01-20-2012 07:19 AM
Cisco Client 5.0.07.0410 trying to VPN into my 851 using Easy VPN to access my Windows 2003 domain resources.
The client fails with a 412 error using transport IPsec over UDP (NAT/PAT).
Tried IPsec over TCP port 10000.
Turned off firewall, use Kaspersky Internet suite, on or off same results.
Here is the debug information.
I see "Encryption algorithm offered does not match policy" and "atts are not acceptable. Next payload is 3".
Same for "Hash algorithm offered does not match policy!"
Any idea what to look for? I am attaching my currently running config also.
Jan 20 14:12:00.247: ISAKMP: hash MD5
Jan 20 14:12:00.247: ISAKMP: default group 2
Jan 20 14:12:00.247: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.247: ISAKMP: life type in seconds
Jan 20 14:12:00.247: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.247: ISAKMP: keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.247: ISAKMP: hash SHA
Jan 20 14:12:00.247: ISAKMP: default group 2
Jan 20 14:12:00.247: ISAKMP: auth pre-share
Jan 20 14:12:00.247: ISAKMP: life type in seconds
Jan 20 14:12:00.247: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.247: ISAKMP: keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.247: ISAKMP: hash MD5
Jan 20 14:12:00.247: ISAKMP: default group 2
Jan 20 14:12:00.247: ISAKMP: auth pre-share
Jan 20 14:12:00.247: ISAKMP: life type in seconds
Jan 20 14:12:00.247: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.247: ISAKMP: keylength of 128
Jan 20 14:12:00.247: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.247: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.247: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
Jan 20 14:12:00.247: ISAKMP: encryption 3DES-CBC
Jan 20 14:12:00.247: ISAKMP: hash SHA
Jan 20 14:12:00.247: ISAKMP: default group 2
Jan 20 14:12:00.247: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.247: ISAKMP: life type in seconds
Jan 20 14:12:00.251: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP: encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP: hash MD5
Jan 20 14:12:00.251: ISAKMP: default group 2
Jan 20 14:12:00.251: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.251: ISAKMP: life type in seconds
Jan 20 14:12:00.251: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP: encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP: hash SHA
Jan 20 14:12:00.251: ISAKMP: default group 2
Jan 20 14:12:00.251: ISAKMP: auth pre-share
Jan 20 14:12:00.251: ISAKMP: life type in seconds
Jan 20 14:12:00.251: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Preshared authentication offered but does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP: encryption 3DES-CBC
Jan 20 14:12:00.251: ISAKMP: hash MD5
Jan 20 14:12:00.251: ISAKMP: default group 2
Jan 20 14:12:00.251: ISAKMP: auth pre-share
Jan 20 14:12:00.251: ISAKMP: life type in seconds
Jan 20 14:12:00.251: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.251: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.251: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
Jan 20 14:12:00.251: ISAKMP: encryption DES-CBC
Jan 20 14:12:00.251: ISAKMP: hash MD5
Jan 20 14:12:00.251: ISAKMP: default group 2
Jan 20 14:12:00.251: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.251: ISAKMP: life type in seconds
Jan 20 14:12:00.251: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.251: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
Jan 20 14:12:00.255: ISAKMP: encryption DES-CBC
Jan 20 14:12:00.255: ISAKMP: hash MD5
Jan 20 14:12:00.255: ISAKMP: default group 2
Jan 20 14:12:00.255: ISAKMP: auth pre-share
Jan 20 14:12:00.255: ISAKMP: life type in seconds
Jan 20 14:12:00.255: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jan 20 14:12:00.255: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP: hash SHA
Jan 20 14:12:00.255: ISAKMP: default group 2
Jan 20 14:12:00.255: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.255: ISAKMP: life type in seconds
Jan 20 14:12:00.255: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP: keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65535 policy
Jan 20 14:12:00.255: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP: hash MD5
Jan 20 14:12:00.255: ISAKMP: default group 2
Jan 20 14:12:00.255: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.255: ISAKMP: life type in seconds
Jan 20 14:12:00.255: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP: keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 3 against priority 65535 policy
Jan 20 14:12:00.255: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.255: ISAKMP: hash SHA
Jan 20 14:12:00.255: ISAKMP: default group 2
Jan 20 14:12:00.255: ISAKMP: auth pre-share
Jan 20 14:12:00.255: ISAKMP: life type in seconds
Jan 20 14:12:00.255: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.255: ISAKMP: keylength of 256
Jan 20 14:12:00.255: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.255: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.255: ISAKMP:(0):Checking ISAKMP transform 4 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP: hash MD5
Jan 20 14:12:00.259: ISAKMP: default group 2
Jan 20 14:12:00.259: ISAKMP: auth pre-share
Jan 20 14:12:00.259: ISAKMP: life type in seconds
Jan 20 14:12:00.259: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP: keylength of 256
Jan 20 14:12:00.259: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.259: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.259: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP: hash SHA
Jan 20 14:12:00.259: ISAKMP: default group 2
Jan 20 14:12:00.259: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.259: ISAKMP: life type in seconds
Jan 20 14:12:00.259: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP: keylength of 128
Jan 20 14:12:00.259: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.259: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.259: ISAKMP:(0):Checking ISAKMP transform 6 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP: hash MD5
Jan 20 14:12:00.259: ISAKMP: default group 2
Jan 20 14:12:00.259: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.259: ISAKMP: life type in seconds
Jan 20 14:12:00.259: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP: keylength of 128
Jan 20 14:12:00.259: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.259: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.259: ISAKMP:(0):Checking ISAKMP transform 7 against priority 65535 policy
Jan 20 14:12:00.259: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.259: ISAKMP: hash SHA
Jan 20 14:12:00.259: ISAKMP: default group 2
Jan 20 14:12:00.259: ISAKMP: auth pre-share
Jan 20 14:12:00.259: ISAKMP: life type in seconds
Jan 20 14:12:00.259: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.259: ISAKMP: keylength of 128
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 8 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP: encryption AES-CBC
Jan 20 14:12:00.263: ISAKMP: hash MD5
Jan 20 14:12:00.263: ISAKMP: default group 2
Jan 20 14:12:00.263: ISAKMP: auth pre-share
Jan 20 14:12:00.263: ISAKMP: life type in seconds
Jan 20 14:12:00.263: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP: keylength of 128
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 9 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP: encryption 3DES-CBC
Jan 20 14:12:00.263: ISAKMP: hash SHA
Jan 20 14:12:00.263: ISAKMP: default group 2
Jan 20 14:12:00.263: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.263: ISAKMP: life type in seconds
Jan 20 14:12:00.263: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 10 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP: encryption 3DES-CBC
Jan 20 14:12:00.263: ISAKMP: hash MD5
Jan 20 14:12:00.263: ISAKMP: default group 2
Jan 20 14:12:00.263: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.263: ISAKMP: life type in seconds
Jan 20 14:12:00.263: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 11 against priority 65535 policy
Jan 20 14:12:00.263: ISAKMP: encryption 3DES-CBC
Jan 20 14:12:00.263: ISAKMP: hash SHA
Jan 20 14:12:00.263: ISAKMP: default group 2
Jan 20 14:12:00.263: ISAKMP: auth pre-share
Jan 20 14:12:00.263: ISAKMP: life type in seconds
Jan 20 14:12:00.263: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.263: ISAKMP:(0):Checking ISAKMP transform 12 against priority 65535 policy
Jan 20 14:12:00.267: ISAKMP: encryption 3DES-CBC
Jan 20 14:12:00.267: ISAKMP: hash MD5
Jan 20 14:12:00.267: ISAKMP: default group 2
Jan 20 14:12:00.267: ISAKMP: auth pre-share
Jan 20 14:12:00.267: ISAKMP: life type in seconds
Jan 20 14:12:00.267: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.267: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jan 20 14:12:00.267: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.267: ISAKMP:(0):Checking ISAKMP transform 13 against priority 65535 policy
Jan 20 14:12:00.267: ISAKMP: encryption DES-CBC
Jan 20 14:12:00.267: ISAKMP: hash MD5
Jan 20 14:12:00.267: ISAKMP: default group 2
Jan 20 14:12:00.267: ISAKMP: auth XAUTHInitPreShared
Jan 20 14:12:00.267: ISAKMP: life type in seconds
Jan 20 14:12:00.267: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.267: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.267: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 20 14:12:00.267: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65535 policy
Jan 20 14:12:00.267: ISAKMP: encryption DES-CBC
Jan 20 14:12:00.267: ISAKMP: hash MD5
Jan 20 14:12:00.267: ISAKMP: default group 2
Jan 20 14:12:00.267: ISAKMP: auth pre-share
Jan 20 14:12:00.267: ISAKMP: life type in seconds
Jan 20 14:12:00.267: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jan 20 14:12:00.267: ISAKMP:(0):Hash algorithm offered does not match policy!
Jan 20 14:12:00.267: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jan 20 14:12:00.267: ISAKMP:(0):no offers accepted!
Jan 20 14:12:00.267: ISAKMP:(0): phase 1 SA policy not acceptable! (local 72.88.223.20 remote 192.168.69.101)
Jan 20 14:12:00.267: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jan 20 14:12:00.267: ISAKMP:(0): sending packet to 192.168.69.101 my_port 500 peer_port 61527 (R) AG_NO_STATE
Jan 20 14:12:00.267: ISAKMP:(0):peer does not do paranoid keepalives.
Jan 20 14:12:00.267: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.69.101)
Jan 20 14:12:00.271: ISAKMP:(0): processing KE payload. message ID = 0
Jan 20 14:12:00.271: ISAKMP:(0): group size changed! Should be 0, is 128
Jan 20 14:12:00.271: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Jan 20 14:12:00.271: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jan 20 14:12:00.271: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
Jan 20 14:12:00.271: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.69.101
Jan 20 14:12:00.271: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.69.101)
Jan 20 14:12:00.271: ISAKMP: Unlocking peer struct 0x822B57E0 for isadb_mark_sa_deleted(), count 0
Jan 20 14:12:00.271: ISAKMP: Deleting peer node by peer_reap for 192.168.69.101: 822B57E0
Jan 20 14:12:00.271: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 20 14:12:00.271: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
Jan 20 14:12:00.271: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 20 14:12:05.382: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 61527 Global (R) MM_NO_STATE
Jan 20 14:12:10.456: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 61527 Global (R) MM_NO_STATE
Jan 20 14:12:15.523: ISAKMP (0:0): received packet from 192.168.69.101 dport 500 sport 61527 Global (R) MM_NO_STATE
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
72.88.223.20 192.168.69.101 MM_NO_STATE 0 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
MyRouter#
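Added example (not part of the original posts and not Cisco code): a small Python parser for "debug crypto isakmp" output of the kind shown above, which records why each offered transform was rejected and infers which policy attributes must already have matched. The names parse, infer_policy and SAMPLE are hypothetical, the sample lines are constructed in the format of the debug with timestamps omitted, and the comparison order (encryption, then hash, then authentication) is an assumption read off the log above.

```python
import re
# Constructed excerpt in the format of the debug posted above (timestamps omitted).
SAMPLE = """\
ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth XAUTHInitPreShared
ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth XAUTHInitPreShared
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP:(0):Preshared authentication offered but does not match policy!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth)\s+(\S+)")
REJECT = re.compile(r"ISAKMP:\(\d+\):\s*(.+?) offered (?:but )?does not match policy!")
ORDER = ["encryption", "hash", "auth"]  # comparison order seen in the debug (assumption)

def parse(text):
    """Return one dict per 'Checking ISAKMP transform' block with its rejection cause."""
    records = []
    for line in text.splitlines():
        if m := CHECK.search(line):
            records.append({"transform": int(m[1]), "priority": int(m[2])})
        elif records and (m := ATTR.search(line)):
            records[-1][m[1]] = m[2]
        elif records and (m := REJECT.search(line)):
            reason = m[1].lower()
            records[-1]["failed_on"] = "auth" if "authentication" in reason else reason.split()[0]
    return records

def infer_policy(records):
    """Attributes ahead of the first mismatch must equal the router's policy values."""
    policy = {}
    for r in (r for r in records if r.get("failed_on") in ORDER):
        failed = r["failed_on"]
        known = policy.setdefault(r["priority"], {})
        for attr in ORDER[:ORDER.index(failed)]:
            known[attr] = r[attr]
        if failed == "auth":
            known.setdefault("auth_rejected", []).append(r["auth"])
    return policy
```

For the sample, infer_policy(parse(SAMPLE)) reports that 3DES-CBC and SHA matched the priority 1 policy while both pre-shared-key authentication offers were rejected, so the authentication method configured under that ISAKMP policy is the attribute to compare against what the client offers.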
01-20-2012 08:11 AM
Hi Thomas,
As per the config, I see that you have the following crypto map:
crypto dynamic-map dynmap 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
!
crypto map dynmap client authentication list tgcsradius
crypto map dynmap isakmp authorization list tgcsvpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
Could you please create a static map and then bind a dynamic map to it? For example:
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
Then apply this clientmap to interface.
Please use the following link for more details:-
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml
Thanks,
Shilpa
01-20-2012 09:06 AM
Thank you, will give it a try.
Question:
Do you mean apply this to the interface???
interface FastEthernet4
description ** WAN **
ip address 72.88.223.20 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap
add
crypto map clientmap
also I need to add
crypto ipsec transform-set myset esp-3des esp-sha-hmac??????????
I have the article that you referenced and tailored my config to that, but it did not work.
That's why I am using debug to see what the real issue is.
Thanks
01-20-2012 09:24 AM
Hi Thomas,
Yes, I want you to create a static map entry, e.g. "clientmap", as it is there in the link. As in your configuration, you have kept the same name for the static and dynamic map.
Not sure if this will resolve the issue. But for testing, make the above change and collect new debugs again.
Also, you do not need to make a change for the transform set, as it is already there with the name ESP-3DES-SHA in your configuration.
Thanks,
Shilpa