Installing VPN capability on a Cisco 891.
Config is from snippets used on a prior working install.
Getting the following debug output when trying to connect the Client VPN.
Jun 28 02:58:10.356: ISAKMP:(0):Proposed key length does not match policy
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Proposed key length does not match policy
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 28 02:58:10.356: ISAKMP:(0):no offers accepted!
Jun 28 02:58:10.356: ISAKMP:(0): phase 1 SA policy not acceptable! (local 71.13.69.138 remote 97.83.99.146)
Jun 28 02:58:10.356: ISAKMP:(0): Failed to construct AG informational message.
Jun 28 02:58:10.356: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 97.83.99.146)
Jun 28 02:58:10.360: ISAKMP:(0): group size changed! Should be 0, is 128
Jun 28 02:58:10.360: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Jun 28 02:58:10.360: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 97.83.99.146
Jun 28 02:58:10.360: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 97.83.99.146)
Client eventually fails and indicates Error 412 - The remote peer is no longer responding
Unsure of issue.
Config on the VPN router is as follows:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login USER local
aaa authorization network GROUP local
!
username [Omitted]
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 7200
crypto isakmp key CiscoVPN address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN_POOL
!
crypto isakmp client configuration group EZVPN
key [Omitted]
dns 4.2.2.2
wins 4.2.2.2
pool EZVPN_POOL
acl VPN-InterestingTraffic
save-password
netmask 255.255.255.0
crypto isakmp profile EZVPN_PROFILE
match identity group EZVPN
client authentication list USER
isakmp authorization list GROUP
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
set transform-set EZVPN_SET
set isakmp-profile EZVPN_PROFILE
!
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile EZVPN_PROFILE
!
ip local pool EZVPN_POOL 10.0.0.10 10.0.0.20
!
ip access-list extended VPN-InterestingTraffic
permit ip 192.168.248.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Addition to ACL to allow VPN
7 permit udp any host 71.13.69.138 eq isakmp
8 permit udp any host 71.13.69.138 eq non500-isakmp
9 permit esp any host 71.13.69.138
I'm using a snippet that worked some months ago (had to troubleshoot it for a long time).
Unsure of the problem.
Thanks
Fixed it.
Came down to a mistake in the Group/Secret.
Finally realized that I had misinterpreted where the VPN Group was configured.
Thought I had made the Group = CiscoVPN
by looking at
crypto isakmp key CiscoVPN address 0.0.0.0 0.0.0.0
But really the Group = EZVPN
Can see this at
crypto isakmp client configuration group EZVPN
The
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 97.83.99.146
message ended up being a simple mismatch of the Phase 1 Group/Secret combination.
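As an added example (not code from the thread), a small Python triage script run over the debug lines quoted above: it counts the rejected proposals and why each was refused, spots the Aggressive-mode failure, and reduces the wall of messages to the one-line verdict the poster wanted. The sample lines are copied from this thread's debug output; the verdict wording is an assumption based on the thread's conclusion that an Aggressive-mode "no offers accepted" points first at the group name / pre-shared key.

```python
import re
from collections import Counter

# Debug lines copied (trimmed) from the "debug crypto isakmp" output in this thread.
SAMPLE_DEBUG = """\
Jun 28 02:58:10.356: ISAKMP:(0):Proposed key length does not match policy
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Hash algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jun 28 02:58:10.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 28 02:58:10.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 28 02:58:10.356: ISAKMP:(0):no offers accepted!
Jun 28 02:58:10.360: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 97.83.99.146
"""

# Which phase-1 attribute each "does not match policy" line complains about.
ATTRIBUTES = {
    "Proposed key length": "key length",
    "Hash algorithm": "hash",
    "Encryption algorithm": "encryption",
    "Xauth authentication by pre-shared key": "authentication",
    "Preshared authentication": "authentication",
}
MSG_RE = re.compile(r"ISAKMP:\(\d+\):\s*(?P<msg>.+)$")
FAIL_RE = re.compile(r"IKMP_MODE_FAILURE: Processing of (?P<mode>\w+) mode failed with peer at (?P<peer>[\d.]+)")

def triage_isakmp(debug_text):
    reasons, rejected, no_offers, mode, peer = Counter(), 0, False, None, None
    for line in debug_text.splitlines():
        if m := FAIL_RE.search(line):
            mode, peer = m.group("mode"), m.group("peer")
        elif m := MSG_RE.search(line):
            msg = m.group("msg")
            if msg.startswith("atts are not acceptable"):
                rejected += 1
            elif "no offers accepted" in msg:
                no_offers = True
            elif "does not match policy" in msg:
                reasons[next((v for k, v in ATTRIBUTES.items() if msg.startswith(k)), "other")] += 1
    # Aggressive mode carries the client's group ID; when every proposal is refused and
    # the exchange dies, the thread's lesson is to verify group name and key before ciphers.
    if not no_offers:
        verdict = "a phase 1 proposal was accepted; the failure is later in the exchange"
    elif mode == "Aggressive":
        verdict = "check group name / pre-shared key first"
    else:
        verdict = "check isakmp policy attributes: " + ", ".join(sorted(reasons))
    return {"rejected": rejected, "reasons": dict(reasons), "no_offers": no_offers, "mode": mode, "peer": peer, "verdict": verdict}
```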
Thanks for posting back to the forum and telling us that you have fixed it and what the problem was. This will be a reminder to some of us about the importance of checking basic things like matching group ID and shared secret.
HTH
Rick
Right.
If only the computer could just tell me that in a way that isn't a half page of unclear log messages.
The programmer training in college is suggesting the message could have been better...
But yes.
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed
=
Group/Secret do not match