
Cisco 2600 router as an IPSec client

adamfayaz
Level 1

Hello,

Currently I'm using Cisco VPN client software to connect to a remote IPSec server on the workstations.

I want to configure an IPSec client on a Cisco 2600 router which connects to the remote IPSec server, so the workstations can access the VPN subnet without using VPN software.

Can anyone guide me on how to configure an IPSec client on the router?

Thanks

1 Accepted Solution


Hi Adam,

Sorry for my late response, I am a bit ill.

I have checked the logs and did small repro. To me it looks like the server is not supporting NEM:

This is from VPN server with NEM disabled:

Nov 30 00:13:56 [IKEv1 DEBUG]: Group = gsa3mle3, Username = cisco, IP = 10.10.10.2, MODE_CFG: Received request for DHCP hostname for DDNS is: R1!

Nov 30 00:13:56 [IKEv1]: Group = gsa3mle3, Username = cisco, IP = 10.10.10.2, Hardware Client connection rejected!  Network Extension Mode is not allowed for this group!

On client:

*Mar  1 00:45:56.387: ISAKMP:(1007): sending packet to 10.10.10.13 my_port 500 peer_port 500 (I) CONF_ADDR   

*Mar  1 00:45:56.439: ISAKMP (0:1007): received packet from 10.10.10.13 dport 500 sport 500 Global (I) CONF_ADDR   

*Mar  1 00:45:56.439: DGVPN:crypt_iv after decrypt, sa:650BE464

7BCF116E8E4DFF6C

*Mar  1 00:45:56.443:

*Mar  1 00:45:56.443: ISAKMP: Information packet contents (flags 1, len 92):

*Mar  1 00:45:56.447:           HASH payload

*Mar  1 00:45:56.447:           DELETE payload

*Mar  1 00:45:56.459: ISAKMP: Information packet contents (flags 1, len 80):

*Mar  1 00:45:56.459:           HASH payload

*Mar  1 00:45:56.459:           DELETE payload

*Mar  1 00:45:56.459: DGVPN: crypt_iv after encrypt, sa:650BE464

Change it to client mode and try it.

Kind regards

Michal
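An added example (not part of the original thread and not Cisco tooling): a small Python triage of the debug markers that appear in this thread. It separates the phase 1 timeout from the post-XAUTH mode-config rejection that the accepted solution attributes to NEM being disallowed, and lists the legacy IKEv1 parameters visible in the client log. The function names and the marker-to-verdict mapping are assumptions drawn only from the logs posted here.

```python
import re

# Excerpts from the debug output posted in this thread; A.B.C.D is the
# poster's own placeholder for the peer address.
NEM_REJECT_LOG = """\
*Jan 19 14:32:34.584: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Jan 19 14:32:34.588: ISAKMP:(0:1:SW:1): beginning Aggressive Mode exchange
*Jan 19 14:32:34.868: ISAKMP:      encryption 3DES-CBC
*Jan 19 14:32:34.868: ISAKMP:      hash MD5
*Jan 19 14:32:34.868: ISAKMP:      default group 2
*Jan 19 14:32:35.766: ISAKMP:    XAUTH_STATUS_V2 XAUTH-OK
*Jan 19 14:32:36.050: ISAKMP:(0:1:SW:1): processing DELETE payload. message ID = 333504033
*Jan 19 14:32:36.054: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (I) CONF_ADDR     (peer A.B.C.D)
"""
P1_TIMEOUT_LOG = """\
.Jan 18 17:37:44.809: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer A.B.C.D)
.Jan 18 17:37:55.070: ISAKMP:(0:2:SW:1): retransmitting phase 1 AG_INIT_EXCH...
"""
# Server-side line quoted in the accepted solution.
SERVER_LOG = (
    "Nov 30 00:13:56 [IKEv1]: Group = gsa3mle3, Username = cisco, IP = 10.10.10.2, "
    "Hardware Client connection rejected!  Network Extension Mode is not allowed for this group!"
)

# 'deleting SA reason "<reason>" state (I) <IKE state>'
SA_DELETE = re.compile(r'deleting SA reason "([^"]*)" state \([IR]\) (\S+)')
# Attribute lines printed while a transform is checked against local policy.
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group)\s+(\S+)")
# Parameters that are deprecated for new deployments.
LEGACY = {("encryption", "3DES-CBC"), ("hash", "MD5"), ("default group", "2")}


def legacy_params(log):
    """Return the legacy IKEv1 parameters that appear in the debug output."""
    found = {m.groups() for m in ATTR.finditer(log)} & LEGACY
    flags = sorted(f"{name} {value}" for name, value in found)
    # Aggressive mode combined with a group pre-shared key is worth raising
    # with whoever operates the server.
    if "beginning Aggressive Mode exchange" in log and "pre-shared key" in log:
        flags.append("aggressive mode with pre-shared key")
    return flags


def triage(log):
    """Classify where an EzVPN attempt failed, as (stage, verdict)."""
    deletes = SA_DELETE.findall(log)  # [(reason, ike_state), ...]
    states = {state for _, state in deletes}
    xauth_ok = "XAUTH-OK" in log or "xauth status received: Success" in log

    # Server-side log states the cause outright.
    if "Network Extension Mode is not allowed" in log:
        return "mode-config", "server group rejects network-extension mode"
    # Client side: user authenticated, then the peer sent DELETE while the
    # client was waiting in CONF_ADDR (mode config).
    if "CONF_ADDR" in states and "processing DELETE payload" in log and xauth_ok:
        return "mode-config", "peer deleted the SA after XAUTH succeeded; try client mode"
    # Client side: first aggressive-mode packet never answered.
    if any("retransmission P1" in reason for reason, _ in deletes) \
            or "retransmitting phase 1" in log:
        return "phase1", "no answer to AG_INIT_EXCH; check outside interface and route"
    return "unknown", "no known failure marker found"


if __name__ == "__main__":
    for name, log in [("phase 1 attempt", P1_TIMEOUT_LOG),
                      ("second attempt", NEM_REJECT_LOG),
                      ("server side", SERVER_LOG)]:
        print(name, triage(log), legacy_params(log))
```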


20 Replies

Michal Maciejczak
Cisco Employee

Hi Adam,

Have a look there:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml

Config for this router - Easy VPN Remote (Cisco 871W Router)

You will have to choose the best mode for you. In your case, if workstations want to access subnets behind the router, NEM is what you need - more details here:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/12-4t/sec-easy-vpn-rem.html#GUID-2AB2FB74-4811-4C25-9B79-B5B18987FB11

I hope this helps

Michal

I will check the Easy VPN

Rudy Sanjoko
Level 4

Which VPN are you currently using to connect to the server? Depending on the VPN type that you choose, it might require you to make some changes on the IPSec server. Are there any other routers connected to the IPSec server? If you just need to connect the 2600 to the server and no other routers are involved, then I recommend you use site-to-site VPN, as it is easier to configure and no VPN client software is needed, but of course it's not flexible.

Currently I use Cisco VPN Client software on each workstation. Since the IPSec server is managed by another provider, there is no way I can change settings on the IPSec server.

Hi Adam,

Sorry for misunderstanding, you said before:

Currently I'm using Cisco VPN client software to connect to a remote IPSec server on the workstations.

I assumed you have this VPN server installed on a workstation and you need the Cisco router to be a VPN client and connect there.

If you are not managing the VPN server it might be difficult to achieve it.

Another way is to use the same VPN client software on your workstations and connect it directly to the Cisco router and apply a SPLIT ACL on that VPN.

Kind regards

Michal

I assume your scenario as follow (correct me if I'm wrong):

WS#01 ------|
...         |------ 2600 ------- cloud ------- server
WS#20 ------|

Then it is better to configure site-to-site VPN on your 2600 router. You will need to get the ISAKMP policy parameters from your server and configure them on your 2600 to match the IPSec server's policy, then configure split tunneling to allow only permitted traffic through the VPN tunnel. This way, if the workstations try to access the resources on the server, they will go through the VPN tunnel.

Hi Rudy,

If this is the scenario then my first answer is correct.

Kind regards

Michal

Hi Michal, the difference is that Adam has no control over the server; because of this, it is a lot easier if he uses s2s VPN. What do you think?

Hi Rudy,

That is why most likely he won't be able to set up L2L tunnel.

With Cisco EzVPN client on IOS, you can choose the mode (in this case I would try NEM) and also you can specify acl for SA establishment (also could be tried in this example).

Kind regards
Michal

That's the correct scenario. I'm trying with EzVPN. Here is my config. Peer address has been replaced with A.B.C.D

crypto ipsec client ezvpn mle3gsa
 connect auto
 group gsa3mle3 key GROUPKEY
 mode network-extension
 peer A.B.C.D
 xauth userid mode interactive
!
interface Loopback0
 ip address 10.236.164.19 255.255.0.0
 crypto ipsec client ezvpn mle3gsa
!
interface FastEthernet0/0
 ip address 192.168.101.12 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn mle3gsa inside
!

It doesn't seem to be completing phase 1. Here is the terminal log

.Jan 18 17:37:44.809: EZVPN(mle3gsa): Attempting to connect to peer A.B.C.D

.Jan 18 17:37:44.809: EZVPN(mle3gsa): New State: CONNECT_REQUIRED

.Jan 18 17:37:44.809: ISAKMP:(0:1:SW:1):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer A.B.C.D)

.Jan 18 17:37:44.813: ISAKMP: Unlocking IKE struct 0x84D8E2DC for isadb_mark_sa_deleted(), count 0

.Jan 18 17:37:44.813: ISAKMP: Deleting peer node by peer_reap for A.B.C.D: 84D8E2DC

.Jan 18 17:37:44.813: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

.Jan 18 17:37:44.813: ISAKMP:(0:1:SW:1):Old State = IKE_I_AM1  New State = IKE_DEST_SA

.Jan 18 17:37:44.817: IPSEC(key_engine): got a queue event with 1 kei messages

.Jan 18 17:37:44.817: EZVPN(mle3gsa): Current State: CONNECT_REQUIRED

.Jan 18 17:37:44.817: EZVPN(mle3gsa): Event: CONNECT

.Jan 18 17:37:44.817: EZVPN(mle3gsa): ezvpn_connect_request

.Jan 18 17:37:44.821: EZVPN(mle3gsa): Found valid peer A.B.C.D

.Jan 18 17:37:44.821: EZVPN(mle3gsa): Added PSK for address A.B.C.D

.Jan 18 17:37:44.821: ISAKMP: Created a peer struct for A.B.C.D, peer port 500

.Jan 18 17:37:44.821: del_node src 10.236.164.19:500 dst A.B.C.D:500 fvrf 0x0, ivrf 0x0

.Jan 18 17:37:44.821: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

.Jan 18 17:37:44.825: EZVPN(mle3gsa): New State: READY

.Jan 18 17:37:44.825: IPSEC(key_engine): got a queue event with 1 kei messages

.Jan 18 17:37:44.825: ISAKMP: received ke message (1/1)

.Jan 18 17:37:44.829: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

.Jan 18 17:37:44.829: ISAKMP: Found a peer struct for A.B.C.D, peer port 500

.Jan 18 17:37:44.829: ISAKMP: Locking peer struct 0x84D8E2DC, IKE refcount 1 for isakmp_initiator

.Jan 18 17:37:44.829: ISAKMP:(0:0:N/A:0):Setting client config settings 8577307C

.Jan 18 17:37:44.829: ISAKMP: local port 500, remote port 500

.Jan 18 17:37:44.829: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 854B8900

.Jan 18 17:37:44.833: ISAKMP:(0:0:N/A:0): client mode configured.

.Jan 18 17:37:44.837: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

.Jan 18 17:37:44.837: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

.Jan 18 17:37:44.837: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

.Jan 18 17:37:45.058: EZVPN(mle3gsa): Current State: READY

.Jan 18 17:37:45.058: EZVPN(mle3gsa): Event: CONN_DOWN

.Jan 18 17:37:45.058: EZVPN(mle3gsa): event CONN_DOWN is not for us, ignoring (41:40)

.Jan 18 17:37:45.062: ISKAMP: growing send buffer from 1024 to 3072

.Jan 18 17:37:45.062: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID

.Jan 18 17:37:45.062: ISAKMP (0:134217730): ID payload

        next-payload : 13

        type         : 11

        group id     : gsa3mle3

        protocol     : 17

        port         : 0

        length       : 16

.Jan 18 17:37:45.062: ISAKMP:(0:2:SW:1):Total payload length: 16

.Jan 18 17:37:45.066: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM

.Jan 18 17:37:45.066: ISAKMP:(0:2:SW:1):Old State = IKE_READY  New State = IKE_I_AM1

.Jan 18 17:37:45.066: ISAKMP:(0:2:SW:1): beginning Aggressive Mode exchange

.Jan 18 17:37:45.066: ISAKMP:(0:2:SW:1): sending packet to A.B.C.D my_port 500 peer_port 500 (I) AG_INIT_EXCH

.Jan 18 17:37:55.070: ISAKMP:(0:2:SW:1): retransmitting phase 1 AG_INIT_EXCH...

.Jan 18 17:37:55.070: ISAKMP (0:134217730): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

.Jan 18 17:37:55.070: ISAKMP:(0:2:SW:1): retransmitting phase 1 AG_INIT_EXCH

Something wrong with my config?

Thanks

Michal Maciejczak
Cisco Employee

Hi Adam,
You applied it to the lo0 interface. Is it your outgoing interface? And workstations are behind fa0/0?

Could you please provide sh ip route output.

Kind regards

Michal

Hi Michal,

Yes, Lo0 is outgoing interface and workstations are behind fa0/0.

Here is the sh ip route output

Gateway of last resort is 192.168.101.1 to network 0.0.0.0

     10.0.0.0/16 is subnetted, 1 subnets

C       10.236.0.0 is directly connected, Loopback0

C    192.168.101.0/24 is directly connected, FastEthernet0/0

S*   0.0.0.0/0 [1/0] via 192.168.101.1

Thanks

Hi Adam,

Sorry for my late response.

I can see that the default route is via the fa0/0 interface and it is also your "inside" interface:

interface FastEthernet0/0
 crypto ipsec client ezvpn mle3gsa inside

I understand that you are accessing your peer A.B.C.D via fa0/0; in this case you have to use it as the outside interface for EzVPN.
Could you please advise on which interface you have your workstations connected?

Also do you only use group authentication, what about user?

Kind regards

Michal

Hi Michal,

I have changed the configuration, now it goes to phase 2 and some problem occurs. Here is the config

crypto ipsec client ezvpn mle3gsa
 connect manual
 group gsa3mle3 key GROUPKEY
 mode network-extension
 peer A.B.C.D
 username USERNAME password PASSWORD
 xauth userid mode interactive
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 192.168.50.60 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn mle3gsa inside
!
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 192.168.101.12 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto ipsec client ezvpn mle3gsa
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.101.1
!

fa0/0.50 is the inside interface the workstations are connected to.

fa0/0.101 is the outside interface.

Here is the log

*Jan 19 14:32:34.339: EZVPN(mle3gsa): nulling context

*Jan 19 14:32:34.339: ISAKMP:isadb_key_addr_delete: no key for address A.B.C.D  (NULL root)

*Jan 19 14:32:34.339: EZVPN(mle3gsa): Deleted PSK for address A.B.C.D

*Jan 19 14:32:34.343: EZVPN(mle3gsa): Current State: CONNECT_REQUIRED

*Jan 19 14:32:34.343: EZVPN(mle3gsa): Event: CONNECT

*Jan 19 14:32:34.343: EZVPN(mle3gsa): ezvpn_connect_request

*Jan 19 14:32:34.343: EZVPN(mle3gsa): Found valid peer A.B.C.D

*Jan 19 14:32:34.347: EZVPN(mle3gsa): Added PSK for address A.B.C.D

*Jan 19 14:32:34.347: ISAKMP: Created a peer struct for A.B.C.D, peer port 500

*Jan 19 14:32:34.347: EZVPN(mle3gsa): New State: READY

*Jan 19 14:32:34.351: ISAKMP: received ke message (1/1)

*Jan 19 14:32:34.351: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

*Jan 19 14:32:34.351: ISAKMP: Found a peer struct for A.B.C.D, peer port 500

*Jan 19 14:32:34.351: ISAKMP: Locking peer struct 0x85A97494, IKE refcount 1 for isakmp_initiator

*Jan 19 14:32:34.355: ISAKMP:(0:0:N/A:0):Setting client config settings 85975BF0

*Jan 19 14:32:34.355: ISAKMP: local port 500, remote port 500

*Jan 19 14:32:34.355: insert sa successfully sa = 859754DC

*Jan 19 14:32:34.355: ISAKMP:(0:0:N/A:0): client mode configured.

*Jan 19 14:32:34.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

*Jan 19 14:32:34.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

*Jan 19 14:32:34.359: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

*Jan 19 14:32:34.584: ISKAMP: growing send buffer from 1024 to 3072

*Jan 19 14:32:34.584: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID

*Jan 19 14:32:34.584: ISAKMP (0:134217729): ID payload

#011next-payload : 13

#011type         : 11

#011group id     : gsa3mle3

#011protocol     : 17

#011port         : 0

#011length       : 16

*Jan 19 14:32:34.584: ISAKMP:(0:1:SW:1):Total payload length: 16

*Jan 19 14:32:34.588: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM

*Jan 19 14:32:34.588: ISAKMP:(0:1:SW:1):Old State = IKE_READY  New State = IKE_I_AM1

*Jan 19 14:32:34.588: ISAKMP:(0:1:SW:1): beginning Aggressive Mode exchange

*Jan 19 14:32:34.592: ISAKMP:(0:1:SW:1): sending packet to A.B.C.D my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Jan 19 14:32:34.856: ISAKMP (0:134217729): received packet from A.B.C.D dport 500 sport 500 Global (I) AG_INIT_EXCH

*Jan 19 14:32:34.860: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 0

*Jan 19 14:32:34.860: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0

*Jan 19 14:32:34.860: ISAKMP (0:134217729): ID payload

#011next-payload : 8

#011type         : 1

#011address      : A.B.C.D

#011protocol     : 17

#011port         : 0

#011length       : 12

*Jan 19 14:32:34.860: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles

*Jan 19 14:32:34.864: ISAKMP:(0:1:SW:1): processing vendor id payload

*Jan 19 14:32:34.864: ISAKMP:(0:1:SW:1): vendor ID is Unity

*Jan 19 14:32:34.864: ISAKMP:(0:1:SW:1): processing vendor id payload

*Jan 19 14:32:34.864: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 215 mismatch

*Jan 19 14:32:34.864: ISAKMP:(0:1:SW:1): vendor ID is XAUTH

*Jan 19 14:32:34.864: ISAKMP:(0:1:SW:1): processing vendor id payload

*Jan 19 14:32:34.864: ISAKMP:(0:1:SW:1): vendor ID is DPD

*Jan 19 14:32:34.868: ISAKMP:(0:1:SW:1): local preshared key found

*Jan 19 14:32:34.868: ISAKMP : Scanning profiles for xauth ...

*Jan 19 14:32:34.868: ISAKMP:(0:1:SW:1): Authentication by xauth preshared

*Jan 19 14:32:34.868: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 14 against priority 65515 policy

*Jan 19 14:32:34.868: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.868: ISAKMP:      hash MD5

*Jan 19 14:32:34.868: ISAKMP:      default group 2

*Jan 19 14:32:34.868: ISAKMP:      auth XAUTHInitPreShared

*Jan 19 14:32:34.868: ISAKMP:      life type in seconds

*Jan 19 14:32:34.872: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Jan 19 14:32:34.872: ISAKMP:(0:1:SW:1):Encryption algorithm offered does not match policy!

*Jan 19 14:32:34.872: ISAKMP:(0:1:SW:1):atts are not acceptable. Next payload is 0

*Jan 19 14:32:34.872: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 14 against priority 65516 policy

*Jan 19 14:32:34.872: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.872: ISAKMP:      hash MD5

*Jan 19 14:32:34.872: ISAKMP:      default group 2

*Jan 19 14:32:34.872: ISAKMP:      auth XAUTHInitPreShared

*Jan 19 14:32:34.876: ISAKMP:      life type in seconds

*Jan 19 14:32:34.876: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Jan 19 14:32:34.876: ISAKMP:(0:1:SW:1):Encryption algorithm offered does not match policy!

*Jan 19 14:32:34.876: ISAKMP:(0:1:SW:1):atts are not acceptable. Next payload is 0

*Jan 19 14:32:34.876: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 14 against priority 65517 policy

*Jan 19 14:32:34.876: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.876: ISAKMP:      hash MD5

*Jan 19 14:32:34.876: ISAKMP:      default group 2

*Jan 19 14:32:34.880: ISAKMP:      auth XAUTHInitPreShared

*Jan 19 14:32:34.880: ISAKMP:      life type in seconds

*Jan 19 14:32:34.880: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Jan 19 14:32:34.880: ISAKMP:(0:1:SW:1):Encryption algorithm offered does not match policy!

*Jan 19 14:32:34.880: ISAKMP:(0:1:SW:1):atts are not acceptable. Next payload is 0

*Jan 19 14:32:34.880: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 14 against priority 65518 policy

*Jan 19 14:32:34.880: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.880: ISAKMP:      hash MD5

*Jan 19 14:32:34.884: ISAKMP:      default group 2

*Jan 19 14:32:34.884: ISAKMP:      auth XAUTHInitPreShared

*Jan 19 14:32:34.884: ISAKMP:      life type in seconds

*Jan 19 14:32:34.884: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Jan 19 14:32:34.884: ISAKMP:(0:1:SW:1):Encryption algorithm offered does not match policy!

*Jan 19 14:32:34.884: ISAKMP:(0:1:SW:1):atts are not acceptable. Next payload is 0

*Jan 19 14:32:34.884: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 14 against priority 65519 policy

*Jan 19 14:32:34.884: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.888: ISAKMP:      hash MD5

*Jan 19 14:32:34.888: ISAKMP:      default group 2

*Jan 19 14:32:34.888: ISAKMP:      auth XAUTHInitPreShared

*Jan 19 14:32:34.888: ISAKMP:      life type in seconds

*Jan 19 14:32:34.888: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Jan 19 14:32:34.888: ISAKMP:(0:1:SW:1):Encryption algorithm offered does not match policy!

*Jan 19 14:32:34.888: ISAKMP:(0:1:SW:1):atts are not acceptable. Next payload is 0

*Jan 19 14:32:34.888: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 14 against priority 65520 policy

*Jan 19 14:32:34.892: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.892: ISAKMP:      hash MD5

*Jan 19 14:32:34.892: ISAKMP:      default group 2

*Jan 19 14:32:34.892: ISAKMP:      auth XAUTHInitPreShared

*Jan 19 14:32:34.892: ISAKMP:      life type in seconds

*Jan 19 14:32:34.892: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Jan 19 14:32:34.892: ISAKMP:(0:1:SW:1):Encryption algorithm offered does not match policy!

*Jan 19 14:32:34.892: ISAKMP:(0:1:SW:1):atts are not acceptable. Next payload is 0

*Jan 19 14:32:34.896: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 14 against priority 65521 policy

*Jan 19 14:32:34.896: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.896: ISAKMP:      hash MD5

*Jan 19 14:32:34.896: ISAKMP:      default group 2

*Jan 19 14:32:34.896: ISAKMP:      auth XAUTHInitPreShared

*Jan 19 14:32:34.896: ISAKMP:      life type in seconds

*Jan 19 14:32:34.896: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Jan 19 14:32:34.896: ISAKMP:(0:1:SW:1):Encryption algorithm offered does not match policy!

*Jan 19 14:32:34.896: ISAKMP:(0:1:SW:1):atts are not acceptable. Next payload is 0

*Jan 19 14:32:34.900: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 14 against priority 65522 policy

*Jan 19 14:32:34.900: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.900: ISAKMP:      hash MD5

*Jan 19 14:32:34.900: ISAKMP:      default group 2

*Jan 19 14:32:34.900: ISAKMP:      auth XAUTHInitPreShared

*Jan 19 14:32:34.900: ISAKMP:      life type in seconds

*Jan 19 14:32:34.900: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Jan 19 14:32:34.900: ISAKMP:(0:1:SW:1):Encryption algorithm offered does not match policy!

*Jan 19 14:32:34.900: ISAKMP:(0:1:SW:1):atts are not acceptable. Next payload is 0

*Jan 19 14:32:34.900: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 14 against priority 65523 policy

*Jan 19 14:32:35.217: EZVPN(mle3gsa): Event: IKE_PFS

*Jan 19 14:32:35.217: EZVPN(mle3gsa): No state change

*Jan 19 14:32:35.233: ISAKMP:(0:1:SW:1):Need XAUTH

*Jan 19 14:32:35.233: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Jan 19 14:32:35.233: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jan 19 14:32:35.237: EZVPN(mle3gsa): Current State: READY

*Jan 19 14:32:35.237: EZVPN(mle3gsa): Event: CONN_UP

*Jan 19 14:32:35.237: EZVPN(mle3gsa): ezvpn_conn_up B4BF1C50 7BE01529 1CC514E6 686E1594

*Jan 19 14:32:35.237: EZVPN(mle3gsa): No state change

*Jan 19 14:32:35.469: ISAKMP (0:134217729): received packet from A.B.C.D dport 4500 sport 4500 Global (I) CONF_XAUTH

*Jan 19 14:32:35.473: ISAKMP: set new node 1453684845 to CONF_XAUTH

*Jan 19 14:32:35.473: ISAKMP:(0:1:SW:1):processing transaction payload from A.B.C.D. message ID = 1453684845

*Jan 19 14:32:35.473: ISAKMP: Config payload REQUEST

*Jan 19 14:32:35.477: ISAKMP:(0:1:SW:1):checking request:

*Jan 19 14:32:35.477: ISAKMP:    XAUTH_TYPE_V2

*Jan 19 14:32:35.477: ISAKMP:    XAUTH_USER_NAME_V2

*Jan 19 14:32:35.477: ISAKMP:    XAUTH_USER_PASSWORD_V2

*Jan 19 14:32:35.477: ISAKMP:(0:1:SW:1):Xauth process request

*Jan 19 14:32:35.477: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

*Jan 19 14:32:35.477: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REPLY_AWAIT

*Jan 19 14:32:35.481: EZVPN(mle3gsa): Current State: READY

*Jan 19 14:32:35.481: EZVPN(mle3gsa): Event: XAUTH_REQUEST

*Jan 19 14:32:35.481: EZVPN(mle3gsa): ezvpn_xauth_request

*Jan 19 14:32:35.481: EZVPN(mle3gsa): ezvpn_parse_xauth_msg

*Jan 19 14:32:35.481: EZVPN: Attributes sent in xauth request message:

*Jan 19 14:32:35.481:         XAUTH_TYPE_V2(mle3gsa): 0

*Jan 19 14:32:35.481:         XAUTH_USER_NAME_V2(mle3gsa):

*Jan 19 14:32:35.481:         XAUTH_USER_PASSWORD_V2(mle3gsa):

*Jan 19 14:32:35.481: EZVPN(mle3gsa): send saved username USERNAME and password

*Jan 19 14:32:35.485: EZVPN(mle3gsa): New State: XAUTH_REQ

*Jan 19 14:32:35.485: EZVPN(mle3gsa): Current State: XAUTH_REQ

*Jan 19 14:32:35.485: EZVPN(mle3gsa): Event: XAUTH_REQ_INFO_READY

*Jan 19 14:32:35.485: EZVPN(mle3gsa): ezvpn_xauth_reply

*Jan 19 14:32:35.485:         XAUTH_TYPE_V2(mle3gsa): 0

*Jan 19 14:32:35.489:         XAUTH_USER_NAME_V2(mle3gsa): USERNAME

*Jan 19 14:32:35.489:         XAUTH_USER_PASSWORD_V2(mle3gsa):

*Jan 19 14:32:35.489: EZVPN(mle3gsa): New State: XAUTH_REPLIED

*Jan 19 14:32:35.489:         xauth-type: 0

*Jan 19 14:32:35.489:         username: USERNAME

*Jan 19 14:32:35.493:         password:

*Jan 19 14:32:35.493: ISAKMP:(0:1:SW:1): responding to peer config from A.B.C.D. ID = 1453684845

*Jan 19 14:32:35.493: ISAKMP:(0:1:SW:1): sending packet to A.B.C.D my_port 4500 peer_port 4500 (I) CONF_XAUTH

*Jan 19 14:32:35.497: ISAKMP:(0:1:SW:1):deleting node 1453684845 error FALSE reason "Done with xauth request/reply exchange"

*Jan 19 14:32:35.497: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR

*Jan 19 14:32:35.497: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT

*Jan 19 14:32:35.758: ISAKMP (0:134217729): received packet from A.B.C.D dport 4500 sport 4500 Global (I) CONF_XAUTH

*Jan 19 14:32:35.762: ISAKMP: set new node -683667766 to CONF_XAUTH

*Jan 19 14:32:35.762: ISAKMP:(0:1:SW:1):processing transaction payload from A.B.C.D. message ID = -683667766

*Jan 19 14:32:35.766: ISAKMP: Config payload SET

*Jan 19 14:32:35.766: ISAKMP:(0:1:SW:1):Xauth process set, status = 1

*Jan 19 14:32:35.766: ISAKMP:(0:1:SW:1):checking SET:

*Jan 19 14:32:35.766: ISAKMP:    XAUTH_STATUS_V2 XAUTH-OK

*Jan 19 14:32:35.766: ISAKMP:(0:1:SW:1):attributes sent in message:

*Jan 19 14:32:35.766:         Status: 1

*Jan 19 14:32:35.770: ISAKMP:(0:1:SW:1): sending packet to A.B.C.D my_port 4500 peer_port 4500 (I) CONF_XAUTH

*Jan 19 14:32:35.770: ISAKMP:(0:1:SW:1):deleting node -683667766 error FALSE reason "No Error"

*Jan 19 14:32:35.774: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_CFG_SET

*Jan 19 14:32:35.774: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_REPLY_SENT  New State = IKE_P1_COMPLETE

*Jan 19 14:32:35.774: EZVPN(mle3gsa): Current State: XAUTH_REPLIED

*Jan 19 14:32:35.774: EZVPN(mle3gsa): Event: XAUTH_STATUS

*Jan 19 14:32:35.774: EZVPN(mle3gsa): xauth status received: Success

*Jan 19 14:32:35.778: EZVPN(mle3gsa): New State: READY

*Jan 19 14:32:35.778: ISAKMP:(0:1:SW:1):Need config/address

*Jan 19 14:32:35.778: ISAKMP:(0:1:SW:1):Need config/address

*Jan 19 14:32:35.778: ISAKMP: set new node 60341496 to CONF_ADDR

*Jan 19 14:32:35.778: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9_SNA-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2010 by Cisco Systems, Inc.

Compiled Thu 11-Feb-10 23:02 by prod_rel_team

*Jan 19 14:32:35.782: ISAKMP:(0:1:SW:1): initiating peer config to A.B.C.D. ID = 60341496

*Jan 19 14:32:35.786: ISAKMP:(0:1:SW:1): sending packet to A.B.C.D my_port 4500 peer_port 4500 (I) CONF_ADDR

*Jan 19 14:32:35.786: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Jan 19 14:32:35.786: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT

*Jan 19 14:32:36.046: ISAKMP (0:134217729): received packet from A.B.C.D dport 4500 sport 4500 Global (I) CONF_ADDR

*Jan 19 14:32:36.050: ISAKMP: set new node 333504033 to CONF_ADDR

*Jan 19 14:32:36.050: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 333504033

*Jan 19 14:32:36.050: ISAKMP:(0:1:SW:1): processing DELETE payload. message ID = 333504033

*Jan 19 14:32:36.054: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

*Jan 19 14:32:36.054: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (I) CONF_ADDR     (peer A.B.C.D)

*Jan 19 14:32:36.054: ISAKMP:(0:1:SW:1):deleting node 333504033 error FALSE reason "Informational (in) state 1"

*Jan 19 14:32:36.058: ISAKMP: set new node -1109538945 to CONF_ADDR

*Jan 19 14:32:36.062: ISAKMP:(0:1:SW:1): sending packet to A.B.C.D my_port 4500 peer_port 4500 (I) CONF_ADDR

*Jan 19 14:32:36.062: ISAKMP:(0:1:SW:1):purging node -1109538945

*Jan 19 14:32:36.062: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jan 19 14:32:36.062: ISAKMP:(0:1:SW:1):Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_DEST_SA

*Jan 19 14:32:36.066: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (I) CONF_ADDR     (peer A.B.C.D)

*Jan 19 14:32:36.066: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_active since it's already 0.

*Jan 19 14:32:36.070: ISAKMP: Unlocking IKE struct 0x85A97494 for isadb_mark_sa_deleted(), count 0

*Jan 19 14:32:36.070: ISAKMP: Deferring peer node 85A97494 deletion, by peer_reap as there are other users 4

*Jan 19 14:32:36.070: ISAKMP:(0:1:SW:1):deleting node 60341496 error FALSE reason "IKE deleted"

*Jan 19 14:32:36.070: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jan 19 14:32:36.070: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Jan 19 14:32:36.074: EZVPN(mle3gsa): Current State: READY

*Jan 19 14:32:36.074: EZVPN(mle3gsa): Event: CONN_DOWN

*Jan 19 14:32:36.074: EZVPN(mle3gsa): ezvpn_close

*Jan 19 14:32:36.074: EZVPN(mle3gsa): nulling context

*Jan 19 14:32:36.074: ISAKMP: Deleting peer node by peer_reap for A.B.C.D: 85A97494

*Jan 19 14:32:36.074: EZVPN(mle3gsa): Deleted PSK for address A.B.C.D

*Jan 19 14:32:36.078: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=USERNAME  Group=gsa3mle3  Client_public_addr= Server_public_addr=A.B.C.D

*Jan 19 14:32:36.078: EZVPN(mle3gsa): New State: CONNECT_REQUIRED

*Jan 19 14:32:36.078: EZVPN(mle3gsa): New State: CONNECT_REQUIRED

*Jan 19 14:33:25.772: ISAKMP:(0:1:SW:1):purging node -683667766

*Jan 19 14:33:26.056: ISAKMP:(0:1:SW:1):purging node 333504033

*Jan 19 14:33:26.072: ISAKMP:(0:1:SW:1):purging node 60341496

**Jan 19 14:33:36.073: ISAKMP:(0:1:SW:1):purging SA., sa=859754DC, delme=859754DC

**Jan 19 14:33:36.073: ISAKMP:(0:1:SW:1):purging node 1453684845

**Jan 19 14:34:04.351: EZVPN(mle3gsa): Current State: CONNECT_REQUIRED

**Jan 19 14:34:04.351: EZVPN(mle3gsa): Event: RESET

**Jan 19 14:34:04.351: ISAKMP:isadb_key_addr_delete: no key for address A.B.C.D  (NULL root)

**Jan 19 14:34:04.351: EZVPN(mle3gsa): Deleted PSK for address A.B.C.D

**Jan 19 14:34:04.351: EZVPN(mle3gsa): New active peer is A.B.C.D

**Jan 19 14:34:04.351: EZVPN(mle3gsa): Ready to connect to peer A.B.C.D

**Jan 19 14:34:04.351: EZVPN(mle3gsa): ezvpn_close

**Jan 19 14:34:04.351: EZVPN(mle3gsa): nulling context

**Jan 19 14:34:04.355: ISAKMP:isadb_key_addr_delete: no key for address A.B.C.D  (NULL root)

**Jan 19 14:34:04.355: EZVPN(mle3gsa): Deleted PSK for address A.B.C.D

**Jan 19 14:34:04.355: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=USERNAME  Group=gsa3mle3  Client_public_addr= Server_public_addr=A.B.C.D

**Jan 19 14:34:04.355: EZVPN(mle3gsa): ezvpn_reset

Best regards,

Adam
