
Client VPN failing to connect - Processing of Aggressive mode failed

lotten1981
Level 1

Installing VPN capability on a Cisco 891.

Config is from snippets used on a prior working install.

Getting the following debug output when trying to connect the Client VPN.

Jun 28 02:58:10.356: ISAKMP:(0):Proposed key length does not match policy

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Proposed key length does not match policy

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Preshared authentication offered but does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3

Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!

Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 0

Jun 28 02:58:10.356: ISAKMP:(0):no offers accepted!

Jun 28 02:58:10.356: ISAKMP:(0): phase 1 SA policy not acceptable! (local 71.13.69.138 remote 97.83.99.146)

Jun 28 02:58:10.356: ISAKMP:(0): Failed to construct AG informational message.

Jun 28 02:58:10.356: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 97.83.99.146)

Jun 28 02:58:10.360: ISAKMP:(0): group size changed! Should be 0, is 128

Jun 28 02:58:10.360: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY

Jun 28 02:58:10.360: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 97.83.99.146

Jun 28 02:58:10.360: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 97.83.99.146)

Client eventually fails and indicates Error 412 - The remote peer is no longer responding

Unsure of issue.

Config on the VPN router is as follows:

aaa new-model

!

!

aaa authentication login default local

aaa authentication login USER local

aaa authorization network GROUP local

!

username [Omitted]

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

lifetime 7200

crypto isakmp key CiscoVPN address 0.0.0.0 0.0.0.0

crypto isakmp client configuration address-pool local EZVPN_POOL

!

crypto isakmp client configuration group EZVPN

key [Omitted]

dns 4.2.2.2

wins 4.2.2.2

pool EZVPN_POOL

acl VPN-InterestingTraffic

save-password

netmask 255.255.255.0

crypto isakmp profile EZVPN_PROFILE

   match identity group EZVPN

   client authentication list USER

   isakmp authorization list GROUP

   client configuration address respond

   virtual-template 1

!

crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac

!

crypto ipsec profile EZVPN_PROFILE

set transform-set EZVPN_SET

set isakmp-profile EZVPN_PROFILE

!

!

interface Virtual-Template1 type tunnel

ip unnumbered GigabitEthernet0

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile EZVPN_PROFILE

!

ip local pool EZVPN_POOL 10.0.0.10 10.0.0.20

!

ip access-list extended VPN-InterestingTraffic

permit ip 192.168.248.0 0.0.0.255 10.0.0.0 0.0.0.255

!

! Addition to ACL to allow VPN

7 permit udp any host 71.13.69.138 eq isakmp

8 permit udp any host 71.13.69.138 eq non500-isakmp

9 permit esp any host 71.13.69.138

I'm using a snippet that worked some months ago (had to troubleshoot it for a long time).

Unsure of the problem.

Thanks

3 Replies

lotten1981
Level 1

Fixed it.

Came down to a mistake in the Group/Secret.

Finally realized that I had misinterpreted where the VPN Group was configured.

Thought I had made the Group = CiscoVPN

by looking at

crypto isakmp key CiscoVPN address 0.0.0.0 0.0.0.0

But really the Group = EZVPN

Can see this at

crypto isakmp client configuration group EZVPN

The

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 97.83.99.146

message ended up being a simple mismatch of the Phase 1 Group/Secret combination.

Thanks for posting back to the forum and telling us that you have fixed it and what the problem was. This will be a reminder to some of us about the importance of checking basic things like matching group ID and shared secret.

HTH

Rick

Right.

If only the computer could just tell me that in a way that isn't a half page of unclear log messages.

The programmer training in college is suggesting the message could have been better...

But yes.

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed

=

Group/Secret do not match
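
An added example, not part of the thread and not Cisco tooling: a small Python summarizer for the kind of ISAKMP debug output posted above. It collapses the repeated per-proposal rejections into counts and pulls out the final phase 1 outcome and peer. The sample lines are a trimmed subset of the log in the first post; the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Trimmed subset of the debug lines posted in this thread (not a new capture).
SAMPLE = """\
Jun 28 02:58:10.356: ISAKMP:(0):Proposed key length does not match policy
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 28 02:58:10.356: ISAKMP:(0):no offers accepted!
Jun 28 02:58:10.356: ISAKMP:(0): phase 1 SA policy not acceptable! (local 71.13.69.138 remote 97.83.99.146)
Jun 28 02:58:10.360: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 97.83.99.146
"""

# Timestamp plus the optional "ISAKMP:(n):" tag that precedes each message.
PREFIX = re.compile(r"^\w{3}\s+\d+\s+[\d:.]+:\s*(?:ISAKMP\s*:?\s*\(\d+\):\s*)?")
# "<attribute> [offered] [but] does not match policy[!]"
MISMATCH = re.compile(r"^(.+?)(?: offered)?(?: but)? does not match policy!?$")
MODE_FAIL = re.compile(r"Processing of (\w+) mode failed with peer at ([\d.]+)")


def summarize(log):
    """Reduce ISAKMP phase 1 debug lines to a short, countable summary."""
    reasons, rejected = Counter(), 0
    result = {"no_offers_accepted": False, "failed_mode": None, "peer": None}
    for raw in log.splitlines():
        msg = PREFIX.sub("", raw.strip())
        if not msg:
            continue
        m = MISMATCH.match(msg)
        if m:
            reasons[m.group(1)] += 1          # which attribute was refused
        elif msg.startswith("atts are not acceptable"):
            rejected += 1                     # one rejected proposal comparison
        elif msg.startswith("no offers accepted"):
            result["no_offers_accepted"] = True
        else:
            f = MODE_FAIL.search(msg)
            if f:
                result["failed_mode"], result["peer"] = f.groups()
    result.update(proposals_rejected=rejected, reasons=dict(reasons))
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a full capture, the `reasons` counts show at a glance which attributes were refused and how often, and `no_offers_accepted` together with `failed_mode` marks the point where the exchange was abandoned.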