
Cisco 1812 no contact to Radius server

SindbyVejle
Level 1

Hi guys,

I'm pretty new to Cisco products, and am playing around with a 1812... I'm trying to set up an Easy VPN Server with RADIUS support, and as far as I can see I have done all tasks right, but there is a problem, because the router does not contact the RADIUS server, and the RADIUS server has been tested OK.

Can anyone see what I am missing? I have worked on this issue for 3 days now.

Here is my conf.

Current configuration : 9170 bytes

!

! Last configuration change at 13:44:49 UTC Tue Oct 12 2010

!

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

no logging buffered

!

aaa new-model

!

!

aaa group server radius sdm-vpn-server-group-1

server 90.0.0.245 auth-port 1645 acct-port 1646

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-250973313

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-250973313

revocation-check none

!

!

crypto pki certificate chain TP-self-signed-250973313

certificate self-signed 01


        quit

dot11 syslog

ip source-route

!

!

!

!

!

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

license udi pid CISCO1812/K9 sn FCZ10232108

username admin privilege 15 secret 5 $1$P677$Rggfdgt8MeD8letZDL08d/

!

!

!

class-map type inspect match-all sdm-nat-smtp-1

match access-group 101

match protocol smtp

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any sdm-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-insp-traffic

match class-map sdm-cls-insp-traffic

class-map type inspect match-any SDM-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any sdm-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-invalid-src

match access-group 100

class-map type inspect match-all sdm-icmp-access

match class-map sdm-cls-icmp-access

class-map type inspect match-all sdm-protocol-http

match protocol http

!

!

policy-map type inspect sdm-permit-icmpreply

class type inspect sdm-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat-smtp-1

  inspect

class class-default

  drop

policy-map type inspect sdm-inspect

class type inspect sdm-invalid-src

  drop log

class type inspect sdm-insp-traffic

  inspect

class type inspect sdm-protocol-http

  inspect

class type inspect SDM-Voice-permit

  inspect

class class-default

  pass

policy-map type inspect sdm-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class class-default

  drop

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security sdm-zp-self-out source self destination out-zone

service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group Sindby

key TheSommerOf03

dns 90.0.0.240 8.8.8.8

wins 90.0.0.240

domain SBYNET

pool SDM_POOL_2

max-users 15

netmask 255.255.255.0

crypto isakmp profile sdm-ike-profile-1

   match identity group Sindby

   client authentication list sdm_vpn_xauth_ml_1

   isakmp authorization list sdm_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA10

set isakmp-profile sdm-ike-profile-1

!

!

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet0

description $FW_OUTSIDE$

ip address 93.166.xxx.xxx 255.255.255.248

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

duplex auto

speed auto

!

interface FastEthernet1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet0

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Vlan1

description $FW_INSIDE$

ip address 90.0.0.190 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

ip local pool SDM_POOL_1 90.0.0.25 90.0.0.29

ip local pool SDM_POOL_2 90.0.0.75 90.0.0.90

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

!

!

ip nat inside source static tcp 192.168.1.200 25 interface FastEthernet0 25

ip nat inside source list 1 interface FastEthernet0 overload

ip route 0.0.0.0 0.0.0.0 93.166.xxx.xxx

!

ip access-list extended SDM_AH

remark SDM_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark SDM_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark SDM_ACL Category=1

permit ip any any

!

logging esm config

access-list 1 permit 90.0.0.0 0.0.0.255

access-list 100 remark SDM_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 93.166.xxx.xxx 0.0.0.7 any

access-list 101 remark SDM_ACL Category=0

access-list 101 permit ip any host 192.168.1.200

!

!

!

!

!

!

radius-server host 90.0.0.245 auth-port 1645 acct-port 1646

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

transport input telnet ssh

!

end


praprama
Cisco Employee

Hi,

Have you run a "test aaa authentication" to confirm the connectivity between the server and the router? Also, please enable "ip inspect log drop-pkt" prior to running the "test aaa authentication", so that you should be able to see syslogs pointing to packets dropped by the zone-based firewall configuration, if any.

Let me know how it goes!!

Thanks and Regards,

Prapanch

Hi Prapanch,

I have added the inspect line, and when I try to run the test, I issue this command:

Router#test aaa authentication radius host 90.0.0.245

                               ^

% Invalid input detected at '^' marker.

Is the command right? It seems there is something wrong.

Router#test aaa  authentication ?
  attrlist  aaa attribute list name

/Jesper

Hi Jesper,

The command actually is "test aaa group {group-name | radius} username password". I'm not really an expert in AAA.

Thanks and Regards,

Prapanch

Hi Prapanch,

I tried to test the aaa server, and this is what came out:

test aaa group radius ja@sbynet.local xxxxxx legacy

Attempting authentication test to server-group radius using radius

No authoritative response from any server.

Router#

*Oct 13 06:44:08.742: AAA: parse name= idb type=-1 tty=-1

*Oct 13 06:44:08.742: AAA/MEMORY: create_user (0x86BF6A18) user='ja@sbynet.local' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

*Oct 13 06:44:08.742: RADIUS: Pick NAS IP for u=0x86BF6A18 tableid=0 cfg_addr=0.0.0.0

*Oct 13 06:44:08.742: RADIUS: ustruct sharecount=1

*Oct 13 06:44:08.742: Radius: radius_port_info() success=0 radius_nas_port=1

*Oct 13 06:44:08.742: RADIUS/ENCODE: Best Local IP-Address 90.0.0.190 for Radius-Server 90.0.0.245

*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: No secret to encode request (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: Unable to encrypt (rctx:0x86C11688)

*Oct 13 06:44:08.742: RADIUS: No response from server

*Oct 13 06:44:08.742: AAA/MEMORY: free_user (0x86BF6A18) user='ja@sbynet.local' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

How do I see the log we activated before testing? (The inspect command? According to this I cannot see anything which has been blocked.)

I am 100% sure that the Radius server is working, because it works with another Zyxel router.

/Jesper

Hi,

It looks like you are missing the radius server key configuration "radius-server host 90.0.0.245 auth-port 1645 acct-port 1646 key your_key".

Thanks,

Wen
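Why a missing key stops the request before it leaves the router: the User-Password attribute of a RADIUS Access-Request is hidden with MD5 over the shared secret and the Request Authenticator (RFC 2865, section 5.2), so with no secret there is nothing to encode it with. The code below is an added example, not code from the thread; the function names, the secret and the password are constructed for illustration.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1       # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1       # attribute types (RFC 2865)
ATTR_USER_PASSWORD = 2


def _check(secret: bytes, authenticator: bytes) -> None:
    if not secret:
        # The condition the router logs as "No secret to encode request".
        raise ValueError("no shared secret configured for this RADIUS server")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: hide User-Password as in RFC 2865 section 5.2."""
    _check(secret, authenticator)
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()   # b_i = MD5(S + c_(i-1))
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password; only works with the same secret."""
    _check(secret, authenticator)
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return plain.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, authenticator=None):
    """Build a minimal Access-Request: header, authenticator, two attributes."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, user), (ATTR_USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


if __name__ == "__main__":
    ra = os.urandom(16)
    secret = b"constructed-shared-secret"      # constructed value
    hidden = hide_password(b"constructed-password", secret, ra)
    print("hidden  :", hidden.hex())
    print("revealed:", reveal_password(hidden, secret, ra))
    try:
        build_access_request(1, b"ja@sbynet.local", b"constructed-password", b"")
    except ValueError as exc:
        print("no key  :", exc)
```

The same secret has to be configured on both the router and the RADIUS server; a mismatch does not raise an error here, it simply makes the server recover a different password.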

wzhang,

Thank you very much, after adding the line, I am now able to successfully authenticate to the radius server...

/Jesper

I hoped that the VPN connection worked now, but I get this error when I try to connect now.

Do you know what is wrong here ?

*Oct 13 08:14:48.778: ISAKMP (0): received packet from xx.xxx.xx.xx dport 500 sport 13747 Global (N) NEW SA

*Oct 13 08:14:48.778: ISAKMP: Created a peer struct for xx.xxx.xx.xx, peer port 13747

*Oct 13 08:14:48.778: ISAKMP: New peer created peer = 0x86F84250 peer_handle = 0x80000013

*Oct 13 08:14:48.778: ISAKMP: Locking peer struct 0x86F84250, refcount 1 for crypto_isakmp_process_block

*Oct 13 08:14:48.778: ISAKMP: local port 500, remote port 13747

*Oct 13 08:14:48.778: ISAKMP:(0):insert sa successfully sa = 874C6244

*Oct 13 08:14:48.778: ISAKMP:(0): processing SA payload. message ID = 0

*Oct 13 08:14:48.778: ISAKMP:(0): processing ID payload. message ID = 0

*Oct 13 08:14:48.778: ISAKMP (0): ID payload

        next-payload : 13

        type         : 11

        group id     : sindby

        protocol     : 17

        port         : 500

        length       : 14

*Oct 13 08:14:48.778: ISAKMP:(0):: peer matches *none* of the profiles

*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload

*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID is XAUTH

*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload

*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID is DPD

*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload

*Oct 13 08:14:48.778: ISAKMP:(0): processing IKE frag vendor id payload

*Oct 13 08:14:48.778: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload

*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID is NAT-T v2

*Oct 13 08:14:48.778: ISAKMP:(0): processing vendor id payload

*Oct 13 08:14:48.778: ISAKMP:(0): vendor ID is Unity

*Oct 13 08:14:48.778: ISAKMP : Scanning profiles for xauth ... sdm-ike-profile-1

*Oct 13 08:14:48.778: ISAKMP:(0): Authentication by xauth preshared

*Oct 13 08:14:48.778: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Oct 13 08:14:48.778: ISAKMP:      encryption AES-CBC

*Oct 13 08:14:48.778: ISAKMP:      hash SHA

*Oct 13 08:14:48.778: ISAKMP:      default group 2

*Oct 13 08:14:48.778: ISAKMP:      auth XAUTHInitPreShared

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:      keylength of 256

*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption AES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash MD5

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth XAUTHInitPreShared

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:      keylength of 256

*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption AES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash SHA

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth pre-share

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:      keylength of 256

*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption AES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash MD5

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth pre-share

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:      keylength of 256

*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption AES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash SHA

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth XAUTHInitPreShared

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:      keylength of 128

*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption AES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash MD5

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth XAUTHInitPreShared

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:      keylength of 128

*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption AES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash SHA

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth pre-share

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:      keylength of 128

*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption AES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash MD5

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth pre-share

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:      keylength of 128

*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption 3DES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash SHA

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth XAUTHInitPreShared

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption 3DES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash MD5

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth XAUTHInitPreShared

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:(0):Hash algorithm offered does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption 3DES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash SHA

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth pre-share

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:(0):Preshared authentication offered but does not match policy!

*Oct 13 08:14:48.782: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy

*Oct 13 08:14:48.782: ISAKMP:      encryption 3DES-CBC

*Oct 13 08:14:48.782: ISAKMP:      hash MD5

*Oct 13 08:14:48.782: ISAKMP:      default group 2

*Oct 13 08:14:48.782: ISAKMP:      auth pre-share

*Oct 13 08:14:48.782: ISAKMP:      life type in seconds

*Oct 13 08:14:48.782: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.782: ISAKMP:(0):Hash algorithm offered does not match policy!

*Oct 13 08:14:48.786: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.786: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy

*Oct 13 08:14:48.786: ISAKMP:      encryption DES-CBC

*Oct 13 08:14:48.786: ISAKMP:      hash MD5

*Oct 13 08:14:48.786: ISAKMP:      default group 2

*Oct 13 08:14:48.786: ISAKMP:      auth XAUTHInitPreShared

*Oct 13 08:14:48.786: ISAKMP:      life type in seconds

*Oct 13 08:14:48.786: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.786: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.786: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Oct 13 08:14:48.786: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy

*Oct 13 08:14:48.786: ISAKMP:      encryption DES-CBC

*Oct 13 08:14:48.786: ISAKMP:      hash MD5

*Oct 13 08:14:48.786: ISAKMP:      default group 2

*Oct 13 08:14:48.786: ISAKMP:      auth pre-share

*Oct 13 08:14:48.786: ISAKMP:      life type in seconds

*Oct 13 08:14:48.786: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Oct 13 08:14:48.786: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Oct 13 08:14:48.786: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Oct 13 08:14:48.786: ISAKMP:(0):no offers accepted!

*Oct 13 08:14:48.786: ISAKMP:(0): phase 1 SA policy not acceptable! (local 93.166.138.93 remote xx.xxx.xx.xx)

*Oct 13 08:14:48.786: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

*Oct 13 08:14:48.786: ISAKMP:(0): Failed to construct AG informational message.

*Oct 13 08:14:48.786: ISAKMP:(0): sending packet to xx.xxx.xx.xx my_port 500 peer_port 13747 (R) AG_NO_STATE

*Oct 13 08:14:48.786: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Oct 13 08:14:48.786: ISAKMP:(0):peer does not do paranoid keepalives.

*Oct 13 08:14:48.786: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer xx.xxx.xx.xx)

*Oct 13 08:14:48.786: ISAKMP:(0): processing KE payload. message ID = 0

*Oct 13 08:14:48.786: ISAKMP:(0): group size changed! Should be 0, is 128

*Oct 13 08:14:48.786: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission

*Oct 13 08:14:48.786: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY

*Oct 13 08:14:48.786: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

*Oct 13 08:14:48.786: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

*Oct 13 08:14:48.786: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at xx.xxx.xx.xx

*Oct 13 08:14:48.786: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer xx.xxx.xx.xx)

*Oct 13 08:14:48.786: ISAKMP: Unlocking peer struct 0x86F84250 for isadb_mark_sa_deleted(), count 0

*Oct 13 08:14:48.786: ISAKMP: Deleting peer node by peer_reap for xx.xxx.xx.xx: 86F84250

*Oct 13 08:14:48.786: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Oct 13 08:14:48.786: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

/Jesper

Never mind guys.... I had a typo in the group profile name. It's working now.
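A small summariser for ISAKMP debug output in the format posted above, added here as an example and not part of any post in the thread: it lists each offered transform with the rejection reason the router reported, and puts the group id from the ID payload next to the "peer matches *none* of the profiles" line, the place to look when, as in this thread, the group name was mistyped. The function names are this example's own and the sample is abridged from the debug output in the thread.

```python
import re
from collections import Counter

# Abridged lines in the format of the ISAKMP debug output posted in the thread.
SAMPLE = """\
*Oct 13 08:14:48.778: ISAKMP (0): ID payload
        group id     : sindby
*Oct 13 08:14:48.778: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 13 08:14:48.778: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 13 08:14:48.778: ISAKMP:      encryption AES-CBC
*Oct 13 08:14:48.778: ISAKMP:      hash SHA
*Oct 13 08:14:48.778: ISAKMP:      auth XAUTHInitPreShared
*Oct 13 08:14:48.782: ISAKMP:      keylength of 256
*Oct 13 08:14:48.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP:      encryption 3DES-CBC
*Oct 13 08:14:48.782: ISAKMP:      hash SHA
*Oct 13 08:14:48.782: ISAKMP:      auth XAUTHInitPreShared
*Oct 13 08:14:48.782: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP:      encryption 3DES-CBC
*Oct 13 08:14:48.782: ISAKMP:      hash MD5
*Oct 13 08:14:48.782: ISAKMP:      auth XAUTHInitPreShared
*Oct 13 08:14:48.782: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 13 08:14:48.782: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct 13 08:14:48.782: ISAKMP:      encryption 3DES-CBC
*Oct 13 08:14:48.782: ISAKMP:      hash SHA
*Oct 13 08:14:48.782: ISAKMP:      auth pre-share
*Oct 13 08:14:48.782: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 13 08:14:48.786: ISAKMP:(0):no offers accepted!
"""

STAMP = re.compile(r"^\*\w{3}\s+\d+\s+[\d:.]+:\s*")
START = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
REJECT = re.compile(r"ISAKMP:\(\d+\):(.+?) offered(?: but)? does not match policy!")
GROUP_ID = re.compile(r"group id\s*:\s*(\S+)")
KEYS = {"default group": "group", "keylength of": "keylength"}


def summarize(log: str) -> dict:
    """Collect the peer's group id, profile match result and every offered transform."""
    out = {"group_id": None, "profile_matched": True, "accepted": True, "transforms": []}
    current = None
    for raw in log.splitlines():
        line = STAMP.sub("", raw.strip())
        if m := GROUP_ID.search(line):
            out["group_id"] = m.group(1)
        elif "matches *none* of the profiles" in line:
            out["profile_matched"] = False
        elif m := START.search(line):
            current = {"number": int(m.group(1)), "priority": int(m.group(2)), "reason": None}
            out["transforms"].append(current)
        elif current is not None and (m := ATTR.search(line)):
            current[KEYS.get(m.group(1), m.group(1))] = m.group(2)
        elif current is not None and (m := REJECT.search(line)):
            current["reason"] = m.group(1).strip()
        elif "no offers accepted" in line:
            out["accepted"] = False
    return out


def reason_counts(summary: dict) -> Counter:
    """How often each rejection reason was reported."""
    return Counter(t["reason"] for t in summary["transforms"] if t["reason"])


def auth_rejections(summary: dict) -> list:
    """Transforms whose reported reason concerns authentication, not cipher or hash."""
    return [t["number"] for t in summary["transforms"]
            if t["reason"] and "authentication" in t["reason"].lower()]


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("group id from peer:", s["group_id"], "| profile matched:", s["profile_matched"])
    print("reasons:", dict(reason_counts(s)))
    print("rejected on authentication:", auth_rejections(s))
```

The group id printed here is what the client sent, so it can be compared character for character with the group name in the router's ISAKMP profile and client configuration group.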
