03-12-2013 05:27 AM
Hello,
I am trying to use an Easy VPN connection on a Cisco 800 router from a remote Cisco VPN client on a laptop. I don't know if it's important, but I get some errors when debugging isakmp and ipsec, and I would like to know why they appear when connecting through EZVPN.
This router is configured with several site-to-site VPN connections and should use an isakmp profile to support both types of VPN. The config I finally used, based on the posts and docs I read, is:
aaa new-model
!
!
aaa authentication login RAVPNAUTH local
aaa authorization network RAVPNAUTH local
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
lifetime 3600
!
##### crypto isakmp keys of site-to-site VPNs #####
crypto isakmp key ********** address **********
...
crypto isakmp key ********** address **********
!
!
crypto isakmp client configuration group RAVPNGRPRD
key RAVPNkey
pool RAVPNPoolRD
acl RAVPNRDACL
crypto isakmp profile RAVPNRD
match identity group RAVPNGRPRD
client authentication list RAVPNAUTH
isakmp authorization list RAVPNAUTH
client configuration address respond
!
!
#### crypto ipsec transforms ####
crypto ipsec transform-set vpn000 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn001 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn002 esp-3des esp-md5-hmac
crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac
!
!
crypto dynamic-map DYNRAVPNRD 10
set transform-set RAVPNRD
set isakmp-profile RAVPNRD
reverse-route
!
!
#### site-to-site crypto map tunnels ####
crypto map tunel 10 ipsec-isakmp
set peer peer-ip00
set transform-set vpn000
set pfs group2
match address 106
crypto map tunel 20 ipsec-isakmp
set peer peer-ip01
set transform-set vpn001
match address 161
!
crypto map tunel 1000 ipsec-isakmp dynamic DYNRAVPNRD
!
username USR password ....
!
interface ATM0.1 point-to-point
...
crypto map tunel
!
ip local pool RAVPNPoolRD 192.168.120.1 192.168.120.6
...
and the errors shown when debugging:
These occur when connecting from the Cisco VPN Client; it connects OK and asks for user and password.
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Hash algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x700C Unknown Attr: 0x7005
.Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)
.Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: MODECFG_HOSTNAME (0x700A)
.Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7005)
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
Is this a normal process of matching isakmp and ipsec policies or am I missing anything?
Regards
03-12-2013 09:04 AM
Hi there,
Your IPsec proposal is:
crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac
You are not using AES-256. Since the client tries all the available options, you will see these logs in the ASA.
Hope to help.
Portu.
Please rate any helpful posts.
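An added example, not part of the original thread: a small Python check that compares each rejected IPsec proposal from the debug output with the posted RAVPNRD transform set and reports which field (cipher/key size, hash, compression) caused the mismatch. The function names are hypothetical; the proposal lines and the transform-set line are copied from the post.

```python
import re

# Transform set from the posted configuration (used by dynamic map DYNRAVPNRD).
CONFIG_LINE = "crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac"

# Rejected proposals copied from the debug output in the post; timestamps and
# the repeated "transform proposal not supported" lines are omitted.
DEBUG = """
{esp-aes 256 esp-md5-hmac comp-lzs }
{esp-aes 256 esp-sha-hmac comp-lzs }
{esp-aes esp-md5-hmac comp-lzs }
{esp-aes esp-sha-hmac comp-lzs }
{esp-aes 256 esp-md5-hmac }
{esp-aes 256 esp-sha-hmac }
{esp-aes esp-md5-hmac }
"""

def parse_transforms(text):
    """Split a transform list into cipher, hash and compression fields."""
    fields = {"cipher": "", "hash": "none", "comp": "none"}
    for tok in text.split():
        if tok.endswith("-hmac"):
            fields["hash"] = tok
        elif tok.startswith("comp-"):
            fields["comp"] = tok
        elif tok.isdigit():  # key size follows the cipher, e.g. "esp-aes 256"
            fields["cipher"] += " " + tok
        else:
            fields["cipher"] = tok
    return fields

def configured_set(line):
    """Return (name, fields) for a 'crypto ipsec transform-set' line."""
    name, transforms = line.split("transform-set", 1)[1].split(None, 1)
    return name, parse_transforms(transforms)

def explain_rejections(debug, config_line):
    """For each proposal in the debug text, list the fields that differ."""
    _, want = configured_set(config_line)
    result = []
    for body in re.findall(r"\{([^}]*)\}", debug):
        got = parse_transforms(body)
        diff = [k for k in want if got[k] != want[k]]
        result.append((" ".join(body.split()), diff))
    return result

if __name__ == "__main__":
    for proposal, diff in explain_rejections(DEBUG, CONFIG_LINE):
        print(f"{proposal:40} differs in: {', '.join(diff)}")
```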