
Debug help Needed for VPN issue

Thomas Grassi
Level 1

Cisco Client 5.0.07.0410 trying to VPN into my 851 using Easy VPN to access my Windows 2003 domain resources.

The client fails with a 412 error using transport IPsec over UDP (NAT/PAT).

Tried IPsec over TCP port 10000.

Turned off the firewall; I use Kaspersky Internet Suite; on or off, same results.

Here is the debug information.

I see "Encryption algorithm offered does not match policy" and "atts are not acceptable. Next payload is 3".

Same for "Hash algorithm offered does not match policy!"

Any idea what to look for? I am also attaching my currently running config.

Jan 20 14:12:00.247: ISAKMP:      hash MD5
Jan 20 14:12:00.247: ISAKMP:      default group 2
Jan 20 14:12:00.247: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.247: ISAKMP:      life type in seconds
Jan 20 14:12:00.247: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.247: ISAKMP:      keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.247: ISAKMP:      hash SHA
Jan 20 14:12:00.247: ISAKMP:      default group 2
Jan 20 14:12:00.247: ISAKMP:      auth pre-share
Jan 20 14:12:00.247: ISAKMP:      life type in seconds
Jan 20 14:12:00.247: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.247: ISAKMP:      keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.247: ISAKMP:      hash MD5
Jan 20 14:12:00.247: ISAKMP:      default group 2
Jan 20 14:12:00.247: ISAKMP:      auth pre-share
Jan 20 14:12:00.247: ISAKMP:      life type in seconds
Jan 20 14:12:00.247: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.247: ISAKMP:      keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.247: ISAKMP:      hash SHA
Jan 20 14:12:00.247: ISAKMP:      default group 2
Jan 20 14:12:00.247: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.247: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash MD5
Jan 20 14:12:00.251: ISAKMP:      default group 2
Jan 20 14:12:00.251: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.251: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash SHA
Jan 20 14:12:00.251: ISAKMP:      default group 2
Jan 20 14:12:00.251: ISAKMP:      auth pre-share
Jan 20 14:12:00.251: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash MD5
Jan 20 14:12:00.251: ISAKMP:      default group 2
Jan 20 14:12:00.251: ISAKMP:      auth pre-share
Jan 20 14:12:00.251: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash MD5
Jan 20 14:12:00.251: ISAKMP:      default group 2
Jan 20 14:12:00.251: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.251: ISAKMP:      life type in seconds
Jan 20 14:12:00.251: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
Jan 20 14:12:00.255: ISAKMP:      encryption DES-CBC
Jan 20 14:12:00.255: ISAKMP:      hash MD5
Jan 20 14:12:00.255: ISAKMP:      default group 2
Jan 20 14:12:00.255: ISAKMP:      auth pre-share
Jan 20 14:12:00.255: ISAKMP:      life type in seconds
Jan 20 14:12:00.255: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jan 20 14:12:00.255: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP:      hash SHA
Jan 20 14:12:00.255: ISAKMP:      default group 2
Jan 20 14:12:00.255: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.255: ISAKMP:      life type in seconds
Jan 20 14:12:00.255: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP:      keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65535 policy
Jan 20 14:12:00.255: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP:      hash MD5
Jan 20 14:12:00.255: ISAKMP:      default group 2
Jan 20 14:12:00.255: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.255: ISAKMP:      life type in seconds
Jan 20 14:12:00.255: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP:      keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 3 against priority 65535 policy
Jan 20 14:12:00.255: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP:      hash SHA
Jan 20 14:12:00.255: ISAKMP:      default group 2
Jan 20 14:12:00.255: ISAKMP:      auth pre-share
Jan 20 14:12:00.255: ISAKMP:      life type in seconds
Jan 20 14:12:00.255: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP:      keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 4 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP:      hash MD5
Jan 20 14:12:00.259: ISAKMP:      default group 2
Jan 20 14:12:00.259: ISAKMP:      auth pre-share
Jan 20 14:12:00.259: ISAKMP:      life type in seconds
Jan 20 14:12:00.259: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP:      keylength of 256
Jan 20 14:12:00.259: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.259: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.259: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP:      hash SHA
Jan 20 14:12:00.259: ISAKMP:      default group 2
Jan 20 14:12:00.259: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.259: ISAKMP:      life type in seconds
Jan 20 14:12:00.259: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP:      keylength of 128
Jan 20 14:12:00.259: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.259: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.259: ISAKMP:(0):Checking ISAKMP transform 6 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP:      hash MD5
Jan 20 14:12:00.259: ISAKMP:      default group 2
Jan 20 14:12:00.259: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.259: ISAKMP:      life type in seconds
Jan 20 14:12:00.259: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP:      keylength of 128
Jan 20 14:12:00.259: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.259: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.259: ISAKMP:(0):Checking ISAKMP transform 7 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP:      hash SHA
Jan 20 14:12:00.259: ISAKMP:      default group 2
Jan 20 14:12:00.259: ISAKMP:      auth pre-share
Jan 20 14:12:00.259: ISAKMP:      life type in seconds
Jan 20 14:12:00.259: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP:      keylength of 128
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 8 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.263: ISAKMP:      hash MD5
Jan 20 14:12:00.263: ISAKMP:      default group 2
Jan 20 14:12:00.263: ISAKMP:      auth pre-share
Jan 20 14:12:00.263: ISAKMP:      life type in seconds
Jan 20 14:12:00.263: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:      keylength of 128
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 9 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.263: ISAKMP:      hash SHA
Jan 20 14:12:00.263: ISAKMP:      default group 2
Jan 20 14:12:00.263: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.263: ISAKMP:      life type in seconds
Jan 20 14:12:00.263: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 10 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.263: ISAKMP:      hash MD5
Jan 20 14:12:00.263: ISAKMP:      default group 2
Jan 20 14:12:00.263: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.263: ISAKMP:      life type in seconds
Jan 20 14:12:00.263: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 11 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.263: ISAKMP:      hash SHA
Jan 20 14:12:00.263: ISAKMP:      default group 2
Jan 20 14:12:00.263: ISAKMP:      auth pre-share
Jan 20 14:12:00.263: ISAKMP:      life type in seconds
Jan 20 14:12:00.263: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 12 against priority 65535 policy
Jan 20 14:12:00.267: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.267: ISAKMP:      hash MD5
Jan 20 14:12:00.267: ISAKMP:      default group 2
Jan 20 14:12:00.267: ISAKMP:      auth pre-share
Jan 20 14:12:00.267: ISAKMP:      life type in seconds
Jan 20 14:12:00.267: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.267: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.267: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.267: ISAKMP:(0):Checking ISAKMP transform 13 against priority 65535 policy
Jan 20 14:12:00.267: ISAKMP:      encryption DES-CBC
Jan 20 14:12:00.267: ISAKMP:      hash MD5
Jan 20 14:12:00.267: ISAKMP:      default group 2
Jan 20 14:12:00.267: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.267: ISAKMP:      life type in seconds
Jan 20 14:12:00.267: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.267: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.267: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.267: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65535 policy
Jan 20 14:12:00.267: ISAKMP:      encryption DES-CBC
Jan 20 14:12:00.267: ISAKMP:      hash MD5
Jan 20 14:12:00.267: ISAKMP:      default group 2
Jan 20 14:12:00.267: ISAKMP:      auth pre-share
Jan 20 14:12:00.267: ISAKMP:      life type in seconds
Jan 20 14:12:00.267: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.267: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.267: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 20 14:12:00.267: ISAKMP:(0):no offers accepted!
Jan 20 14:12:00.267: ISAKMP:(0): phase 1 SA policy not acceptable! (local 72.88.223.20 remote 192.168.69.101)
Jan 20 14:12:00.267: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 20 14:12:00.267: ISAKMP:(0): sending packet to 192.168.69.101 my_port 500 peer_port 61527 (R) AG_NO_STATE
Jan 20 14:12:00.267: ISAKMP:(0):peer does not do paranoid keepalives.

Jan 20 14:12:00.267: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.69.101)
Jan 20 14:12:00.271: ISAKMP:(0): processing KE payload. message ID = 0
Jan 20 14:12:00.271: ISAKMP:(0): group size changed! Should be 0, is 128
Jan 20 14:12:00.271: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
Jan 20 14:12:00.271: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jan 20 14:12:00.271: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

Jan 20 14:12:00.271: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.69.101
Jan 20 14:12:00.271: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.69.101)
Jan 20 14:12:00.271: ISAKMP: Unlocking peer struct 0x822B57E0 for isadb_mark_sa_deleted(), count 0
Jan 20 14:12:00.271: ISAKMP: Deleting peer node by peer_reap for 192.168.69.101: 822B57E0
Jan 20 14:12:00.271: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 20 14:12:00.271: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

Jan 20 14:12:00.271: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 20 14:12:05.382: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 61527 Global (R) MM_NO_STATE
Jan 20 14:12:10.456: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 61527 Global (R) MM_NO_STATE
Jan 20 14:12:15.523: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 61527 Global (R) MM_NO_STATE


IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
72.88.223.20    192.168.69.101  MM_NO_STATE          0    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

MyRouter#

Thomas R Grassi Jr
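An added example, not part of the original thread: a small Python parser for ISAKMP debug output like the above that pairs each offered transform with the mismatch the router reported and lists the offers that were turned down for something other than encryption. The function names and the trimmed excerpt are this example's own; on the excerpt it shows 3DES-CBC/SHA being refused at the authentication attribute for both XAUTHInitPreShared and pre-share.

```python
import re
from collections import defaultdict

# Excerpt of the debug posted above; group, lifetime, keylength and "atts" lines omitted.
SAMPLE = """\
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP:      encryption AES-CBC
Jan 20 14:12:00.247: ISAKMP:      hash MD5
Jan 20 14:12:00.247: ISAKMP:      auth pre-share
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.247: ISAKMP:      hash SHA
Jan 20 14:12:00.247: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.251: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash MD5
Jan 20 14:12:00.251: ISAKMP:      auth XAUTHInitPreShared
Jan 20 14:12:00.251: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP:      encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP:      hash SHA
Jan 20 14:12:00.251: ISAKMP:      auth pre-share
Jan 20 14:12:00.251: ISAKMP:(0):Preshared authentication offered but does not match policy!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth)\s+(\S+)")
REJECT = re.compile(r"ISAKMP:\(\d+\):(.+) does not match policy!")

def parse(log):
    """Return one dict per transform/policy comparison found in the debug."""
    out, cur = [], None
    for line in log.splitlines():
        if m := CHECK.search(line):
            cur = {"transform": int(m[1]), "priority": int(m[2]), "reason": None}
            out.append(cur)
        elif cur and (m := ATTR.search(line)):
            cur[m[1]] = m[2]          # offered encryption / hash / auth value
        elif cur and (m := REJECT.search(line)):
            cur["reason"] = m[1]      # the mismatch the router reported
    return out

def near_misses(records):
    """Offers rejected on something other than encryption, grouped by policy priority."""
    hits = defaultdict(list)
    for r in records:
        if r["reason"] and not r["reason"].startswith("Encryption"):
            hits[r["priority"]].append(r)
    return dict(hits)

if __name__ == "__main__":
    print(near_misses(parse(SAMPLE)))
```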

Shilpa Gupta
Cisco Employee

Hi Thomas,

As per the config, I see that you have the following crypto map:

crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
!
crypto map dynmap client authentication list tgcsradius
crypto map dynmap isakmp authorization list tgcsvpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!

Could you please create a static map and then bind a dynamic map to it? For example:

crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

Then apply this clientmap to the interface.

Please use the following link for more details:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml

Thanks,

Shilpa

Thank you, will give it a try.

Question:

Do you mean apply this to the interface?

interface FastEthernet4
 description ** WAN **
 ip address 72.88.223.20 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map dynmap

add

crypto map clientmap

Also, do I need to add

crypto ipsec transform-set myset esp-3des esp-sha-hmac?

I have the article that you referenced and tailored my config to that, but it did not work.

That's why I am using debug to see what the real issue is.

Thanks

Thomas R Grassi Jr

Hi Thomas,

Yes, I want you to create a static map entry, e.g. "clientmap", as it is there in the link. In your configuration, you have kept the same name for the static and dynamic map.

Not sure if this will resolve the issue. But for testing, make the above change and collect new debugs again.

Also, you do not need to make a change for the transform set, as it is already there with the name ESP-3DES-SHA in your configuration.

Thanks,

Shilpa
