EZVPN xauth question

joguevil2008
Level 1

Hello,

I am trying to use an Easy VPN connection to a Cisco 800 router from the Cisco VPN client on a laptop. I don't know if it's important, but I get some errors when debugging isakmp and ipsec, and I would like to know why they appear when connecting through EZVPN.

This router is configured with several site-to-site VPN connections and should use an isakmp profile so that both types of VPN can coexist. The config I finally used, based on posts and docs I have read, is:

aaa new-model
!
!
aaa authentication login RAVPNAUTH local
aaa authorization network RAVPNAUTH local
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
!
##### crypto isakmp keys of site-to-site VPNs #####
crypto isakmp key ********** address **********
...
crypto isakmp key ********** address **********
!
!
crypto isakmp client configuration group RAVPNGRPRD
 key RAVPNkey
 pool RAVPNPoolRD
 acl RAVPNRDACL
crypto isakmp profile RAVPNRD
   match identity group RAVPNGRPRD
   client authentication list RAVPNAUTH
   isakmp authorization list RAVPNAUTH
   client configuration address respond
!
!
#### crypto ipsec transforms ####
crypto ipsec transform-set vpn000 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn001 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn002 esp-3des esp-md5-hmac
crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac
!
!
crypto dynamic-map DYNRAVPNRD 10
 set transform-set RAVPNRD
 set isakmp-profile RAVPNRD
 reverse-route
!
!
#### site-to-site crypto map tunnels ####
crypto map tunel 10 ipsec-isakmp
 set peer peer-ip00
 set transform-set vpn000
 set pfs group2
 match address 106
crypto map tunel 20 ipsec-isakmp
 set peer peer-ip01
 set transform-set vpn001
 match address 161
!
crypto map tunel 1000 ipsec-isakmp dynamic DYNRAVPNRD
!
username USR password ....
!
interface ATM0.1 point-to-point
 ...
 crypto map tunel
!
ip local pool RAVPNPoolRD 192.168.120.1 192.168.120.6
...

and these are the errors shown while debugging. They occur when connecting from the Cisco VPN Client; the client connects OK and asks for user and password.

.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Hash algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x700C Unknown Attr: 0x7005
.Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)
.Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: MODECFG_HOSTNAME (0x700A)
.Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7005)
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256

Is this the normal process of matching isakmp and ipsec policies, or am I missing anything?

Regards

Accepted Solution

Hi there,

Your IPsec proposal is:

crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac

You are not using AES-256; since the client tries all the options available, you will see these logs in the ASA.

Hope this helps.

Portu.

Please rate any helpful posts.
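A small triage script, added here and not part of either post, that applies Portu's point to the debug output: it parses the configured transform-set and the rejected `{...}` proposals from the quoted lines, and separates client fallback proposals that differ from the configured set (expected noise) from any rejection of the configured set itself, which would deserve a closer look. The sample log text and the name `RAVPNRD` are taken from the question; the 128-bit default for a bare `esp-aes` is IOS behaviour.

```python
import re
# Constructed sample input: the RAVPNRD transform-set from the question and three of
# the debug lines quoted above (indentation as in the post). Values are from the post.
CONFIGURED = "crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac"
DEBUG = """\
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac comp-lzs }
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac comp-lzs }
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac }
"""
PROPOSAL_RE = re.compile(r"\{([^}]*)\}")

def normalize(tokens):
    """Fold an IOS key length into the cipher name ('esp-aes 256' -> 'esp-aes-256'); a bare 'esp-aes' is 128-bit."""
    out = []
    for tok in tokens:
        if tok.isdigit() and out:
            out[-1] += "-" + tok
        else:
            out.append(tok)
    return frozenset("esp-aes-128" if t == "esp-aes" else t for t in out)

def parse_transform_set(line):
    """Return (name, transforms) from a 'crypto ipsec transform-set NAME ...' line."""
    parts = line.split()
    if parts[:3] != ["crypto", "ipsec", "transform-set"] or len(parts) < 5:
        raise ValueError("not a transform-set line: " + line)
    return parts[3], normalize(parts[4:])

def rejected_proposals(debug_text):
    """Pair each 'transform proposal not supported' line with the {...} on the next line."""
    lines = debug_text.splitlines()
    found = []
    for i, line in enumerate(lines[:-1]):
        if "transform proposal not supported" in line:
            m = PROPOSAL_RE.search(lines[i + 1])
            if m:
                found.append(normalize(m.group(1).split()))
    return found

def triage(configured_line, debug_text):
    """Expected fallbacks differ from the configured set; a rejected configured set needs a closer look."""
    name, configured = parse_transform_set(configured_line)
    rejected = rejected_proposals(debug_text)
    return {"transform_set": name, "configured": configured,
            "expected_fallbacks": [p for p in rejected if p != configured],
            "configured_set_rejected": [p for p in rejected if p == configured]}
```

Run `triage(CONFIGURED, DEBUG)` on the quoted lines and every rejection lands in `expected_fallbacks`, which is the benign case the answer describes.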
