4231 Views | 0 Helpful | 3 Replies

IPSEC VPN with pre-shared key not working under Windows 10

erikenwall (Level 1)

Hi all,

I have lovingly adopted a decommissioned 1841 to use as a personal VPN router; it works great for everything BUT Windows 10.

Here is a snippet from the debugs:

*Sep 30 16:19:19.259: ISAKMP (0): received packet from 98.24.16.25 dport 500 sport 1 Global (N) NEW SA
*Sep 30 16:19:19.259: ISAKMP: Created a peer struct for 98.24.16.25, peer port 1
*Sep 30 16:19:19.259: ISAKMP: New peer created peer = 0x65D97C78 peer_handle = 0x8000000A
*Sep 30 16:19:19.259: ISAKMP: Locking peer struct 0x65D97C78, refcount 1 for crypto_isakmp_process_block
*Sep 30 16:19:19.259: ISAKMP: local port 500, remote port 1
*Sep 30 16:19:19.259: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65E42430
*Sep 30 16:19:19.259: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 30 16:19:19.259: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Sep 30 16:19:19.263: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 30 16:19:19.263: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0): processing IKE frag vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Sep 30 16:19:19.263: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0): processing IKE frag vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Sep 30 16:19:19.263: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 30 16:19:19.263: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 30 16:19:19.263: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 30 16:19:19.263: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 30 16:19:19.263: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Sep 30 16:19:19.263: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Sep 30 16:19:19.263: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Sep 30 16:19:19.263: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.263: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Sep 30 16:19:19.263: ISAKMP:(0):No pre-shared key with 98.24.16.25!
*Sep 30 16:19:19.263: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
*Sep 30 16:19:19.263: ISAKMP:(0): Authentication by xauth preshared
*Sep 30 16:19:19.263: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 30 16:19:19.263: ISAKMP: encryption AES-CBC
*Sep 30 16:19:19.263: ISAKMP: keylength of 256
*Sep 30 16:19:19.263: ISAKMP: hash SHA
*Sep 30 16:19:19.263: ISAKMP: unknown DH group 20
*Sep 30 16:19:19.263: ISAKMP: auth pre-share
*Sep 30 16:19:19.263: ISAKMP: life type in seconds
*Sep 30 16:19:19.263: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 30 16:19:19.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 30 16:19:19.263: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 30 16:19:19.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Sep 30 16:19:19.263: ISAKMP: encryption AES-CBC
*Sep 30 16:19:19.263: ISAKMP: keylength of 128
*Sep 30 16:19:19.263: ISAKMP: hash SHA
*Sep 30 16:19:19.267: ISAKMP: unknown DH group 19
*Sep 30 16:19:19.267: ISAKMP: auth pre-share
*Sep 30 16:19:19.267: ISAKMP: life type in seconds
*Sep 30 16:19:19.267: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 30 16:19:19.267: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 30 16:19:19.267: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 30 16:19:19.267: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Sep 30 16:19:19.267: ISAKMP: encryption AES-CBC
*Sep 30 16:19:19.267: ISAKMP: keylength of 256
*Sep 30 16:19:19.267: ISAKMP: hash SHA
*Sep 30 16:19:19.267: ISAKMP: default group 14
*Sep 30 16:19:19.267: ISAKMP: auth pre-share
*Sep 30 16:19:19.267: ISAKMP: life type in seconds
*Sep 30 16:19:19.267: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 30 16:19:19.267: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 30 16:19:19.267: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 30 16:19:19.267: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Sep 30 16:19:19.267: ISAKMP: encryption 3DES-CBC
*Sep 30 16:19:19.267: ISAKMP: hash SHA
*Sep 30 16:19:19.267: ISAKMP: default group 14
*Sep 30 16:19:19.267: ISAKMP: auth pre-share
*Sep 30 16:19:19.267: ISAKMP: life type in seconds
*Sep 30 16:19:19.267: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 30 16:19:19.267: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Sep 30 16:19:19.267: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 30 16:19:19.267: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Sep 30 16:19:19.267: ISAKMP: encryption 3DES-CBC
*Sep 30 16:19:19.267: ISAKMP: hash SHA
*Sep 30 16:19:19.267: ISAKMP: default group 2
*Sep 30 16:19:19.267: ISAKMP: auth pre-share
*Sep 30 16:19:19.267: ISAKMP: life type in seconds
*Sep 30 16:19:19.267: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 30 16:19:19.267: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Sep 30 16:19:19.267: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Sep 30 16:19:19.267: ISAKMP:(0):no offers accepted!
*Sep 30 16:19:19.267: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.0.1.2 remote 98.24.16.25)
*Sep 30 16:19:19.267: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Sep 30 16:19:19.267: ISAKMP:(0): Failed to construct AG informational message.
*Sep 30 16:19:19.267: ISAKMP:(0): sending packet to 98.24.16.25 my_port 500 peer_port 1 (R) MM_NO_STATE
*Sep 30 16:19:19.271: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 30 16:19:19.271: ISAKMP:(0):peer does not do paranoid keepalives.

*Sep 30 16:19:19.271: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 98.24.16.25)
*Sep 30 16:19:19.271: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0): processing IKE frag vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Sep 30 16:19:19.271: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0): processing IKE frag vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Sep 30 16:19:19.271: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 30 16:19:19.271: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 30 16:19:19.271: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 30 16:19:19.271: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 30 16:19:19.271: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Sep 30 16:19:19.271: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismatch
*Sep 30 16:19:19.271: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Sep 30 16:19:19.271: ISAKMP:(0): processing vendor id payload
*Sep 30 16:19:19.271: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismatch
*Sep 30 16:19:19.271: ISAKMP (0): FSM action returned error: 2
*Sep 30 16:19:19.271: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 30 16:19:19.271: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Sep 30 16:19:19.275: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 98.24.16.25)
*Sep 30 16:19:19.275: ISAKMP: Unlocking peer struct 0x65D97C78 for isadb_mark_sa_deleted(), count 0
*Sep 30 16:19:19.275: ISAKMP: Deleting peer node by peer_reap for 98.24.16.25: 65D97C78
*Sep 30 16:19:19.275: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 30 16:19:19.275: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA

*Sep 30 16:19:19.275: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 30 16:19:19.275: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 98.24.16.25)
*Sep 30 16:19:19.275: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Sep 30 16:19:19.275: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Sep 30 16:19:20.247: ISAKMP (0): received packet from 98.24.16.25 dport 500 sport 1 Global (R) MM_NO_STATE
*Sep 30 16:19:21.251: ISAKMP (0): received packet from 98.24.16.25 dport 500 sport 1 Global (R) MM_NO_STATE
*Sep 30 16:19:24.247: ISAKMP (0): received packet from 98.24.16.25 dport 500 sport 1 Global (R) MM_NO_STATE
*Sep 30 16:19:55.383: ISAKMP:(0):purging SA., sa=647145D8, delme=647145D8
*Sep 30 16:20:19.275: ISAKMP:(0):purging SA., sa=65E42430, delme=65E42430

So... the following stands out to me:

Preshared authentication offered but does not match policy!

I have entered the pre-shared key into the Windows 10 VPN settings manually, copied and pasted it direct from the router config, had my dog enter it, all of which has been fruitless.

Am I missing something here? There are a handful of posts of people complaining about Windows 10 with the same issue (and one gent solved it but didn't bother to post the solution) but then again it has been years since I've been on the data side of things so I could be pretty dense.

Here is the running-config if it helps:

Current configuration : 4890 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ewigw01
!
boot-start-marker
boot system flash:/c1841-advsecurityk9-mz.124-24.T3.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name theenwalls.com
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3402832213
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3402832213
revocation-check none
rsakeypair TP-self-signed-3402832213
!
!
crypto pki certificate chain TP-self-signed-3402832213
certificate self-signed 01
<snip>
quit
!
!
username admin privilege 15 secret 5 <thereisnodana>
username user privilege 2 secret 5 <onlyzuul>
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group home
key <supersecretextrasecurekey>
pool SDM_POOL_1
acl 100
save-password
include-local-lan
max-users 2
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group home
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
no ip ftp passive
!
!
!
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.0.1.11 10.0.1.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Help me, Obi-Wan Kenobi. You're my only hope.

Thanks!
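As an added example (not from the post, and not Cisco's tooling), here is a Python script that parses the "Checking ISAKMP transform" blocks from a constructed excerpt of the debug above, compares each offered transform against the router's "crypto isakmp policy 1" from the running-config, and flags the case visible in the post: transform 5 matches every policy attribute yet is still rejected on authentication right after the router logged "Authentication by xauth preshared". The reading that the ISAKMP profile's client authentication list makes the router insist on XAUTH, which a plain pre-share offer does not satisfy, is the script's assumption.

```python
import re
# Constructed excerpt of the "debug crypto isakmp" output quoted in the post above
DEBUG = """\
*Sep 30 16:19:19.263: ISAKMP:(0): Authentication by xauth preshared
*Sep 30 16:19:19.263: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 30 16:19:19.263: ISAKMP: encryption AES-CBC
*Sep 30 16:19:19.263: ISAKMP: hash SHA
*Sep 30 16:19:19.263: ISAKMP: unknown DH group 20
*Sep 30 16:19:19.263: ISAKMP: auth pre-share
*Sep 30 16:19:19.263: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 30 16:19:19.267: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Sep 30 16:19:19.267: ISAKMP: encryption 3DES-CBC
*Sep 30 16:19:19.267: ISAKMP: hash SHA
*Sep 30 16:19:19.267: ISAKMP: default group 2
*Sep 30 16:19:19.267: ISAKMP: auth pre-share
*Sep 30 16:19:19.267: ISAKMP:(0):Preshared authentication offered but does not match policy!
"""
# "crypto isakmp policy 1" from the running-config: encr 3des, auth pre-share, group 2 (hash defaults to SHA)
POLICY = {"encryption": "3DES-CBC", "hash": "SHA", "group": "2", "auth": "pre-share"}
ATTR_RE = {
    "encryption": re.compile(r"ISAKMP: encryption (\S+)"),
    "hash": re.compile(r"ISAKMP: hash (\S+)"),
    "group": re.compile(r"(?:unknown DH|default) group (\d+)"),
    "auth": re.compile(r"ISAKMP: auth (\S+)"),
}
def parse_transforms(debug):
    """Collect the attribute lines and the first rejection reason under each 'Checking ISAKMP transform N'."""
    transforms, cur = [], None
    for line in debug.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            cur = {"id": int(m.group(1)), "attrs": {}, "reason": None}
            transforms.append(cur)
        elif cur is not None:
            for name, rx in ATTR_RE.items():
                if m := rx.search(line):
                    cur["attrs"][name] = m.group(1)
            if cur["reason"] is None and "does not match policy" in line:
                cur["reason"] = line.split(":(0):", 1)[1].strip()
    return transforms
def diagnose(debug, policy):
    """Per transform: attributes differing from the policy, the router's stated reason, and whether an
    attribute-identical offer was still refused after 'Authentication by xauth preshared' (assumed
    IOS behaviour: the matched ISAKMP profile's client authentication list forces XAUTH)."""
    xauth = "Authentication by xauth preshared" in debug
    report = {}
    for t in parse_transforms(debug):
        diffs = {k: t["attrs"].get(k) for k, v in policy.items() if t["attrs"].get(k) != v}
        blocked_by_xauth = not diffs and xauth and "Preshared authentication" in (t["reason"] or "")
        report[t["id"]] = {"mismatch": diffs, "reason": t["reason"], "xauth_required": blocked_by_xauth}
    return report
```

Running diagnose(DEBUG, POLICY) reports transform 1 as an attribute mismatch (AES-CBC, group 20) and transform 5 as matching the policy but blocked by the XAUTH requirement.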

3 Replies

cwhite0013 (Level 1)

If you're using the built-in Windows VPN software, it will not work. "unknown DH group 20" makes me think you're using L2TP in the Windows VPN software but Cisco only supports IPSec. The old Cisco VPN Client does not work on Windows 10 but there are third-party alternatives such as ShrewSoft. The AnyConnect client is supported on Windows 10 but I think that's more for ASAs and does require licensing.

We frequently do associate AnyConnect with ASA but there is support for AnyConnect on IOS routers. I configured that for a customer and it did work.

HTH

Rick

Thanks guys, I'll try that.