Cisco ISR4431/K9, Cisco IOS XE Software, Version 16.08.01, unable to negotiate IPSec tunnel with Windows 10 client [SOLVED]

john-serink
Level 1

Hello:

 

I have the above-mentioned router and am attempting to configure it to bring up an L2TP/IPSec connection with a Windows client.

It completes phase 1 fine but fails the phase 2 negotiation stating the transforms don't match but it seems that they do.

I don't get past the IPSec, so the L2TP is not yet an issue; I need to fix the IPSec first.

Here is the router setup:

crypto keyring hubspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key reallylongkey

crypto isakmp policy 100
encr aes 256
hash sha256
authentication pre-share
group 14

crypto isakmp policy 100
encr aes 256
hash sha256
authentication pre-share
group 14

crypto isakmp keepalive 15 3
crypto isakmp profile LanToLan
description Lan to lan profile for CORS set connections
keyring hubspokes
match identity address 0.0.0.0
match identity host jserinki7

crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set mainset esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec transform-set mainset2 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set mainset3 esp-aes 192 esp-sha-hmac
mode tunnel
crypto ipsec transform-set mainset4 esp-aes 256 esp-md5-hmac
mode tunnel
crypto ipsec transform-set mainset5 esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec transform-set mainset6 esp-aes esp-sha-hmac
mode transport

crypto dynamic-map mainmap 100
description Dynamic map for the CORS site connections
set transform-set mainset
set pfs group14
set isakmp-profile LanToLan
crypto dynamic-map mainmap 110
description dynamic map for older digi routers
set security-association lifetime seconds 14400
set transform-set mainset mainset2 mainset3 mainset4
set pfs group2
set isakmp-profile LanToLan
crypto dynamic-map mainmap 120
description Windows10 L2TP no PFS
set security-association lifetime seconds 14400
set transform-set mainset6 mainset5 mainset2
set isakmp-profile LanToLan
!

crypto map soimainmap 100 ipsec-isakmp dynamic mainmap

interface Loopback0
ip address 1.1.1.1 255.255.255.255
no ip redirects
no ip unreachables

interface GigabitEthernet0/0/0
description Internet Link
ip address A.B.C.D 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip access-group FilteredList in
negotiation auto
crypto map soimainmap
ip virtual-reassembly

ip nat inside source route-map NoNAT interface GigabitEthernet0/0/0 overload

ip access-list extended NATexempts
deny ip 192.168.48.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.48.0 0.0.0.255 any
permit ip 192.168.49.0 0.0.0.255 any
permit ip 192.168.50.0 0.0.0.255 any
!
!
route-map NoNAT permit 100
match ip address NATexempts

 

Here is the debug:

Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on

*Jul 4 14:00:46.579: ISAKMP-PAK: (0):received packet from 220.255.242.218 dport 500 sport 500 Global (N) NEW SA
*Jul 4 14:00:46.579: ISAKMP: (0):Created a peer struct for 220.255.242.218, peer port 500
*Jul 4 14:00:46.579: ISAKMP: (0):New peer created peer = 0x80007F2ADBCA9DC8 peer_handle = 0x8000000080000007
*Jul 4 14:00:46.580: ISAKMP: (0):Locking peer struct 0x80007F2ADBCA9DC8, refcount 1 for crypto_isakmp_process_block
*Jul 4 14:00:46.580: ISAKMP: (0):local port 500, remote port 500
*Jul 4 14:00:46.580: ISAKMP: (0):insert sa successfully sa = 80007F2ADBD78D58
*Jul 4 14:00:46.580: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 4 14:00:46.580: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

*Jul 4 14:00:46.580: ISAKMP: (0):processing SA payload. message ID = 0
*Jul 4 14:00:46.580: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.580: ISAKMP: (0):processing IKE frag vendor id payload
*Jul 4 14:00:46.580: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Jul 4 14:00:46.580: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.580: ISAKMP: (0):processing IKE frag vendor id payload
*Jul 4 14:00:46.580: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Jul 4 14:00:46.580: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.580: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Jul 4 14:00:46.580: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Jul 4 14:00:46.580: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.580: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Jul 4 14:00:46.580: ISAKMP: (0):vendor ID is NAT-T v2
*Jul 4 14:00:46.580: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.580: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
*Jul 4 14:00:46.580: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.580: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
*Jul 4 14:00:46.580: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.581: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
*Jul 4 14:00:46.581: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.581: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
*Jul 4 14:00:46.581: ISAKMP: (0):found peer pre-shared key matching 220.255.242.218
*Jul 4 14:00:46.581: ISAKMP: (0):local preshared key found
*Jul 4 14:00:46.581: ISAKMP: (0):Scanning profiles for xauth ... LanToLan
*Jul 4 14:00:46.581: ISAKMP: (0):Checking ISAKMP transform 1 against priority 100 policy
*Jul 4 14:00:46.581: ISAKMP: (0): encryption AES-CBC
*Jul 4 14:00:46.581: ISAKMP: (0): keylength of 256
*Jul 4 14:00:46.581: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.581: ISAKMP: (0): default group 20
*Jul 4 14:00:46.581: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.581: ISAKMP: (0): life type in seconds
*Jul 4 14:00:46.581: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 4 14:00:46.581: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
*Jul 4 14:00:46.581: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Jul 4 14:00:46.581: ISAKMP: (0):Checking ISAKMP transform 2 against priority 100 policy
*Jul 4 14:00:46.581: ISAKMP: (0): encryption AES-CBC
*Jul 4 14:00:46.581: ISAKMP: (0): keylength of 128
*Jul 4 14:00:46.581: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.581: ISAKMP: (0): default group 19
*Jul 4 14:00:46.581: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.581: ISAKMP: (0): life type in seconds
*Jul 4 14:00:46.581: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 4 14:00:46.582: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
*Jul 4 14:00:46.582: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Jul 4 14:00:46.582: ISAKMP: (0):Checking ISAKMP transform 3 against priority 100 policy
*Jul 4 14:00:46.582: ISAKMP: (0): encryption AES-CBC
*Jul 4 14:00:46.582: ISAKMP: (0): keylength of 256
*Jul 4 14:00:46.582: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.582: ISAKMP: (0): default group 14
*Jul 4 14:00:46.582: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.582: ISAKMP: (0): life type in seconds
*Jul 4 14:00:46.582: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 4 14:00:46.582: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
*Jul 4 14:00:46.582: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Jul 4 14:00:46.582: ISAKMP: (0):Checking ISAKMP transform 4 against priority 100 policy
*Jul 4 14:00:46.582: ISAKMP: (0): encryption 3DES-CBC
*Jul 4 14:00:46.582: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.582: ISAKMP: (0): default group 14
*Jul 4 14:00:46.582: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.582: ISAKMP: (0): life type in seconds
*Jul 4 14:00:46.582: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 4 14:00:46.582: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Jul 4 14:00:46.582: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Jul 4 14:00:46.582: ISAKMP: (0):Checking ISAKMP transform 5 against priority 100 policy
*Jul 4 14:00:46.582: ISAKMP: (0): encryption 3DES-CBC
*Jul 4 14:00:46.582: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.583: ISAKMP: (0): default group 2
*Jul 4 14:00:46.583: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.583: ISAKMP: (0): life type in seconds
*Jul 4 14:00:46.583: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 4 14:00:46.583: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Jul 4 14:00:46.583: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
*Jul 4 14:00:46.583: ISAKMP: (0):Checking ISAKMP transform 1 against priority 110 policy
*Jul 4 14:00:46.583: ISAKMP: (0): encryption AES-CBC
*Jul 4 14:00:46.583: ISAKMP: (0): keylength of 256
*Jul 4 14:00:46.583: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.583: ISAKMP: (0): default group 20
*Jul 4 14:00:46.583: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.583: ISAKMP: (0): life type in seconds
*Jul 4 14:00:46.583: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 4 14:00:46.583: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
*Jul 4 14:00:46.583: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Jul 4 14:00:46.583: ISAKMP: (0):Checking ISAKMP transform 2 against priority 110 policy
*Jul 4 14:00:46.583: ISAKMP: (0): encryption AES-CBC
*Jul 4 14:00:46.583: ISAKMP: (0): keylength of 128
*Jul 4 14:00:46.583: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.583: ISAKMP: (0): default group 19
*Jul 4 14:00:46.583: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.583: ISAKMP: (0): life type in seconds
*Jul 4 14:00:46.584: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 4 14:00:46.584: ISAKMP-ERROR: (0):Proposed key length does not match policy
*Jul 4 14:00:46.584: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Jul 4 14:00:46.584: ISAKMP: (0):Checking ISAKMP transform 3 against priority 110 policy
*Jul 4 14:00:46.584: ISAKMP: (0): encryption AES-CBC
*Jul 4 14:00:46.584: ISAKMP: (0): keylength of 256
*Jul 4 14:00:46.584: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.584: ISAKMP: (0): default group 14
*Jul 4 14:00:46.584: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.584: ISAKMP: (0): life type in seconds
*Jul 4 14:00:46.584: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 4 14:00:46.584: ISAKMP: (0):atts are acceptable. Next payload is 3
*Jul 4 14:00:46.584: ISAKMP: (0):Acceptable atts:actual life: 14400
*Jul 4 14:00:46.584: ISAKMP: (0):Acceptable atts:life: 0
*Jul 4 14:00:46.584: ISAKMP: (0):Fill atts in sa vpi_length:4
*Jul 4 14:00:46.584: ISAKMP: (0):Fill atts in sa life_in_seconds:28800
*Jul 4 14:00:46.584: ISAKMP: (0):Returning Actual lifetime: 14400
*Jul 4 14:00:46.584: ISAKMP: (0):Started lifetime timer: 14400.

*Jul 4 14:00:46.586: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.586: ISAKMP: (0):processing IKE frag vendor id payload
*Jul 4 14:00:46.586: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Jul 4 14:00:46.586: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.587: ISAKMP: (0):processing IKE frag vendor id payload
*Jul 4 14:00:46.587: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Jul 4 14:00:46.587: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.587: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Jul 4 14:00:46.587: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Jul 4 14:00:46.587: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.587: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Jul 4 14:00:46.587: ISAKMP: (0):vendor ID is NAT-T v2
*Jul 4 14:00:46.587: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.587: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
*Jul 4 14:00:46.587: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.587: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
*Jul 4 14:00:46.587: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.587: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
*Jul 4 14:00:46.587: ISAKMP: (0):processing vendor id payload
*Jul 4 14:00:46.587: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
*Jul 4 14:00:46.587: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 4 14:00:46.587: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Jul 4 14:00:46.587: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Jul 4 14:00:46.588: ISAKMP-PAK: (0):sending packet to 220.255.242.218 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 4 14:00:46.588: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jul 4 14:00:46.588: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 4 14:00:46.588: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Jul 4 14:00:46.701: ISAKMP-PAK: (0):received packet from 220.255.242.218 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 4 14:00:46.701: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 4 14:00:46.702: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3

*Jul 4 14:00:46.702: ISAKMP: (0):processing KE payload. message ID = 0
*Jul 4 14:00:46.704: ISAKMP: (0):processing NONCE payload. message ID = 0
*Jul 4 14:00:46.704: ISAKMP: (0):found peer pre-shared key matching 220.255.242.218
*Jul 4 14:00:46.704: ISAKMP: (1006):received payload type 20
*Jul 4 14:00:46.704: ISAKMP: (1006):His hash no match - this node outside NAT
*Jul 4 14:00:46.704: ISAKMP: (1006):received payload type 20
*Jul 4 14:00:46.704: ISAKMP: (1006):His hash no match - this node outside NAT
*Jul 4 14:00:46.704: ISAKMP: (1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 4 14:00:46.704: ISAKMP: (1006):Old State = IKE_R_MM3 New State = IKE_R_MM3

*Jul 4 14:00:46.704: ISAKMP-PAK: (1006):sending packet to 220.255.242.218 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 4 14:00:46.704: ISAKMP: (1006):Sending an IKE IPv4 Packet.
*Jul 4 14:00:46.704: ISAKMP: (1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 4 14:00:46.704: ISAKMP: (1006):Old State = IKE_R_MM3 New State = IKE_R_MM4

*Jul 4 14:00:46.825: ISAKMP-PAK: (1006):received packet from 220.255.242.218 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Jul 4 14:00:46.825: ISAKMP: (1006):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 4 14:00:46.825: ISAKMP: (1006):Old State = IKE_R_MM4 New State = IKE_R_MM5

*Jul 4 14:00:46.825: ISAKMP: (1006):processing ID payload. message ID = 0
*Jul 4 14:00:46.825: ISAKMP: (1006):ID payload
next-payload : 8
type : 1
*Jul 4 14:00:46.825: ISAKMP: (1006): address : 192.168.100.233
*Jul 4 14:00:46.826: ISAKMP: (1006): protocol : 0
port : 0
length : 12
*Jul 4 14:00:46.826: ISAKMP: (0):peer matches LanToLan profile
*Jul 4 14:00:46.826: ISAKMP: (1006):Found ADDRESS key in keyring hubspokes
*Jul 4 14:00:46.826: ISAKMP: (1006):processing HASH payload. message ID = 0
*Jul 4 14:00:46.826: ISAKMP: (1006):SA authentication status:
authenticated
*Jul 4 14:00:46.826: ISAKMP: (1006):SA has been authenticated with 220.255.242.218
*Jul 4 14:00:46.826: ISAKMP: (1006):Detected port floating to port = 4500
*Jul 4 14:00:46.826: ISAKMP: (0):Trying to insert a peer 103.205.244.106/220.255.242.218/4500/,
*Jul 4 14:00:46.826: ISAKMP: (0): and inserted successfully 80007F2ADBCA9DC8.
*Jul 4 14:00:46.827: ISAKMP: (1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 4 14:00:46.827: ISAKMP: (1006):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Jul 4 14:00:46.827: ISAKMP: (1006):SA is doing
*Jul 4 14:00:46.827: ISAKMP: (1006):pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 4 14:00:46.827: ISAKMP: (1006):ID payload
next-payload : 8
type : 1
*Jul 4 14:00:46.827: ISAKMP: (1006): address : 103.205.244.106
*Jul 4 14:00:46.827: ISAKMP: (1006): protocol : 17
port : 0
length : 12
*Jul 4 14:00:46.827: ISAKMP: (1006):Total payload length: 12
*Jul 4 14:00:46.827: ISAKMP-PAK: (1006):sending packet to 220.255.242.218 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Jul 4 14:00:46.827: ISAKMP: (1006):Sending an IKE IPv4 Packet.
*Jul 4 14:00:46.827: ISAKMP: (1006):Returning Actual lifetime: 14400
*Jul 4 14:00:46.827: ISAKMP: (1006):set new node 2838546071 to QM_IDLE
*Jul 4 14:00:46.827: ISAKMP: (1006):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 9223511858847286880, message ID = 2838546071
*Jul 4 14:00:46.827: ISAKMP-PAK: (1006):sending packet to 220.255.242.218 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Jul 4 14:00:46.827: ISAKMP: (1006):Sending an IKE IPv4 Packet.
*Jul 4 14:00:46.828: ISAKMP: (1006):purging node 2838546071
*Jul 4 14:00:46.828: ISAKMP: (1006):Sending phase 1 responder lifetime 14400

*Jul 4 14:00:46.828: ISAKMP: (1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 4 14:00:46.828: ISAKMP: (1006):Old State = IKE_R_MM5 New State = IKE_R_MM5

*Jul 4 14:00:46.828: ISAKMP: (1006):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_ATTR
*Jul 4 14:00:46.828: ISAKMP: (1006):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

*Jul 4 14:00:46.828: ISAKMP: (1006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 4 14:00:46.828: ISAKMP: (1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Jul 4 14:00:46.950: ISAKMP-PAK: (1006):received packet from 220.255.242.218 dport 4500 sport 4500 Global (R) QM_IDLE
*Jul 4 14:00:46.950: ISAKMP: (1006):set new node 1 to QM_IDLE
*Jul 4 14:00:46.950: ISAKMP: (1006):processing HASH payload. message ID = 1
*Jul 4 14:00:46.950: ISAKMP: (1006):processing SA payload. message ID = 1
*Jul 4 14:00:46.950: ISAKMP: (1006):processing NAT-OAi payload. addr = 192.168.100.233, message ID = 1
*Jul 4 14:00:46.950: ISAKMP: (1006):processing NAT-OAr payload. addr = 103.205.244.106, message ID = 1
*Jul 4 14:00:46.950: ISAKMP: (1006):Checking IPSec proposal 1
*Jul 4 14:00:46.950: ISAKMP: (1006):transform 1, ESP_AES
*Jul 4 14:00:46.950: ISAKMP: (1006): attributes in transform:
*Jul 4 14:00:46.950: ISAKMP: (1006): encaps is 4 (Transport-UDP)
*Jul 4 14:00:46.950: ISAKMP: (1006): key length is 256
*Jul 4 14:00:46.950: ISAKMP: (1006): authenticator is HMAC-SHA
*Jul 4 14:00:46.950: ISAKMP: (1006): SA life type in seconds
*Jul 4 14:00:46.951: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jul 4 14:00:46.951: ISAKMP: (1006): SA life type in kilobytes
*Jul 4 14:00:46.951: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Jul 4 14:00:46.951: ISAKMP: (1006):atts are acceptable.
*Jul 4 14:00:46.951: IPSEC(validate_proposal_request): proposal part #1
*Jul 4 14:00:46.951: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 103.205.244.106:0, remote= 220.255.242.218:0,
local_proxy= 103.205.244.106/255.255.255.255/17/1701,
remote_proxy= 220.255.242.218/255.255.255.255/17/1701,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul 4 14:00:46.951: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes 256 esp-sha-hmac }
*Jul 4 14:00:46.952: ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 256
*Jul 4 14:00:46.953: ISAKMP: (1006):Checking IPSec proposal 2
*Jul 4 14:00:46.953: ISAKMP: (1006):transform 1, ESP_AES
*Jul 4 14:00:46.953: ISAKMP: (1006): attributes in transform:
*Jul 4 14:00:46.953: ISAKMP: (1006): encaps is 4 (Transport-UDP)
*Jul 4 14:00:46.953: ISAKMP: (1006): key length is 128
*Jul 4 14:00:46.953: ISAKMP: (1006): authenticator is HMAC-SHA
*Jul 4 14:00:46.953: ISAKMP: (1006): SA life type in seconds
*Jul 4 14:00:46.953: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jul 4 14:00:46.953: ISAKMP: (1006): SA life type in kilobytes
*Jul 4 14:00:46.953: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Jul 4 14:00:46.953: ISAKMP: (1006):atts are acceptable.
*Jul 4 14:00:46.953: IPSEC(validate_proposal_request): proposal part #1
*Jul 4 14:00:46.953: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 103.205.244.106:0, remote= 220.255.242.218:0,
local_proxy= 103.205.244.106/255.255.255.255/17/1701,
remote_proxy= 220.255.242.218/255.255.255.255/17/1701,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 4 14:00:46.953: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes esp-sha-hmac }
*Jul 4 14:00:46.954: ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 256
*Jul 4 14:00:46.955: ISAKMP: (1006):Checking IPSec proposal 3
*Jul 4 14:00:46.955: ISAKMP: (1006):transform 1, ESP_3DES
*Jul 4 14:00:46.955: ISAKMP: (1006): attributes in transform:
*Jul 4 14:00:46.955: ISAKMP: (1006): encaps is 4 (Transport-UDP)
*Jul 4 14:00:46.955: ISAKMP: (1006): authenticator is HMAC-SHA
*Jul 4 14:00:46.955: ISAKMP: (1006): SA life type in seconds
*Jul 4 14:00:46.955: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jul 4 14:00:46.955: ISAKMP: (1006): SA life type in kilobytes
*Jul 4 14:00:46.955: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Jul 4 14:00:46.955: ISAKMP: (1006):atts are acceptable.
*Jul 4 14:00:46.955: IPSEC(validate_proposal_request): proposal part #1
*Jul 4 14:00:46.955: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 103.205.244.106:0, remote= 220.255.242.218:0,
local_proxy= 103.205.244.106/255.255.255.255/17/1701,
remote_proxy= 220.255.242.218/255.255.255.255/17/1701,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 4 14:00:46.956: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-3des esp-sha-hmac }
*Jul 4 14:00:46.957: ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 256
*Jul 4 14:00:46.957: ISAKMP: (1006):Checking IPSec proposal 4
*Jul 4 14:00:46.957: ISAKMP: (1006):transform 1, ESP_DES
*Jul 4 14:00:46.957: ISAKMP: (1006): attributes in transform:
*Jul 4 14:00:46.957: ISAKMP: (1006): encaps is 4 (Transport-UDP)
*Jul 4 14:00:46.957: ISAKMP: (1006): authenticator is HMAC-SHA
*Jul 4 14:00:46.957: ISAKMP: (1006): SA life type in seconds
*Jul 4 14:00:46.957: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jul 4 14:00:46.957: ISAKMP: (1006): SA life type in kilobytes
*Jul 4 14:00:46.957: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Jul 4 14:00:46.958: ISAKMP: (1006):atts are acceptable.
*Jul 4 14:00:46.958: IPSEC(validate_proposal_request): proposal part #1
*Jul 4 14:00:46.958: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 103.205.244.106:0, remote= 220.255.242.218:0,
local_proxy= 103.205.244.106/255.255.255.255/17/1701,
remote_proxy= 220.255.242.218/255.255.255.255/17/1701,
protocol= ESP, transform= esp-des esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 4 14:00:46.958: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-des esp-sha-hmac }
*Jul 4 14:00:46.959: ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 256
*Jul 4 14:00:46.959: ISAKMP: (1006):Checking IPSec proposal 5
*Jul 4 14:00:46.959: ISAKMP: (1006):transform 1, ESP_NULL
*Jul 4 14:00:46.959: ISAKMP: (1006): attributes in transform:
*Jul 4 14:00:46.959: ISAKMP: (1006): encaps is 4 (Transport-UDP)
*Jul 4 14:00:46.959: ISAKMP: (1006): authenticator is HMAC-SHA
*Jul 4 14:00:46.960: ISAKMP: (1006): SA life type in seconds
*Jul 4 14:00:46.960: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jul 4 14:00:46.960: ISAKMP: (1006): SA life type in kilobytes
*Jul 4 14:00:46.960: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Jul 4 14:00:46.960: ISAKMP: (1006):atts are acceptable.
*Jul 4 14:00:46.960: IPSEC(validate_proposal_request): proposal part #1
*Jul 4 14:00:46.960: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 103.205.244.106:0, remote= 220.255.242.218:0,
local_proxy= 103.205.244.106/255.255.255.255/17/1701,
remote_proxy= 220.255.242.218/255.255.255.255/17/1701,
protocol= ESP, transform= esp-null esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 4 14:00:46.960: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-null esp-sha-hmac }
*Jul 4 14:00:46.961: ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 256
*Jul 4 14:00:46.962: ISAKMP-ERROR: (1006):phase 2 SA policy not acceptable! (local 103.205.244.106 remote 220.255.242.218)
*Jul 4 14:00:46.962: ISAKMP: (1006):set new node 1931992349 to QM_IDLE
*Jul 4 14:00:46.962: ISAKMP: (1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 9223511858847286000, message ID = 1931992349
*Jul 4 14:00:46.962: ISAKMP-PAK: (1006):sending packet to 220.255.242.218 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jul 4 14:00:46.962: ISAKMP: (1006):Sending an IKE IPv4 Packet.
*Jul 4 14:00:46.962: ISAKMP: (1006):purging node 1931992349
*Jul 4 14:00:46.962: ISAKMP-ERROR: (1006):deleting node 1 error TRUE reason "QM rejected"
*Jul 4 14:00:46.963: ISAKMP: (1006):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 4 14:00:46.963: ISAKMP: (1006):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jul 4 14:00:47.189: ISAKMP-PAK: (1006):received packet from 220.255.242.218 dport 4500 sport 4500 Global (R) QM_IDLE
*Jul 4 14:00:47.189: ISAKMP: (1006):set new node 1253399401 to QM_IDLE
*Jul 4 14:00:47.189: ISAKMP: (1006):processing HASH payload. message ID = 1253399401
*Jul 4 14:00:47.189: ISAKMP: (1006):processing DELETE payload. message ID = 1253399401
*Jul 4 14:00:47.189: ISAKMP: (1006):peer does not do paranoid keepalives.
*Jul 4 14:00:47.190: ISAKMP: (1006):deleting SA reason "No reason" state (R) QM_IDLE (peer 220.255.242.218)
*Jul 4 14:00:47.190: ISAKMP: (1006):deleting node 1253399401 error FALSE reason "Informational (in) state 1"
*Jul 4 14:00:47.190: ISAKMP: (1006):set new node 469067412 to QM_IDLE
*Jul 4 14:00:47.190: ISAKMP-PAK: (1006):sending packet to 220.255.242.218 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jul 4 14:00:47.190: ISAKMP: (1006):Sending an IKE IPv4 Packet.
*Jul 4 14:00:47.190: ISAKMP: (1006):purging node 469067412
*Jul 4 14:00:47.190: ISAKMP: (1006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jul 4 14:00:47.190: ISAKMP: (1006):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Jul 4 14:00:47.190: ISAKMP: (1006):deleting SA reason "No reason" state (R) QM_IDLE (peer 220.255.242.218)
*Jul 4 14:00:47.190: ISAKMP: (0):Unlocking peer struct 0x80007F2ADBCA9DC8 for isadb_mark_sa_deleted(), count 0
*Jul 4 14:00:47.190: ISAKMP: (0):Deleting peer node by peer_reap for 220.255.242.218: 80007F2ADBCA9DC8
*Jul 4 14:00:47.191: ISAKMP: (1006):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 4 14:00:47.191: ISAKMP: (1006):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Jul 4 14:00:47.191: IPSEC(key_engine): got a queue event with 1 KMI message(s)

 

As you can see, phase one finishes and then the Windows 10 client tosses out 5 phase 2 proposals, which are all denied with an error 256. Three of the proposals are rubbish (DES, 3DES and NULL), but the other two:

esp-aes esp-sha-hmac

esp-aes 256 esp-sha-hmac

I have covered in transform-sets mainset6 and mainset2.

 

I must be missing something really basic.

The Cisco terminates tunnels from Linux and Digi Transport routers in main mode with PFS fine. The Windows 10 client has me stumped.

 

If anyone can see my mistake, let me know.

 

Cheers,

john
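To make a debug like the one above easier to read, here is an added Python example (not from the original post, and not Cisco code) that groups the ISAKMP/IPsec debug into one record per phase-1 transform and per phase-2 proposal and prints the verdict and the router's stated reason for each. The sample input is a constructed excerpt of the debug lines quoted above; the regular expressions are written against the message formats that appear in this thread (`Checking ISAKMP transform … against priority … policy`, `… does not match policy`, `Checking IPSec proposal …`, `IPSec policy invalidated proposal with error …` and the `invalid transform proposal flags -- 0x…` variant) and are an assumption for any other IOS release.

```python
import re

# Constructed sample: lines copied from the IKE debug quoted above (timestamps kept as they appear).
SAMPLE_DEBUG = """\
*Jul 4 14:00:46.581: ISAKMP: (0):Checking ISAKMP transform 1 against priority 100 policy
*Jul 4 14:00:46.581: ISAKMP: (0): encryption AES-CBC
*Jul 4 14:00:46.581: ISAKMP: (0): keylength of 256
*Jul 4 14:00:46.581: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.581: ISAKMP: (0): default group 20
*Jul 4 14:00:46.581: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.581: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
*Jul 4 14:00:46.581: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Jul 4 14:00:46.584: ISAKMP: (0):Checking ISAKMP transform 3 against priority 110 policy
*Jul 4 14:00:46.584: ISAKMP: (0): encryption AES-CBC
*Jul 4 14:00:46.584: ISAKMP: (0): keylength of 256
*Jul 4 14:00:46.584: ISAKMP: (0): hash SHA
*Jul 4 14:00:46.584: ISAKMP: (0): default group 14
*Jul 4 14:00:46.584: ISAKMP: (0): auth pre-share
*Jul 4 14:00:46.584: ISAKMP: (0):atts are acceptable. Next payload is 3
*Jul 4 14:00:46.950: ISAKMP: (1006):Checking IPSec proposal 1
*Jul 4 14:00:46.950: ISAKMP: (1006):transform 1, ESP_AES
*Jul 4 14:00:46.950: ISAKMP: (1006): encaps is 4 (Transport-UDP)
*Jul 4 14:00:46.950: ISAKMP: (1006): key length is 256
*Jul 4 14:00:46.950: ISAKMP: (1006): authenticator is HMAC-SHA
*Jul 4 14:00:46.951: ISAKMP: (1006):atts are acceptable.
*Jul 4 14:00:46.951: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-aes 256 esp-sha-hmac }
*Jul 4 14:00:46.952: ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 256
*Jul 4 14:00:46.955: ISAKMP: (1006):Checking IPSec proposal 3
*Jul 4 14:00:46.955: ISAKMP: (1006):transform 1, ESP_3DES
*Jul 4 14:00:46.955: ISAKMP: (1006): encaps is 4 (Transport-UDP)
*Jul 4 14:00:46.955: ISAKMP: (1006): authenticator is HMAC-SHA
*Jul 4 14:00:46.955: ISAKMP: (1006):atts are acceptable.
*Jul 4 14:00:46.956: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{esp-3des esp-sha-hmac }
*Jul 4 14:00:46.957: ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 256
"""

TS = re.compile(r"^\*\w{3} +\d+ +[\d:.]+: ")  # strips the "*Jul 4 14:00:46.581: " prefix
P1_START = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
P1_ATTRS = {"encryption": r"\): encryption (\S+)", "keylength": r"\): keylength of (\d+)",
            "hash": r"\): hash (\S+)", "group": r"\): default group (\d+)", "auth": r"\): auth (\S+)"}
P1_REJECT = re.compile(r"ISAKMP-ERROR: \(\d+\):(.+?) does not match policy")
P2_START = re.compile(r"Checking IPSec proposal (\d+)")
P2_FIELDS = {"esp": r"transform \d+, (ESP_\w+)", "encaps": r"encaps is \d+ \(([^)]*)\)",
             "keylen": r"key length is (\d+)", "auth": r"authenticator is (\S+)",
             "flags": r"invalid transform proposal flags -- (0x[0-9A-Fa-f]+)",
             "ipsec_error": r"IPSec policy invalidated proposal with error (\d+)",
             "transform_text": r"^\{(.*?) *\}$"}  # the "{esp-aes 256 esp-sha-hmac }" line


def parse_ike_debug(text):
    """Group the debug into one record per phase-1 transform and per phase-2 proposal."""
    phase1, phase2, cur, kind = [], [], None, None
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())
        m = P1_START.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                   "attrs": {}, "accepted": None, "reason": None}
            phase1.append(cur); kind = "p1"; continue
        m = P2_START.search(line)
        if m:
            cur = {"proposal": int(m.group(1)), "esp": None, "encaps": None, "keylen": None, "auth": None,
                   "isakmp_ok": False, "ipsec_error": None, "flags": None, "transform_text": None}
            phase2.append(cur); kind = "p2"; continue
        if cur is None:
            continue
        if kind == "p1":
            for name, rx in P1_ATTRS.items():
                m = re.search(rx, line)
                if m: cur["attrs"][name] = m.group(1)
            m = P1_REJECT.search(line)
            if m: cur["accepted"], cur["reason"] = False, m.group(1).strip()
            elif "atts are acceptable" in line: cur["accepted"] = True
        else:
            for name, rx in P2_FIELDS.items():
                m = re.search(rx, line)
                if m: cur[name] = int(m.group(1)) if name == "ipsec_error" else m.group(1)
            if "atts are acceptable" in line: cur["isakmp_ok"] = True  # ISAKMP-level verdict only
    return {"phase1": phase1, "phase2": phase2}


def summarize(parsed):
    """One line per checked transform/proposal, in the order the router evaluated them."""
    out = []
    for t in parsed["phase1"]:
        a = t["attrs"]
        key = f"-{a['keylength']}" if "keylength" in a else ""
        offer = f"{a.get('encryption')}{key}/{a.get('hash')}/group{a.get('group')}"
        verdict = "ACCEPTED" if t["accepted"] else f"rejected: {t['reason']}"
        out.append(f"phase 1 transform {t['transform']} vs policy {t['policy']}: {offer} -> {verdict}")
    for p in parsed["phase2"]:
        offer = p["transform_text"] or f"{p['esp']} {p['keylen'] or ''} {p['auth']}".strip()
        if p["ipsec_error"] is not None:  # ISAKMP said yes, the IPsec policy check still said no
            verdict = f"ISAKMP ok, IPsec policy rejected (error {p['ipsec_error']}"
            verdict += f", flags {p['flags']})" if p["flags"] else ")"
        else:
            verdict = "ACCEPTED" if p["isakmp_ok"] else "rejected by ISAKMP"
        out.append(f"phase 2 proposal {p['proposal']}: {offer} ({p['encaps']}) -> {verdict}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_ike_debug(SAMPLE_DEBUG)):
        print(line)
```

The phase-2 records keep the ISAKMP verdict (`atts are acceptable`) and the IPsec-policy verdict (`invalidated proposal with error …`) as separate fields on purpose: in a debug like the one above the first is a yes and the second a no, and seeing which of the two stages rejected the proposal is what tells you whether to look at the transform attributes or at what else the crypto map and ISAKMP profile require.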

 

3 Replies

ngkin2010
Level 7

Hi,

 

Could you try to match the Phase 2's lifetime parameters:

 

*Jul 4 14:00:46.950: ISAKMP: (1006): SA life type in seconds
*Jul 4 14:00:46.951: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jul 4 14:00:46.951: ISAKMP: (1006): SA life type in kilobytes
*Jul 4 14:00:46.951: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x9

 

 

On router:

 

crypto dynamic-map mainmap 120
description Windows10 L2TP no PFS
set security-association lifetime seconds 14400 3600
set security-association lifetime kilobyte 250000
set transform-set mainset2
set isakmp-profile LanToLan

 

 

 

 

Thank you very much for the suggestion:

This is my phase 1 policy which works:

crypto isakmp policy 100
encr aes 256
hash sha256
authentication pre-share
group 14

 

isakmp profile:

crypto isakmp profile LanToLan
description Lan to lan profile for CORS set connections
keyring hubspokes
match identity address 0.0.0.0
match identity host jserinki7<-----------this is there so libreswan can connect, works fine but was not required using IOS15.4.

 

crypto ipsec transform-set mainset5 esp-aes 256 esp-sha256-hmac
mode transport

crypto dynamic-map mainmap 105
set nat demux
set security-association lifetime kilobytes 250000
set transform-set mainset5
set isakmp-profile LanToLan

 

Turns out the SA lifetime default is 3600, so it doesn't show up.

 

This is how windows10 is setup:

PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "TestL2TP" -AllUserConnection -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup none -DHGroup gROUP14 -PassThru -Force


AuthenticationTransformConstants : SHA256128
CipherTransformConstants : AES256
DHGroup : Group14
IntegrityCheckMethod : SHA256
PfsGroup : None
EncryptionMethod : AES256

 

And the debug:

*Jul 16 10:28:34.922: ISAKMP: (1015):Checking IPSec proposal 1
*Jul 16 10:28:34.922: ISAKMP: (1015):transform 1, ESP_AES
*Jul 16 10:28:34.922: ISAKMP: (1015): attributes in transform:
*Jul 16 10:28:34.922: ISAKMP: (1015): encaps is 4 (Transport-UDP)
*Jul 16 10:28:34.922: ISAKMP: (1015): key length is 256
*Jul 16 10:28:34.922: ISAKMP: (1015): authenticator is HMAC-SHA256
*Jul 16 10:28:34.922: ISAKMP: (1015): SA life type in seconds
*Jul 16 10:28:34.922: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jul 16 10:28:34.922: ISAKMP: (1015): SA life type in kilobytes
*Jul 16 10:28:34.922: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Jul 16 10:28:34.923: ISAKMP: (1015):atts are acceptable.
*Jul 16 10:28:34.923: IPSEC(validate_proposal_request): proposal part #1
*Jul 16 10:28:34.923: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 103.205.244.106:0, remote= 220.255.242.218:0,
local_proxy= 103.205.244.106/255.255.255.255/17/1701,
remote_proxy= 220.255.242.218/255.255.255.255/17/1701,
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul 16 10:28:34.923: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x4
*Jul 16 10:28:34.924: ISAKMP-ERROR: (1015):IPSec policy invalidated proposal with error 1024
*Jul 16 10:28:34.925: ISAKMP-ERROR: (1015):phase 2 SA policy not acceptable! (local 103.205.244.106 remote 220.255.242.218)
*Jul 16 10:28:34.925: ISAKMP: (1015):set new node 772449960 to QM_IDLE
*Jul 16 10:28:34.925: ISAKMP: (1015):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

 

It all looks fine until it throws that "invalid transform proposal flag". I'd love to find a list of those somewhere.

Scratching my head here, the proposals look the same and in fact, the router seems happy with everything until that proposal flag.

 

It doesn't seem that it should be this hard....

Here is my debug:

Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
PKI:
verbose debug output debugging is on

 

I wonder if there is anything else I should be looking at?

 

:)

John

 

 

Hi Everyone:

 

I figured this out.

This is my original config:

crypto isakmp policy 100
encr aes 256
hash sha256
authentication pre-share
group 14

crypto isakmp profile LanToLan
description Lan to lan profile for CORS set connections
keyring hubspokes
match identity address 0.0.0.0
match identity host jserinki7<---------------------Windows10 did not like this
crypto ipsec transform-set mainset5 esp-aes 256 esp-sha-hmac
mode transport

crypto dynamic-map mainmap 105
description windows10 L2TP connection
set nat demux
set security-association lifetime kilobytes 250000
set security-association lifetime seconds 4000
set transform-set mainset5
set isakmp-profile LanToLan
reverse-route

crypto map soimainmap 100 ipsec-isakmp dynamic mainmap

 

So I changed it to this:

crypto isakmp profile Windows10
description windows10 dial in
keyring hubspokes
match identity address 0.0.0.0
crypto ipsec transform-set mainset5 esp-aes 256 esp-sha256-hmac
mode transport
crypto dynamic-map mainmap 105
description windows10 L2TP connection
set nat demux
set security-association lifetime kilobytes 250000
set security-association lifetime seconds 4000
set transform-set mainset5
set isakmp-profile Windows10
reverse-route

 

Worked fine.

I then added PFS to it like this:

On Windows 10:

PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "TestL2TP" -AllUserConnection -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -DHGroup Group14 -PassThru -Force


AuthenticationTransformConstants : SHA256128
CipherTransformConstants : AES256
DHGroup : Group14
IntegrityCheckMethod : SHA256
PfsGroup : PFS2048
EncryptionMethod : AES256

 

On the Cisco end:

crypto dynamic-map mainmap 105
description windows10 L2TP connection
set nat demux
set security-association lifetime kilobytes 250000
set security-association lifetime seconds 4000
set transform-set mainset5
set pfs group14
set isakmp-profile Windows10
reverse-route

 

Worked perfectly.

All good.

 

So the hiccup was the statement 'match identity host jserinki7' that I needed to make libreswan work from my Linux box.

Solution was to just make a separate isakmp profile as above.

 

Cheers,

john
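As an added example (not the poster's configuration or Cisco code) that generalises the transform-set comparison this thread turns on: the script below parses the transform-sets and dynamic-map entries out of an IOS config excerpt, translates a phase-2 proposal from the vocabulary of the ISAKMP debug into IOS keywords, and lists every dynamic-map entry / transform-set pair that would accept it. The keyword mapping tables, the rule that `set pfs` on an entry requires the peer to offer that same group (an entry without `set pfs` takes the offer either way), and the two config excerpts (condensed from the ones posted in this thread) are assumptions of the example; the offers are the proposals seen in the two debugs above.

```python
import re

# ISAKMP debug vocabulary -> IOS transform-set keywords (assumed mapping, built from the names in this thread).
CIPHER = {"ESP_AES": "esp-aes", "ESP_3DES": "esp-3des", "ESP_DES": "esp-des", "ESP_NULL": "esp-null"}
AUTH = {"HMAC-SHA": "esp-sha-hmac", "HMAC-SHA256": "esp-sha256-hmac", "HMAC-MD5": "esp-md5-hmac"}
MODE = {"Tunnel": "tunnel", "Tunnel-UDP": "tunnel", "Transport": "transport", "Transport-UDP": "transport"}

TS_LINE = re.compile(r"crypto ipsec transform-set (\S+) (esp-\S+)(?: (\d+))? (esp-\S+-hmac)")
DMAP_LINE = re.compile(r"crypto dynamic-map (\S+) (\d+)")


def parse_ios_crypto(config):
    """Extract transform-sets and dynamic-map entries from an IOS config excerpt."""
    sets, dmap, cur_set, cur_entry = {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = TS_LINE.match(line)
        if m:
            cur_set, cur_entry = m.group(1), None
            # "esp-aes" with no key size means 128; non-AES ciphers carry no key-size attribute
            keylen = int(m.group(3)) if m.group(3) else (128 if m.group(2) == "esp-aes" else None)
            sets[cur_set] = {"cipher": m.group(2), "keylen": keylen, "auth": m.group(4), "mode": "tunnel"}
            continue
        m = DMAP_LINE.match(line)
        if m:
            cur_set, cur_entry = None, {"seq": int(m.group(2)), "sets": [], "pfs": None}
            dmap.append(cur_entry)
            continue
        if line.startswith("crypto ") or line == "!":
            cur_set, cur_entry = None, None  # any other crypto block ends the one we were in
        elif cur_set and line.startswith("mode "):
            sets[cur_set]["mode"] = line.split()[1]
        elif cur_entry is not None and line.startswith("set transform-set "):
            cur_entry["sets"] = line.split()[2:]  # IOS tries these in the listed order
        elif cur_entry is not None and line.startswith("set pfs "):
            cur_entry["pfs"] = line.split()[2]
    return sets, dmap


def match_proposal(proposal, sets, dmap):
    """[(seq, set_name)] for every dynamic-map entry / transform-set that would accept the offer."""
    want = (CIPHER[proposal["esp"]], AUTH[proposal["auth"]], MODE[proposal["encaps"]])
    hits = []
    for entry in dmap:
        # Modelled responder rule (assumption): "set pfs" on the entry requires the peer to offer that
        # same group; an entry without "set pfs" takes the offer with or without PFS.
        if entry["pfs"] and proposal.get("pfs") != entry["pfs"]:
            continue
        for name in entry["sets"]:
            ts = sets.get(name)  # names not defined in the excerpt are skipped
            if ts and (ts["cipher"], ts["auth"], ts["mode"]) == want and \
                    (ts["cipher"] != "esp-aes" or ts["keylen"] == proposal.get("keylen")):
                hits.append((entry["seq"], name))
    return hits


# Condensed from the original config posted above (mainset3/mainset4 omitted).
ORIGINAL_CONFIG = """\
crypto ipsec transform-set mainset esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set mainset2 esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set mainset5 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set mainset6 esp-aes esp-sha-hmac
 mode transport
crypto dynamic-map mainmap 100
 set transform-set mainset
 set pfs group14
crypto dynamic-map mainmap 110
 set transform-set mainset mainset2 mainset3 mainset4
 set pfs group2
crypto dynamic-map mainmap 120
 set transform-set mainset6 mainset5 mainset2
"""
# The five phase-2 proposals the Windows 10 client sent in the first debug: transport mode,
# NAT-T UDP-encapsulated, no PFS, in the order the router checked them.
WINDOWS_OFFER = [
    {"esp": "ESP_AES", "keylen": 256, "auth": "HMAC-SHA", "encaps": "Transport-UDP"},
    {"esp": "ESP_AES", "keylen": 128, "auth": "HMAC-SHA", "encaps": "Transport-UDP"},
    {"esp": "ESP_3DES", "auth": "HMAC-SHA", "encaps": "Transport-UDP"},
    {"esp": "ESP_DES", "auth": "HMAC-SHA", "encaps": "Transport-UDP"},
    {"esp": "ESP_NULL", "auth": "HMAC-SHA", "encaps": "Transport-UDP"},
]
# Condensed from the final working config above, plus the offer the final
# Set-VpnConnectionIPsecConfiguration produces: AES256 / SHA256 / PFS2048 (DH group 14).
FINAL_CONFIG = """\
crypto ipsec transform-set mainset5 esp-aes 256 esp-sha256-hmac
 mode transport
crypto dynamic-map mainmap 105
 set transform-set mainset5
 set pfs group14
"""
FINAL_OFFER = {"esp": "ESP_AES", "keylen": 256, "auth": "HMAC-SHA256", "encaps": "Transport-UDP", "pfs": "group14"}

if __name__ == "__main__":
    sets, dmap = parse_ios_crypto(ORIGINAL_CONFIG)
    for i, offer in enumerate(WINDOWS_OFFER, 1):
        print(f"original config, proposal {i}: {match_proposal(offer, sets, dmap) or 'no match'}")
    sets, dmap = parse_ios_crypto(FINAL_CONFIG)
    print("final config, PFS offered:", match_proposal(FINAL_OFFER, sets, dmap))
    print("final config, PFS omitted:", match_proposal({**FINAL_OFFER, "pfs": None}, sets, dmap))
```

Against the original config the two AES/SHA1 proposals come back matched by `mainset2` and `mainset6` in entry 120 (entries 100 and 110 drop out because they demand PFS and the client offered none), which agrees with the poster's reading that the transform-sets covered them; the DES, 3DES and NULL offers match nothing. Against the final config the SHA256 offer with PFS matches entry 105, and the same offer without PFS matches nothing, which is the failure to expect when `set pfs group14` is on the router but `-PfsGroup none` is on the client.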