
Cisco IOS L2TP/IPsec with Windows VPN client

Herman Skubic
Level 1

Hello,

I'm having a problem establishing an L2TP/IPsec VPN connection from a Windows Vista/7 VPN client to a Cisco 1921 (IOS 15.2).

C1 --------> (internet cloud) ---------> (cisco 1921)----->LAN

The error that I'm retrieving is always the same: Error 789: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

But I'm able to establish an L2TP/IPsec VPN connection to the same VPN server with my iPhone 4.

Below is the ISAKMP debug log from the LNS router (Cisco 1921) when I tried to establish the VPN with the Windows client.

Could somebody see anything useful in these logs to point me in the right direction to finally solve this problem with Windows clients?

Thank you for your responses.

Rg,

Herman

#debug crypto isakmp

*Apr  8 10:56:47.018: ISAKMP (0): received packet from 186.51.43.137 dport 500 sport 987 Global (N) NEW SA

*Apr  8 10:56:47.018: ISAKMP: Created a peer struct for 186.51.43.137, peer port 987

*Apr  8 10:56:47.018: ISAKMP: New peer created peer = 0x3296C24C peer_handle = 0x80000068

*Apr  8 10:56:47.018: ISAKMP: Locking peer struct 0x3296C24C, refcount 1 for crypto_isakmp_process_block

*Apr  8 10:56:47.018: ISAKMP: local port 500, remote port 987

*Apr  8 10:56:47.018: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 30E00938

*Apr  8 10:56:47.018: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr  8 10:56:47.018: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Apr  8 10:56:47.018: ISAKMP:(0): processing SA payload. message ID = 0

*Apr  8 10:56:47.018: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.018: ISAKMP:(0): processing IKE frag vendor id payload

*Apr  8 10:56:47.018: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Apr  8 10:56:47.018: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Apr  8 10:56:47.018: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Apr  8 10:56:47.018: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr  8 10:56:47.018: ISAKMP:(0): vendor ID is NAT-T v2

*Apr  8 10:56:47.018: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch

*Apr  8 10:56:47.018: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch

*Apr  8 10:56:47.018: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch

*Apr  8 10:56:47.018: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch

*Apr  8 10:56:47.018: ISAKMP:(0):found peer pre-shared key matching 186.51.43.137

*Apr  8 10:56:47.018: ISAKMP:(0): local preshared key found

*Apr  8 10:56:47.018: ISAKMP : Scanning profiles for xauth ...

*Apr  8 10:56:47.018: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Apr  8 10:56:47.018: ISAKMP:      encryption AES-CBC

*Apr  8 10:56:47.018: ISAKMP:      keylength of 256

*Apr  8 10:56:47.018: ISAKMP:      hash SHA

*Apr  8 10:56:47.018: ISAKMP:      default group 20

*Apr  8 10:56:47.018: ISAKMP:      auth pre-share

*Apr  8 10:56:47.018: ISAKMP:      life type in seconds

*Apr  8 10:56:47.018: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.018: ISAKMP:(0):Proposed key length does not match policy

*Apr  8 10:56:47.018: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Apr  8 10:56:47.018: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy

*Apr  8 10:56:47.018: ISAKMP:      encryption AES-CBC

*Apr  8 10:56:47.018: ISAKMP:      keylength of 128

*Apr  8 10:56:47.018: ISAKMP:      hash SHA

*Apr  8 10:56:47.018: ISAKMP:      default group 19

*Apr  8 10:56:47.018: ISAKMP:      auth pre-share

*Apr  8 10:56:47.018: ISAKMP:      life type in seconds

*Apr  8 10:56:47.022: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.022: ISAKMP:(0):Diffie-Hellman group offered does not match policy!

*Apr  8 10:56:47.022: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy

*Apr  8 10:56:47.022: ISAKMP:      encryption AES-CBC

*Apr  8 10:56:47.022: ISAKMP:      keylength of 256

*Apr  8 10:56:47.022: ISAKMP:      hash SHA

*Apr  8 10:56:47.022: ISAKMP:      default group 14

*Apr  8 10:56:47.022: ISAKMP:      auth pre-share

*Apr  8 10:56:47.022: ISAKMP:      life type in seconds

*Apr  8 10:56:47.022: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.022: ISAKMP:(0):Proposed key length does not match policy

*Apr  8 10:56:47.022: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy

*Apr  8 10:56:47.022: ISAKMP:      encryption 3DES-CBC

*Apr  8 10:56:47.022: ISAKMP:      hash SHA

*Apr  8 10:56:47.022: ISAKMP:      default group 14

*Apr  8 10:56:47.022: ISAKMP:      auth pre-share

*Apr  8 10:56:47.022: ISAKMP:      life type in seconds

*Apr  8 10:56:47.022: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.022: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Apr  8 10:56:47.022: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy

*Apr  8 10:56:47.022: ISAKMP:      encryption 3DES-CBC

*Apr  8 10:56:47.022: ISAKMP:      hash SHA

*Apr  8 10:56:47.022: ISAKMP:      default group 2

*Apr  8 10:56:47.022: ISAKMP:      auth pre-share

*Apr  8 10:56:47.022: ISAKMP:      life type in seconds

*Apr  8 10:56:47.022: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.022: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Apr  8 10:56:47.022: ISAKMP:(0):atts are not acceptable. Next payload is 0

*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy

*Apr  8 10:56:47.022: ISAKMP:      encryption AES-CBC

*Apr  8 10:56:47.022: ISAKMP:      keylength of 256

*Apr  8 10:56:47.022: ISAKMP:      hash SHA

*Apr  8 10:56:47.022: ISAKMP:      default group 20

*Apr  8 10:56:47.022: ISAKMP:      auth pre-share

*Apr  8 10:56:47.022: ISAKMP:      life type in seconds

*Apr  8 10:56:47.022: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.022: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Apr  8 10:56:47.022: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 2 against priority 20 policy

*Apr  8 10:56:47.022: ISAKMP:      encryption AES-CBC

*Apr  8 10:56:47.022: ISAKMP:      keylength of 128

*Apr  8 10:56:47.022: ISAKMP:      hash SHA

*Apr  8 10:56:47.022: ISAKMP:      default group 19

*Apr  8 10:56:47.022: ISAKMP:      auth pre-share

*Apr  8 10:56:47.022: ISAKMP:      life type in seconds

*Apr  8 10:56:47.022: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.022: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Apr  8 10:56:47.022: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 3 against priority 20 policy

*Apr  8 10:56:47.022: ISAKMP:      encryption AES-CBC

*Apr  8 10:56:47.022: ISAKMP:      keylength of 256

*Apr  8 10:56:47.022: ISAKMP:      hash SHA

*Apr  8 10:56:47.022: ISAKMP:      default group 14

*Apr  8 10:56:47.022: ISAKMP:      auth pre-share

*Apr  8 10:56:47.022: ISAKMP:      life type in seconds

*Apr  8 10:56:47.022: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.022: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Apr  8 10:56:47.022: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 4 against priority 20 policy

*Apr  8 10:56:47.022: ISAKMP:      encryption 3DES-CBC

*Apr  8 10:56:47.022: ISAKMP:      hash SHA

*Apr  8 10:56:47.022: ISAKMP:      default group 14

*Apr  8 10:56:47.022: ISAKMP:      auth pre-share

*Apr  8 10:56:47.022: ISAKMP:      life type in seconds

*Apr  8 10:56:47.022: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.022: ISAKMP:(0):Diffie-Hellman group offered does not match policy!

*Apr  8 10:56:47.022: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 5 against priority 20 policy

*Apr  8 10:56:47.022: ISAKMP:      encryption 3DES-CBC

*Apr  8 10:56:47.022: ISAKMP:      hash SHA

*Apr  8 10:56:47.022: ISAKMP:      default group 2

*Apr  8 10:56:47.022: ISAKMP:      auth pre-share

*Apr  8 10:56:47.022: ISAKMP:      life type in seconds

*Apr  8 10:56:47.022: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Apr  8 10:56:47.022: ISAKMP:(0):atts are acceptable. Next payload is 0

*Apr  8 10:56:47.022: ISAKMP:(0):Acceptable atts:actual life: 0

*Apr  8 10:56:47.022: ISAKMP:(0):Acceptable atts:life: 0

*Apr  8 10:56:47.022: ISAKMP:(0):Fill atts in sa vpi_length:4

*Apr  8 10:56:47.022: ISAKMP:(0):Fill atts in sa life_in_seconds:28800

*Apr  8 10:56:47.022: ISAKMP:(0):Returning Actual lifetime: 28800

*Apr  8 10:56:47.022: ISAKMP:(0)::Started lifetime timer: 28800.

*Apr  8 10:56:47.022: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.022: ISAKMP:(0): processing IKE frag vendor id payload

*Apr  8 10:56:47.022: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Apr  8 10:56:47.022: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Apr  8 10:56:47.022: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Apr  8 10:56:47.022: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Apr  8 10:56:47.022: ISAKMP:(0): vendor ID is NAT-T v2

*Apr  8 10:56:47.022: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch

*Apr  8 10:56:47.022: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch

*Apr  8 10:56:47.022: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch

*Apr  8 10:56:47.022: ISAKMP:(0): processing vendor id payload

*Apr  8 10:56:47.022: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch

*Apr  8 10:56:47.022: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr  8 10:56:47.022: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Apr  8 10:56:47.026: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Apr  8 10:56:47.026: ISAKMP:(0): sending packet to 186.51.43.137 my_port 500 peer_port 987 (R) MM_SA_SETUP

*Apr  8 10:56:47.026: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Apr  8 10:56:47.026: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr  8 10:56:47.026: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Apr  8 10:56:47.126: ISAKMP (0): received packet from 186.51.43.137 dport 500 sport 987 Global (R) MM_SA_SETUP

*Apr  8 10:56:47.126: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr  8 10:56:47.126: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Apr  8 10:56:47.126: ISAKMP:(0): processing KE payload. message ID = 0

*Apr  8 10:56:47.154: ISAKMP:(0): processing NONCE payload. message ID = 0

*Apr  8 10:56:47.154: ISAKMP:(0):found peer pre-shared key matching 186.51.43.137

*Apr  8 10:56:47.158: ISAKMP:received payload type 20

*Apr  8 10:56:47.158: ISAKMP (1092): His hash no match - this node outside NAT

*Apr  8 10:56:47.158: ISAKMP:received payload type 20

*Apr  8 10:56:47.158: ISAKMP (1092): His hash no match - this node outside NAT

*Apr  8 10:56:47.158: ISAKMP:(1092):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr  8 10:56:47.158: ISAKMP:(1092):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Apr  8 10:56:47.158: ISAKMP:(1092): sending packet to 186.51.43.137 my_port 500 peer_port 987 (R) MM_KEY_EXCH

*Apr  8 10:56:47.158: ISAKMP:(1092):Sending an IKE IPv4 Packet.

*Apr  8 10:56:47.158: ISAKMP:(1092):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr  8 10:56:47.158: ISAKMP:(1092):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Apr  8 10:56:47.282: ISAKMP (1092): received packet from 186.51.43.137 dport 4500 sport 19947 Global (R) MM_KEY_EXCH

*Apr  8 10:56:47.282: ISAKMP:(1092):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr  8 10:56:47.282: ISAKMP:(1092):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Apr  8 10:56:47.282: ISAKMP:(1092): processing ID payload. message ID = 0

*Apr  8 10:56:47.282: ISAKMP (1092): ID payload

        next-payload : 8

        type         : 1

        address      : 192.168.1.100

        protocol     : 0

        port         : 0

        length       : 12

*Apr  8 10:56:47.282: ISAKMP:(0):: peer matches *none* of the profiles

*Apr  8 10:56:47.282: ISAKMP:(1092): processing HASH payload. message ID = 0

*Apr  8 10:56:47.282: ISAKMP:(1092):SA authentication status:

        authenticated

*Apr  8 10:56:47.282: ISAKMP:(1092):SA has been authenticated with 186.51.43.137

*Apr  8 10:56:47.282: ISAKMP:(1092):Detected port floating to port = 19947

*Apr  8 10:56:47.282: ISAKMP: Trying to insert a peer 82.14.177.83/186.51.43.137/19947/,  and inserted successfully 3296C24C.

*Apr  8 10:56:47.282: ISAKMP:(1092):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Apr  8 10:56:47.282: ISAKMP:(1092):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Apr  8 10:56:47.282: ISAKMP:(1092):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Apr  8 10:56:47.282: ISAKMP (1092): ID payload

        next-payload : 8

        type         : 1

        address      : 82.14.177.83

        protocol     : 17

        port         : 0

        length       : 12

*Apr  8 10:56:47.282: ISAKMP:(1092):Total payload length: 12

*Apr  8 10:56:47.282: ISAKMP:(1092): sending packet to 186.51.43.137 my_port 4500 peer_port 19947 (R) MM_KEY_EXCH

*Apr  8 10:56:47.282: ISAKMP:(1092):Sending an IKE IPv4 Packet.

*Apr  8 10:56:47.282: ISAKMP:(1092):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Apr  8 10:56:47.282: ISAKMP:(1092):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Apr  8 10:56:47.282: ISAKMP:(1092):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Apr  8 10:56:47.282: ISAKMP:(1092):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr  8 10:56:47.378: ISAKMP (1092): received packet from 186.51.43.137 dport 4500 sport 19947 Global (R) QM_IDLE

*Apr  8 10:56:47.378: ISAKMP: set new node 1 to QM_IDLE

*Apr  8 10:56:47.378: ISAKMP:(1092): processing HASH payload. message ID = 1

*Apr  8 10:56:47.378: ISAKMP:(1092): processing SA payload. message ID = 1

*Apr  8 10:56:47.378: ISAKMP (1092): processing NAT-OAi payload. addr = 192.168.1.100, message ID = 1

*Apr  8 10:56:47.378: ISAKMP (1092): processing NAT-OAr payload. addr = 82.14.177.83, message ID = 1

*Apr  8 10:56:47.378: ISAKMP:(1092):Checking IPSec proposal 1

*Apr  8 10:56:47.378: ISAKMP: transform 1, ESP_AES

*Apr  8 10:56:47.378: ISAKMP:   attributes in transform:

*Apr  8 10:56:47.378: ISAKMP:      encaps is 4 (Transport-UDP)

*Apr  8 10:56:47.378: ISAKMP:      key length is 128

*Apr  8 10:56:47.378: ISAKMP:      authenticator is HMAC-SHA

*Apr  8 10:56:47.378: ISAKMP:      SA life type in seconds

*Apr  8 10:56:47.378: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10

*Apr  8 10:56:47.378: ISAKMP:      SA life type in kilobytes

*Apr  8 10:56:47.378: ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xD0 0x90

*Apr  8 10:56:47.378: ISAKMP:(1092):atts are acceptable.

*Apr  8 10:56:47.378: ISAKMP:(1092): processing NONCE payload. message ID = 1

*Apr  8 10:56:47.378: ISAKMP:(1092): processing ID payload. message ID = 1

*Apr  8 10:56:47.378: ISAKMP:(1092): processing ID payload. message ID = 1

*Apr  8 10:56:47.378: ISAKMP:received payload type 21

*Apr  8 10:56:47.378: ISAKMP:received payload type 21

*Apr  8 10:56:47.378: ISAKMP:(1092):QM Responder gets spi

*Apr  8 10:56:47.378: ISAKMP:(1092):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Apr  8 10:56:47.378: ISAKMP:(1092):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

*Apr  8 10:56:47.378: ISAKMP:(1092):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

*Apr  8 10:56:47.378: ISAKMP:(1092):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT

*Apr  8 10:56:47.378:  ISAKMP: Failed to find peer index node to update peer_info_list

*Apr  8 10:56:47.378: ISAKMP:(1092):Received IPSec Install callback... proceeding with the negotiation

*Apr  8 10:56:47.382: ISAKMP:(1092): sending packet to 186.51.43.137 my_port 4500 peer_port 19947 (R) QM_IDLE

*Apr  8 10:56:47.382: ISAKMP:(1092):Sending an IKE IPv4 Packet.

*Apr  8 10:56:47.382: ISAKMP:(1092):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE

*Apr  8 10:56:47.382: ISAKMP:(1092):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2

*Apr  8 10:56:47.462: ISAKMP (1092): received packet from 186.51.43.137 dport 4500 sport 19947 Global (R) QM_IDLE

*Apr  8 10:56:47.462: ISAKMP: set new node 1372764693 to QM_IDLE

*Apr  8 10:56:47.462: ISAKMP:(1092): processing HASH payload. message ID = 1372764693

*Apr  8 10:56:47.462: ISAKMP:(1092): processing DELETE payload. message ID = 1372764693

*Apr  8 10:56:47.462: ISAKMP:(1092):peer does not do paranoid keepalives.

*Apr  8 10:56:47.462: ISAKMP:(1092):deleting SA reason "No reason" state (R) QM_IDLE       (peer 186.51.43.137)

*Apr  8 10:56:47.462: ISAKMP:(1092):deleting node 1372764693 error FALSE reason "Informational (in) state 1"

*Apr  8 10:56:47.462: ISAKMP: set new node -625494474 to QM_IDLE

*Apr  8 10:56:47.462: ISAKMP:(1092): sending packet to 186.51.43.137 my_port 4500 peer_port 19947 (R) QM_IDLE

*Apr  8 10:56:47.462: ISAKMP:(1092):Sending an IKE IPv4 Packet.

*Apr  8 10:56:47.462: ISAKMP:(1092):purging node -625494474

*Apr  8 10:56:47.462: ISAKMP:(1092):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Apr  8 10:56:47.462: ISAKMP:(1092):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Apr  8 10:56:47.462: ISAKMP:(1092):deleting SA reason "No reason" state (R) QM_IDLE       (peer 186.51.43.137)

*Apr  8 10:56:47.462: ISAKMP: Unlocking peer struct 0x3296C24C for isadb_mark_sa_deleted(), count 0

*Apr  8 10:56:47.462: ISAKMP:(1092):deleting node 1 error FALSE reason "IKE deleted"

*Apr  8 10:56:47.466: ISAKMP:(1092):peer does not do paranoid keepalives.

*Apr  8 10:56:47.466: ISAKMP:(1092):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Apr  8 10:56:47.466: ISAKMP:(1092):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Apr  8 10:56:47.466:  ISAKMP: Failed to find peer index node to update peer_info_list

*Apr  8 10:56:47.466: ISAKMP: Deleting peer node by peer_reap for 186.51.43.137: 3296C24C

*Apr  8 10:57:37.462: ISAKMP:(1092):purging node 1372764693

*Apr  8 10:57:37.466: ISAKMP:(1092):purging node 1

*Apr  8 10:57:47.466: ISAKMP:(1092):purging SA., sa=30E00938, delme=30E00938

4 Replies

Herman Skubic
Level 1

I've managed to solve this problem.

How did you fix this problem? I am trying to figure out which encryption, hash and DH group combination is accepted by Windows.

-------

May 23 04:21:41.549: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

May 23 04:21:41.549: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

May 23 04:21:41.549: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

May 23 04:21:41.549: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

May 23 04:21:41.553: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

May 23 04:21:41.553: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

May 23 04:21:41.553: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

May 23 04:21:41.553: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

May 23 04:21:41.553: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

May 23 04:21:41.553: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

May 23 04:21:41.553: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!

May 23 04:21:41.557: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

May 23 04:21:41.557: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!

May 23 04:21:41.557: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0

May 23 04:21:41.557: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

May 23 04:21:41.557: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

May 23 04:21:41.557: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

May 23 04:21:41.561: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

May 23 04:21:41.561: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

May 23 04:21:41.561: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

May 23 04:21:41.561: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!

May 23 04:21:41.561: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

R1#

May 23 04:22:42.589: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 114.30.122.119, remote 121.44.73.70)

May 23 04:23:12.594: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 121.44.73.70)

May 23 04:23:12.598: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 121.44.73.70)

Post your running config or just the VPDN part of it.

I removed this command: crypto ipsec security-association lifetime seconds 900
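
The question of which encryption, hash and DH group combination the router accepts from Windows can be read straight out of `debug crypto isakmp` output by tabulating each "transform N against priority P" comparison and its verdict. The following is an added example, not part of the original thread; the function name `parse_phase1_checks` and the dictionary keys are assumptions chosen for illustration, and the sample is abridged from the log in the first post.

```python
import re

# Abridged excerpt of the first post's "debug crypto isakmp" output
# (life type/duration lines dropped to keep the sample short).
SAMPLE_LOG = """\
*Apr  8 10:56:47.018: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Apr  8 10:56:47.018: ISAKMP:      encryption AES-CBC
*Apr  8 10:56:47.018: ISAKMP:      keylength of 256
*Apr  8 10:56:47.018: ISAKMP:      hash SHA
*Apr  8 10:56:47.018: ISAKMP:      default group 20
*Apr  8 10:56:47.018: ISAKMP:      auth pre-share
*Apr  8 10:56:47.018: ISAKMP:(0):Proposed key length does not match policy
*Apr  8 10:56:47.018: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Apr  8 10:56:47.022: ISAKMP:      encryption 3DES-CBC
*Apr  8 10:56:47.022: ISAKMP:      hash SHA
*Apr  8 10:56:47.022: ISAKMP:      default group 2
*Apr  8 10:56:47.022: ISAKMP:      auth pre-share
*Apr  8 10:56:47.022: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Apr  8 10:56:47.022: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Apr  8 10:56:47.022: ISAKMP:(0):Checking ISAKMP transform 5 against priority 20 policy
*Apr  8 10:56:47.022: ISAKMP:      encryption 3DES-CBC
*Apr  8 10:56:47.022: ISAKMP:      hash SHA
*Apr  8 10:56:47.022: ISAKMP:      default group 2
*Apr  8 10:56:47.022: ISAKMP:      auth pre-share
*Apr  8 10:56:47.022: ISAKMP:(0):atts are acceptable. Next payload is 0
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTRS = {  # attribute lines the peer offered inside one transform
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "keylength": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "dh_group": re.compile(r"ISAKMP:\s+default group (\d+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
}
MISMATCH = re.compile(r"ISAKMP:\(.*?\):\s*(.+ does not match policy)!?")
VERDICT = re.compile(r"atts are (not )?acceptable")


def parse_phase1_checks(log_text):
    """Return one dict per transform/policy comparison, in log order."""
    checks, cur = [], None
    for line in log_text.splitlines():
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                   "accepted": None, "reason": None}
            checks.append(cur)
            continue
        if cur is None or cur["accepted"] is not None:
            continue  # not inside an open comparison block
        for name, rx in ATTRS.items():
            m = rx.search(line)
            if m:
                cur[name] = m.group(1)
        m = MISMATCH.search(line)
        if m:
            cur["reason"] = m.group(1)  # first attribute the policy rejected
        m = VERDICT.search(line)
        if m:
            cur["accepted"] = m.group(1) is None  # closes the block
    return checks
```

Run over the full log in the first post, the only accepted comparison is transform 5 against the priority 20 policy (3DES-CBC, SHA, group 2, pre-share). Terminal-wrapped lines have to be rejoined first, since a reason split across two lines will not match.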