IPSec VPN Remote Access not working - ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

danielmaisu
Level 1

I have been trying to get IPSec VPN access on our internet facing router without success for over a month now. Please can someone help.

 

Our internet router is a CISCO881-SEC-K9, Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)

I am using Cisco VPN Client Version 5 for the remote access dial up.

 

I have run the debugs:

debug crypto isakmp
debug crypto isakmp error
debug crypto ipsec
debug crypto ipsec error

 

 

Attached are the debug results

 

I have the same configs working through our other internet link

 

3 Replies

Hi,

 

From the logs I can see that you are not matching the ISAKMP policies. It is processing each of the policies but failing due to mismatches for various reasons, e.g. hash or encryption algorithm etc.

 

If it works on your other router with the same configuration, are you using the same IOS version on both routers? Same VPN client? Can you run a debug of a successful authentication on the other router and send it over?

 

Can you send over a sanitised copy of the configuration?

 

I don't believe Cisco VPN Client Version 5 is even supported anymore.

Hi, thanks for pointing me in the right direction. I can now understand the logs. Yes, you are correct that it is failing due to mismatches for various reasons, e.g. hash or encryption algorithm etc.

 

My other internet router is a Cisco CISCO1941/K9 router with Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(1)T1, RELEASE SOFTWARE (fc1) (c1900-universalk9-mz.SPA.152-1.T1.bin)

 

I am using the same VPN Client.

Attached is a debug of a successful authentication on the 1941 router.

Hello @danielmaisu,

I checked the logs and you need to check for the Phase 1 proposals:

Encryption: AES-CBC
Hash: SHA
DH: Group 2
Authentication: PSK

Based on the logs for the non-working one, this proposal is not present, and this is the one that the working router is using.

HTH

Gio
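
The check the replies describe, reading the ISAKMP debug to see which offered transform was compared with which policy and why it was rejected, as an added example that is not part of the original thread. The sample lines are constructed in the style of IOS `debug crypto isakmp` output (they are not the poster's attachment), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the style of "debug crypto isakmp"; not the poster's attachment.
SAMPLE_DEBUG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
REASON = re.compile(r"ISAKMP:\(\d+\):\s*(.+?) offered does not match policy")
VERDICT = re.compile(r"atts are (not )?acceptable")
# Phase 1 proposal named in the reply (authentication is left out of the comparison).
WANTED = {"encryption": "AES-CBC", "hash": "SHA", "default group": "2"}

def parse_attempts(text):
    # One record per "transform N against priority M policy" check.
    attempts, cur = [], None
    for line in text.splitlines():  # search() tolerates timestamp prefixes
        if m := CHECK.search(line):
            cur = {"transform": int(m[1]), "policy": int(m[2]),
                   "offer": {}, "reason": None, "accepted": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif m := ATTR.search(line):
            cur["offer"][m[1]] = m[2]
        elif m := REASON.search(line):
            cur["reason"] = m[1]
        elif m := VERDICT.search(line):
            cur["accepted"] = m[1] is None
    return attempts

def summarize(attempts):
    # Accepted checks, rejection reasons, and checks where the client offered WANTED.
    accepted = [a for a in attempts if a["accepted"]]
    reasons = Counter(a["reason"] for a in attempts if a["accepted"] is False)
    offered = [a for a in attempts if WANTED.items() <= a["offer"].items()]
    return accepted, reasons, offered
```

An empty accepted list alongside a non-empty offered list means the client did send the wanted proposal but no configured policy on the router matched it.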