:18:41.636: ISAKMP:(0): sending packet to 81.140.63.222 my_port 500 peer_port 500 (R) MM_NO_STATE
002060: *Apr 19 11:18:41.636: ISAKMP:(0):Sending an IKE IPv4 Packet.
002061: *Apr 19 11:18:41.636: ISAKMP:(0):peer does not do paranoid keepalives.
002062: *Apr 19 11:18:41.636: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 81.140.63.222)
002063: *Apr 19 11:18:41.636: ISAKMP:(0): processing vendor id payload
002064: *Apr 19 11:18:41.640: ISAKMP:(0): processing IKE frag vendor id payload
002065: *Apr 19 11:18:41.640: ISAKMP:(0):Support for IKE Fragmentation not enabled
002066: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload
002067: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
002068: *Apr 19 11:18:41.640: ISAKMP (0): vendor ID is NAT-T RFC 3947
002069: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload
002070: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
002071: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID is NAT-T v2
002072: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload
002073: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
002074: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload
002075: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
002076: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload
002077: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
002078: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload
002079: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
002080: *Apr 19 11:18:41.640: ISAKMP (0): FSM action returned error: 2
002081: *Apr 19 11:18:41.640: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
002082: *Apr 19 11:18:41.640: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
002083: *Apr 19 11:18:41.640: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 81.140.63.222)
002084: *Apr 19 11:18:41.640: ISAKMP: Unlocking peer struct 0x843DC43C for isadb_mark_sa_deleted(), count 0
002085: *Apr 19 11:18:41.640: ISAKMP: Deleting peer node by peer_reap for 81.140.63.222: 843DC43C
002086: *Apr 19 11:18:41.640: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
002087: *Apr 19 11:18:41.640: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
002088: *Apr 19 11:18:41.640: IPSEC(key_engine): got a queue event with 1 KMI message(s)
002089: *Apr 19 11:18:41.640: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 81.140.63.222)
002090: *Apr 19 11:18:41.640: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
002091: *Apr 19 11:18:41.640: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
002092: *Apr 19 11:18:42.628: ISAKMP (0): received packet from 81.140.63.222 dport 500 sport 500 Global (R) MM_NO_STATE
002093: *Apr 19 11:18:45.628: ISAKMP (0): received packet from 81.140.63.222 dport 500 sport 500 Global (R) MM_NO_STATE
002094: *Apr 19 11:18:50.628: ISAKMP (0): received packet from 81.140.63.222 dport 500 sport 500 Global (R) MM_NO_STATE
002095: *Apr 19 11:30:25.672: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002096: *Apr 19 11:30:27.668: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002097: *Apr 19 11:30:30.668: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002098: *Apr 19 11:32:11.716: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002099: *Apr 19 11:32:13.716: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002100: *Apr 19 11:32:16.716: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002101: *Apr 19 11:34:31.592: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002102: *Apr 19 11:34:33.592: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002103: *Apr 19 11:34:36.592: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002104: *Apr 19 11:36:50.431: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002105: *Apr 19 11:36:51.427: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
002106: *Apr 19 11:36:54.427: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
GM-LAD-COR-IND-Test-rTr#
- the client is connected to 877W router provided just internet access,
- 1801 vpn config see attached
First time I am posting an issue here....your input would be appreciated
Thankyou
04-19-2013 06:30 AM
......
002015: *Apr 19 11:18:41.632: ISAKMP:(0):Authentication method offered does not match policy!
002016: *Apr 19 11:18:41.632: ISAKMP:(0):atts are not acceptable. Next payload is 3
....
002025: *Apr 19 11:18:41.632: ISAKMP:(0):Authentication method offered does not match policy!
002026: *Apr 19 11:18:41.632: ISAKMP:(0):atts are not acceptable. Next payload is 3
.....
002035: *Apr 19 11:18:41.636: ISAKMP:(0):Authentication method offered does not match policy!
002036: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 3
002037: *Apr 19 11:18:41.636: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
......
002045: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 3
002046: *Apr 19 11:18:41.636: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
......
002053: *Apr 19 11:18:41.636: ISAKMP:(0):Encryption algorithm offered does not match policy!
002054: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 0
Assuming you have the right crypto isakmp key <...> address <...> no-auth configured then it means the remote device does not have the same phase I policy.
04-24-2013 08:01 AM
Remote equipement is setup with IKEv2.
04-24-2013 08:42 AM
As far as I know, you will need to use the same ike version on both ends. try either change this one to use ikev2 or the remote site with ikev1.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide