
1801 Router Remote VPN Issue

GlobalDrawNoc
Level 1

Hi,

I have a remote VPN issue; please see the debug below.

Log Buffer (8126 bytes):

cking ISAKMP transform 1 against priority 10 policy

002008: *Apr 19 11:18:41.632: ISAKMP:      encryption AES-CBC

002009: *Apr 19 11:18:41.632: ISAKMP:      keylength of 256

002010: *Apr 19 11:18:41.632: ISAKMP:      hash SHA

002011: *Apr 19 11:18:41.632: ISAKMP:      unknown DH group 20

002012: *Apr 19 11:18:41.632: ISAKMP:      auth RSA sig

002013: *Apr 19 11:18:41.632: ISAKMP:      life type in seconds

002014: *Apr 19 11:18:41.632: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

002015: *Apr 19 11:18:41.632: ISAKMP:(0):Authentication method offered does not match policy!

002016: *Apr 19 11:18:41.632: ISAKMP:(0):atts are not acceptable. Next payload is 3

002017: *Apr 19 11:18:41.632: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy

002018: *Apr 19 11:18:41.632: ISAKMP:      encryption AES-CBC

002019: *Apr 19 11:18:41.632: ISAKMP:      keylength of 128

002020: *Apr 19 11:18:41.632: ISAKMP:      hash SHA

002021: *Apr 19 11:18:41.632: ISAKMP:      unknown DH group 19

002022: *Apr 19 11:18:41.632: ISAKMP:      auth RSA sig

002023: *Apr 19 11:18:41.632: ISAKMP:      life type in seconds

002024: *Apr 19 11:18:41.632: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

002025: *Apr 19 11:18:41.632: ISAKMP:(0):Authentication method offered does not match policy!

002026: *Apr 19 11:18:41.632: ISAKMP:(0):atts are not acceptable. Next payload is 3

002027: *Apr 19 11:18:41.632: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy

002028: *Apr 19 11:18:41.632: ISAKMP:      encryption AES-CBC

002029: *Apr 19 11:18:41.632: ISAKMP:      keylength of 256

002030: *Apr 19 11:18:41.632: ISAKMP:      hash SHA

002031: *Apr 19 11:18:41.636: ISAKMP:      default group 14

002032: *Apr 19 11:18:41.636: ISAKMP:      auth RSA sig

002033: *Apr 19 11:18:41.636: ISAKMP:      life type in seconds

002034: *Apr 19 11:18:41.636: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

002035: *Apr 19 11:18:41.636: ISAKMP:(0):Authentication method offered does not match policy!

002036: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 3

002037: *Apr 19 11:18:41.636: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy

002038: *Apr 19 11:18:41.636: ISAKMP:      encryption 3DES-CBC

002039: *Apr 19 11:18:41.636: ISAKMP:      hash SHA

002040: *Apr 19 11:18:41.636: ISAKMP:      default group 14

002041: *Apr 19 11:18:41.636: ISAKMP:      auth RSA sig

002042: *Apr 19 11:18:41.636: ISAKMP:      life type in seconds

002043: *Apr 19 11:18:41.636: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

002044: *Apr 19 11:18:41.636: ISAKMP:(0):Encryption algorithm offered does not match policy!

002045: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 3

002046: *Apr 19 11:18:41.636: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy

002047: *Apr 19 11:18:41.636: ISAKMP:      encryption 3DES-CBC

002048: *Apr 19 11:18:41.636: ISAKMP:      hash SHA

002049: *Apr 19 11:18:41.636: ISAKMP:      default group 2

002050: *Apr 19 11:18:41.636: ISAKMP:      auth RSA sig

002051: *Apr 19 11:18:41.636: ISAKMP:      life type in seconds

002052: *Apr 19 11:18:41.636: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

002053: *Apr 19 11:18:41.636: ISAKMP:(0):Encryption algorithm offered does not match policy!

002054: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 0

002055: *Apr 19 11:18:41.636: ISAKMP:(0):no offers accepted!

002056: *Apr 19 11:18:41.636: ISAKMP:(0): phase 1 SA policy not acceptable! (local 83.244.151.170 remote 81.140.63.222)

002057: *Apr 19 11:18:41.636: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

002058: *Apr 19 11:18:41.636: ISAKMP:(0): Failed to construct AG informational message.

002059: *Apr 19 11:18:41.636: ISAKMP:(0): sending packet to 81.140.63.222 my_port 500 peer_port 500 (R) MM_NO_STATE

002060: *Apr 19 11:18:41.636: ISAKMP:(0):Sending an IKE IPv4 Packet.

002061: *Apr 19 11:18:41.636: ISAKMP:(0):peer does not do paranoid keepalives.

002062: *Apr 19 11:18:41.636: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 81.140.63.222)

002063: *Apr 19 11:18:41.636: ISAKMP:(0): processing vendor id payload

002064: *Apr 19 11:18:41.640: ISAKMP:(0): processing IKE frag vendor id payload

002065: *Apr 19 11:18:41.640: ISAKMP:(0):Support for IKE Fragmentation not enabled

002066: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload

002067: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

002068: *Apr 19 11:18:41.640: ISAKMP (0): vendor ID is NAT-T RFC 3947

002069: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload

002070: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

002071: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID is NAT-T v2

002072: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload

002073: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch

002074: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload

002075: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch

002076: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload

002077: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch

002078: *Apr 19 11:18:41.640: ISAKMP:(0): processing vendor id payload

002079: *Apr 19 11:18:41.640: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch

002080: *Apr 19 11:18:41.640: ISAKMP (0): FSM action returned error: 2

002081: *Apr 19 11:18:41.640: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

002082: *Apr 19 11:18:41.640: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

002083: *Apr 19 11:18:41.640: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 81.140.63.222)

002084: *Apr 19 11:18:41.640: ISAKMP: Unlocking peer struct 0x843DC43C for isadb_mark_sa_deleted(), count 0

002085: *Apr 19 11:18:41.640: ISAKMP: Deleting peer node by peer_reap for 81.140.63.222: 843DC43C

002086: *Apr 19 11:18:41.640: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

002087: *Apr 19 11:18:41.640: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

002088: *Apr 19 11:18:41.640: IPSEC(key_engine): got a queue event with 1 KMI message(s)

002089: *Apr 19 11:18:41.640: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 81.140.63.222)

002090: *Apr 19 11:18:41.640: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR

002091: *Apr 19 11:18:41.640: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

002092: *Apr 19 11:18:42.628: ISAKMP (0): received packet from 81.140.63.222 dport 500 sport 500 Global (R) MM_NO_STATE

002093: *Apr 19 11:18:45.628: ISAKMP (0): received packet from 81.140.63.222 dport 500 sport 500 Global (R) MM_NO_STATE

002094: *Apr 19 11:18:50.628: ISAKMP (0): received packet from 81.140.63.222 dport 500 sport 500 Global (R) MM_NO_STATE

002095: *Apr 19 11:30:25.672: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002096: *Apr 19 11:30:27.668: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002097: *Apr 19 11:30:30.668: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002098: *Apr 19 11:32:11.716: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002099: *Apr 19 11:32:13.716: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002100: *Apr 19 11:32:16.716: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002101: *Apr 19 11:34:31.592: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002102: *Apr 19 11:34:33.592: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002103: *Apr 19 11:34:36.592: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002104: *Apr 19 11:36:50.431: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002105: *Apr 19 11:36:51.427: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

002106: *Apr 19 11:36:54.427: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!

GM-LAD-COR-IND-Test-rTr#

- The client is connected to an 877W router that provides just internet access.

- 1801 VPN config: see attached.

First time I am posting an issue here... your input would be appreciated.

Thank you

3 Replies

olpeleri
Cisco Employee

......

002015: *Apr 19 11:18:41.632: ISAKMP:(0):Authentication method offered does not match policy!

002016: *Apr 19 11:18:41.632: ISAKMP:(0):atts are not acceptable. Next payload is 3

....

002025: *Apr 19 11:18:41.632: ISAKMP:(0):Authentication method offered does not match policy!

002026: *Apr 19 11:18:41.632: ISAKMP:(0):atts are not acceptable. Next payload is 3

.....

002035: *Apr 19 11:18:41.636: ISAKMP:(0):Authentication method offered does not match policy!

002036: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 3

002037: *Apr 19 11:18:41.636: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy

......

002045: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 3

002046: *Apr 19 11:18:41.636: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy

......

002053: *Apr 19 11:18:41.636: ISAKMP:(0):Encryption algorithm offered does not match policy!

002054: *Apr 19 11:18:41.636: ISAKMP:(0):atts are not acceptable. Next payload is 0

Assuming you have the right crypto isakmp key <...> address <...> no-auth configured, then it means the remote device does not have the same phase I policy.

Remote equipment is set up with IKEv2.

As far as I know, you will need to use the same IKE version on both ends. Try either changing this one to use IKEv2 or the remote site to use IKEv1.
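
An added example, not part of the original thread: a small Python parser that groups this kind of `debug crypto isakmp` output by offered transform and records the one mismatch reason the router logs for each, which makes the phase 1 mismatch discussed above visible at a glance. The function name `summarize` and the result layout are assumptions; the sample is an excerpt of the lines posted above.

```python
import re

# Excerpt of the debug output posted above (trimmed; the first line is truncated there too).
SAMPLE = """\
cking ISAKMP transform 1 against priority 10 policy
002008: *Apr 19 11:18:41.632: ISAKMP:      encryption AES-CBC
002009: *Apr 19 11:18:41.632: ISAKMP:      keylength of 256
002011: *Apr 19 11:18:41.632: ISAKMP:      unknown DH group 20
002012: *Apr 19 11:18:41.632: ISAKMP:      auth RSA sig
002015: *Apr 19 11:18:41.632: ISAKMP:(0):Authentication method offered does not match policy!
002046: *Apr 19 11:18:41.636: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
002047: *Apr 19 11:18:41.636: ISAKMP:      encryption 3DES-CBC
002049: *Apr 19 11:18:41.636: ISAKMP:      default group 2
002050: *Apr 19 11:18:41.636: ISAKMP:      auth RSA sig
002053: *Apr 19 11:18:41.636: ISAKMP:(0):Encryption algorithm offered does not match policy!
002055: *Apr 19 11:18:41.636: ISAKMP:(0):no offers accepted!
002095: *Apr 19 11:30:25.672: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
"""

# The leading word "Checking" is not required, so a truncated first line still parses.
CHECK = re.compile(r"ISAKMP transform (\d+) against priority (\d+) policy")
ATTRS = {
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "keylength": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "dh_group": re.compile(r"ISAKMP:\s+(?:unknown DH|default) group (\d+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (.+?)\s*$"),
}
REJECT = re.compile(r"ISAKMP:\(\d+\):\s*(.+?) offered does not match policy!")

def summarize(log):
    """Group offered attributes per transform and record why each was rejected."""
    transforms, current, ikev2_drops, no_offers = [], None, 0, False
    for line in log.splitlines():
        if m := CHECK.search(line):
            current = {"transform": int(m[1]), "policy": int(m[2]), "rejected_on": None}
            transforms.append(current)
        elif "IKEv2 version 2 detected" in line:
            ikev2_drops += 1      # IKEv2 packets dropped by the dispatcher
        elif "no offers accepted" in line:
            no_offers, current = True, None
        elif current is not None:
            if m := REJECT.search(line):
                current["rejected_on"] = m[1]
            for name, rx in ATTRS.items():
                if m := rx.search(line):
                    current[name] = m[1]
    return {"transforms": transforms, "ikev2_drops": ikev2_drops, "no_offers_accepted": no_offers}
```

Run over the full log from the post, every transform shows `auth` as `RSA sig`, with transforms 1 to 3 rejected on the authentication method and 4 and 5 on the encryption algorithm.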