IPsec Windows 2000 client to router.

fdeatoug (Level 1)

Hi,

I hope someone can help me with my problem. I can't seem to get a Windows 2000 client talking to a 3620 router over IPsec. I have cut and pasted the debug from the router below. When I ping the router's internal address, IPsec tries to establish but can't. I used the documents from Microsoft and Cisco to get this working, with no luck. I also include the router config below.

Version 12.1(17). Is there something blindingly obvious I'm missing?

Thanks!

crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp client configuration address-pool local vpn-pool
!
!
crypto ipsec transform-set vpn-transform ah-sha-hmac esp-des
crypto ipsec transform-set vpn-transform2 ah-sha-hmac esp-des esp-sha-hmac
!
crypto dynamic-map vpn-dynamic 1
 set transform-set vpn-transform
crypto dynamic-map vpn-dynamic 2
 set transform-set vpn-transform2
!
!
crypto map vpnclient client configuration address respond
crypto map vpnclient 1 ipsec-isakmp dynamic vpn-dynamic
!
interface Ethernet0/0
 description Private LAN interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ntp disable
 no cdp enable
 crypto map vpnclient
!
interface Serial0/0
 ip address 212.38.84.182 255.255.255.252
 no ip redirects
 ip nat outside
 encapsulation ppp
 ntp disable
 no fair-queue
 no cdp enable
 crypto map vpnclient

00:41:17: ISAKMP (0): received packet from y.y.y.y (N) NEW SA
00:41:17: ISAKMP: local port 500, remote port 500
00:41:17: ISAKMP (0:1): processing SA payload. message ID = 0
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:41:17: ISAKMP: encryption DES-CBC
00:41:17: ISAKMP: hash SHA
00:41:17: ISAKMP: default group 1
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy
00:41:17: ISAKMP: encryption DES-CBC
00:41:17: ISAKMP: hash MD5
00:41:17: ISAKMP: default group 1
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 1 policy
00:41:17: ISAKMP: encryption 3DES-CBC
00:41:17: ISAKMP: hash SHA
00:41:17: ISAKMP: default group 2
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are not acceptable. Next payload is 3
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 1 policy
00:41:17: ISAKMP: encryption 3DES-CBC
00:41:17: ISAKMP: hash MD5
00:41:17: ISAKMP: default group 2
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are not acceptable. Next payload is 0
00:41:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 2 policy
00:41:17: ISAKMP: encryption DES-CBC
00:41:17: ISAKMP: hash SHA
00:41:17: ISAKMP: default group 1
00:41:17: ISAKMP: auth pre-share
00:41:17: ISAKMP: life type in seconds
00:41:17: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
00:41:17: ISAKMP (0:1): atts are acceptable. Next payload is 3
00:41:17: CryptoEngine0: generate alg parameter
00:41:17: CRYPTO_ENGINE: Dh phase 1 status: 0
00:41:17: CRYPTO_ENGINE: Dh phase 1 status: 0
00:41:17: ISAKMP (0:1): processing vendor id payload
00:41:17: ISAKMP (0:1): SA is doing pre-shared key authentication
00:41:17: ISAKMP (1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:41:17: ISAKMP (1): sending packet to y.y.y.y (R) MM_SA_SETUP
00:41:17: ISAKMP (1): received packet from y.y.y.y (R) MM_SA_SETUP
00:41:17: ISAKMP (0:1): processing KE payload. message ID = 0
00:41:17: CryptoEngine0: generate alg parameter
00:41:17: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:41:17: CryptoEngine0: create ISAKMP SKEYID for conn id 1
00:41:17: ISAKMP (0:1): SKEYID state generated
00:41:17: ISAKMP (1): sending packet to y.y.y.y (R) MM_KEY_EXCH
00:41:17: ISAKMP (1): received packet from y.y.y.y (R) MM_KEY_EXCH
00:41:17: ISAKMP (0:1): processing ID payload. message ID = 0
00:41:17: ISAKMP (0:1): processing HASH payload. message ID = 0
00:41:17: CryptoEngine0: generate hmac context for conn id 1
00:41:17: ISAKMP (0:1): SA has been authenticated with y.y.y.y
00:41:17: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
00:41:17: ISAKMP (1): Total payload length: 12
00:41:17: CryptoEngine0: generate hmac context for conn id 1
00:41:17: CryptoEngine0: clear dh number for conn id 1
00:41:17: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:17: ISAKMP (1): received packet from y.y.y.y (R) QM_IDLE
00:41:17: ISAKMP: Created a peer node for y.y.y.y
00:41:17: ISAKMP (0:1): Locking struct 61C0C098 on allocation
00:41:17: ISAKMP (0:1): allocating address 192.168.2.2
00:41:17: CryptoEngine0: generate hmac context for conn id 1
00:41:17: ISAKMP (0:1): initiating peer config to y.y.y.y. message ID = -1227309776
00:41:17: ISAKMP (1): sending packet to y.y.y.y (R) CONF_ADDR
00:41:18: ISAKMP (1): received packet from y.y.y.y (R) CONF_ADDR
00:41:18: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:20: ISAKMP (1): received packet from y.y.y.y (R) CONF_ADDR
00:41:20: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:22: ISAKMP (0:1): src y.y.y.y dst x.x.x.x
00:41:22: ISAKMP (0:1): processing saved QM.
00:41:22: CryptoEngine0: generate hmac context for conn id 1
00:41:22: ISAKMP (0:1): processing SA payload. message ID = -154066718
00:41:22: ISAKMP (0:1): Checking IPSec proposal 1
00:41:22: ISAKMP: transform 1, AH_SHA
00:41:22: ISAKMP: attributes in transform:
00:41:22: ISAKMP: encaps is 1
00:41:22: ISAKMP: authenticator is HMAC-SHA
00:41:22: validate proposal 0
00:41:22: ISAKMP (0:1): atts are acceptable.
00:41:22: ISAKMP (0:1): Checking IPSec proposal 1
00:41:22: ISAKMP: transform 1, ESP_DES
00:41:22: ISAKMP: attributes in transform:
00:41:22: ISAKMP: encaps is 1
00:41:22: validate proposal 0
00:41:22: ISAKMP (0:1): atts are acceptable.
00:41:22: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.x.x, src= y.y.y.7,
    dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:41:22: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) dest= x.x.x.x, src= y.y.y.y,
    dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:41:22: validate proposal request 0
00:41:22: IPSEC(validate_transform_proposal): proxy identities not supported
00:41:22: ISAKMP: IPSec policy invalidated proposal
00:41:22: ISAKMP (0:1): SA not acceptable!
00:41:22: CryptoEngine0: generate hmac context for conn id 1
00:41:22: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:22: ISAKMP (0:1): purging node -989732546
*Mar 1 00:41:22: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at y.y.y.y
00:41:22: ISAKMP (0:1): returning IP addr to the address pool: 192.168.2.2
00:41:22: ISAKMP (0:1): returning address 192.168.2.2 to pool
00:41:22: ISAKMP (0:1): deleting node -1227309776 error FALSE reason ""
00:41:24: ISAKMP (1): received packet from y.y.y.y (R) QM_IDLE
00:41:24: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:24: ISAKMP (0:1): retransmitting due to retransmit phase 2
00:41:24: ISAKMP (0:1): time remaining never
00:41:24: ISAKMP (0:1): current time 00:00:00
00:41:24: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:25: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:25: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:25: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:25: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:32: ISAKMP (1): received packet from y.y.y.y (R) QM_IDLE
00:41:32: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:32: ISAKMP (0:1): retransmitting due to retransmit phase 2
00:41:32: ISAKMP (0:1): time remaining never
00:41:32: ISAKMP (0:1): current time 00:00:00
00:41:32: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:33: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:33: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:33: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:33: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:43: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:43: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:43: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
00:41:43: ISAKMP (1): sending packet to y.y.y.y (R) QM_IDLE
00:41:49: ISAKMP (1): received packet from y.y.y.y (R) QM_IDLE
00:41:49: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
00:41:49: ISAKMP (0:1): retransmitting due to retransmit phase 2
00:41:49: ISAKMP (0:1): time remaining never
00:41:49: ISAKMP (0:1): current time 00:00:00
00:41:49: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:49: ISAKMP (0:1): retransmitting phase 2 QM_IDLE -154066718 ...
00:41:49: ISAKMP (0:1): phase 1 going away; let's be paranoid.
00:41:49: ISAKMP (0:1): Bring down phase 2's
00:41:49: ISAKMP (0:1): That phase 1 was the last one of its kind. Taking phase 2's with us.
00:41:49: ISAKMP (0:1): peer does not do paranoid keepalives.
00:41:49: ISAKMP (0:1): deleting SA reason "death by retransmission P2" state (R) QM_IDLE (peer y.y.y.y) input queue 0
00:41:49: ISAKMP (0:1): returning address 192.168.2.2 to pool
00:41:49: ISAKMP (0:1): Unlocking struct 61C0C098 on return of attributes
00:41:49: CryptoEngine0: generate hmac context for conn id 1
00:41:49: ISAKMP (0:1): phase 1 going away; let's be paranoid.
00:41:49: ISAKMP (0:1): Bring down phase 2's
00:41:49: ISAKMP (0:1): That phase 1 was the last one of its kind. Taking phase 2's with us.
00:41:49: ISAKMP (0:1): peer does not do paranoid keepalives.
00:41:49: ISAKMP (0:1): deleting node -154066718 error TRUE reason "death by retransmission P2"
00:41:49: ISAKMP (0:1): deleting node 1293135644 error TRUE reason "death by retransmission P2"
00:41:49: IPSEC(key_engine): got a queue event...
00:41:49: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
00:41:49: IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
00:41:49: IPSEC(key_engine): got a queue event...
00:41:49: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
00:41:49: IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
00:42:12: ISAKMP (0:1): purging node -1227309776
00:42:39: ISAKMP (0:1): purging node -154066718
00:42:39: ISAKMP (0:1): purging node 1293135644
00:42:49: ISAKMP (0:1): purging SA.
00:42:49: CryptoEngine0: delete connection 1
00:42:55: ISAKMP: Deleting peer node for y.y.y.y


afakhan (Level 4)

Hi,

Based on the debugs (this seems to be a non-Cisco IPsec client for W2K):

00:41:22: IPSEC(validate_transform_proposal): proxy identities not supported
00:41:22: ISAKMP: IPSec policy invalidated proposal
00:41:22: ISAKMP (0:1): SA not acceptable!

it means that you *do not* have proper proxy IDs with masks. The proxy ID is the local subnet(s)/host(s) across the VPN connection, so make sure that you use 192.168.1.0/24 as the remote subnet. Other things to be taken care of:

1 - Make sure that you bypass NAT (static and PAT) for the IPsec data flow.

2 - Remove the crypto map from the e0/0 interface; you only need it on the outside (s0/0) interface.

Thanks,

Afaq
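As an added example (not the poster's configuration and not part of Afaq's reply), this is what items 1 and 2 of the reply look like in IOS on the router above. The pool range for vpn-pool, the existing NAT statement being a PAT overload on Serial0/0, and the ACL/route-map numbers and names are assumptions, not taken from the page; the debug shows 192.168.2.2 being allocated from the pool, which is the only hint about the pool's range.

```cisco
! Added example, not the poster's config or Afaq's reply.
! Assumptions (not on the page): vpn-pool hands out 192.168.2.0/24, the
! existing NAT rule is PAT on Serial0/0, ACL 110 and route-map NONAT are unused.
!
! Client address pool referenced by "crypto isakmp client configuration
! address-pool local vpn-pool" (assumed range).
ip local pool vpn-pool 192.168.2.1 192.168.2.254
!
! Item 1: keep LAN-to-client traffic out of NAT. Inside-to-outside packets
! are translated before the crypto map is evaluated, so without this deny
! the proxy identities the router sees are the post-NAT addresses, not
! 192.168.1.0/24 -> client. The deny must precede the permit.
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address 110
!
! Replaces the existing "ip nat inside source ..." statement (assumed to be
! PAT on the serial interface); remove the old statement first.
ip nat inside source route-map NONAT interface Serial0/0 overload
!
! Item 2: the crypto map belongs only on the interface facing the peer.
interface Ethernet0/0
 no crypto map vpnclient
!
interface Serial0/0
 crypto map vpnclient
!
! Client side (from the reply, not configured here): the W2K IPsec rule
! should name 192.168.1.0/24 as the remote subnet and the client's own
! assigned address as the local end, so the proxy IDs it proposes match.
```

Any static translations for hosts on 192.168.1.0/24 need the same exemption, as the reply's "static and PAT" wording implies. After applying the change, `clear crypto sa` and a fresh `debug crypto ipsec` should show the proposal passing the proxy check instead of the "proxy identities not supported" line quoted above.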