
Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi all,

I am about to deploy a remote-access VPN. I have generated the config with SDM, and I need some guidance before I jump to the testing phase. Here are my goals: I need 3 groups (office, travelers and Guest). For now I only have one group set up and I want to start testing with it. I want to log all the users using a RADIUS server, I want my RADIUS server to provide them their network configuration (IP, DNS...), and I want to tie them to their group. Here is the config for the office group; please let me know if it will meet my goal. Thanks a lot.

Any guidance will be really, really appreciated.


hostname trans_Atlas_VPN
!
boot-start-marker
boot-end-marker
!
logging buffered 20000
enable secret 5 $1$ktbl$QwO4ELmnsnfYAkcdiLsyO.
!
aaa new-model
!
!
aaa authentication login ssh group radius local
aaa authentication login vpn_authen group radius local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization network sdm_vpn_group_ml_1 group radius local
!
!
aaa session-id common
memory-size iomem 25
ip cef
!
!
no ip dhcp conflict logging
!
!
no ip domain lookup
ip domain name trans.Atl.com
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group OFFICE
key Ru$i055@CC$55
dns 10.11.a.b 10.11.c.d
domain trans.Atl.com
pool OFFICE_POOL
acl 100
group-lock
netmask 255.255.255.224
crypto isakmp profile sdm-ike-profile-1
   match identity group OFFICE
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set OFFICE_SET esp-aes esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set OFFICE_SET
set isakmp-profile sdm-ike-profile-1
!
!

interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet0/0
description DMZ9_Connection
ip address 10.1x.xx.5 255.255.255.0
no ip redirects
no ip unreachables
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
interface Ethernet1/0
description DMZ6_Connection
ip address 10.1x.x.45 255.255.254.0
no ip redirects
no ip unreachables
no ip mroute-cache
full-duplex
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 1.1.1.1 255.255.255.255 Null0
!
!
ip http server
ip http secure-server
ip dns server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.11.0.0 0.0.255.255 any
!
!
radius-server configure-nas
radius-server host 10.1xx.x.8 auth-port 1645 acct-port 1646 key 7 075870181E
!
control-plane
!


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi Jean,

You haven't created a pool named office pool.

Please add that.

That should be good.


Cheers,


Nash.


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi Nash,

Thanks for the reply and I really appreciate it. The pool was in the config, but I didn't add it in the "cut/paste". However, today I had a little time to test the configuration, and things didn't go as I expected. When I use the VPN client (5.0.06.10) on Win XP with SP 3, I got the error message: "Secure VPN connection terminated locally by the client./ Reason 412: The remote peer is no longer responding."

My remote VPN server is behind the ASA in a DMZ for VPN devices. The ASA does have a global IP translated to an internal IP for the VPN router (e.g. 185.20.1.2 ---> 10.10.2.23). When the XP client initiates the tunnel, the hit count for ISAKMP on the ASA increases, but the tunnel still fails.

VPN server is running IOS 12.4(15)T ---> NAT traversal enabled by default.

Do I need to configure NAT traversal on the ASA? The ASA is running 8.0.(4)32.

From the config above, nothing has changed. Except, that I added a new group, I use the SDM to add this group as well.

If you have any question or want me to post the config one more time, please let me know.

Thanks a million,

Jean Paul.


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi Jean,

If possible add a static translation for the VPN server DMZ IP on the ASA. That would be the best way to go, considering negotiations for VPN take place on UDP 500, 4500 and ESP traffic is passed through between the VPN server and client.


Also, yeah, please add NAT traversal on the Cisco ASA.

Allow UDP 500, 4500 and ESP traffic for the translated IP on the outside interface of the ASA and the DMZ IP on the DMZ interface.

Let me know if you face any other issues.


Cheers,


Nash.
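
The three flows named in the reply above (UDP 500, UDP 4500 and ESP towards the VPN server) can be checked mechanically against an ASA ACL. This is an added example, not code from the thread: the ACL names and the address 203.0.113.10 are constructed, and the parser assumes plain `extended permit|deny ... [eq port]` entries (no object groups, source ports or port ranges).

```python
import ipaddress
import re

# Flows the reply asks to allow towards the VPN server: label -> (protocol, dst port).
REQUIRED_FLOWS = {
    "IKE (udp/500)": ("udp", 500),
    "NAT-T (udp/4500)": ("udp", 4500),
    "ESP (IP protocol 50)": ("esp", None),
}
PORT_NAMES = {"isakmp": 500}  # the ASA prints udp/500 as "isakmp"

_ADDR = r"any|host\s+\S+|\d[\d.]*\s+\d[\d.]*"
ACE = re.compile(
    rf"^\s*access-list\s+(?P<acl>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    rf"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<src>{_ADDR})\s+"
    rf"(?P<dst>{_ADDR})(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

# Constructed sample; remark lines and unsupported syntax are skipped by the parser.
SAMPLE_ACLS = """\
access-list OUTSIDE_IN remark VPN access (constructed sample)
access-list OUTSIDE_IN line 2 extended permit esp any host 203.0.113.10
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list PARTIAL_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list PARTIAL_IN extended deny udp any any eq 4500
access-list PARTIAL_IN extended permit udp any host 203.0.113.10 eq 4500
"""


def _covers(spec, ip):
    """True if an ACL address spec (any | host A | NET MASK) contains ip."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return ipaddress.ip_address(parts[1]) == ip
    return ip in ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def _port(token):
    """Translate a port token (name or number) to an int, or None if unknown."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    return int(token) if token.isdigit() else None


def _ace_matches(ace, proto, port, ip):
    if ace["proto"] not in ("ip", proto) or not _covers(ace["dst"], ip):
        return False
    if ace["port"] is None:  # no port qualifier: the whole protocol matches
        return True
    return port is not None and _port(ace["port"]) == port


def vpn_flow_report(config, acl, server_ip):
    """Evaluate each required flow with first-match semantics.

    Returns label -> "permit", "deny" or "implicit deny" (no entry matched,
    so the implicit deny at the end of the ACL applies).
    """
    ip = ipaddress.ip_address(server_ip)
    aces = [m for m in map(ACE.match, config.splitlines()) if m and m["acl"] == acl]
    report = {}
    for label, (proto, port) in REQUIRED_FLOWS.items():
        first = next((m for m in aces if _ace_matches(m, proto, port, ip)), None)
        report[label] = first["action"] if first else "implicit deny"
    return report


if __name__ == "__main__":
    for name in ("OUTSIDE_IN", "PARTIAL_IN"):
        print(name, vpn_flow_report(SAMPLE_ACLS, name, "203.0.113.10"))
```

Anything other than "permit" for a flow means the ACL would drop that part of the tunnel setup, including the case where an earlier deny shadows a later permit.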


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi Nash,

Once again, a million thanks for your replies. As per the output below, your suggestions had been configured prior to the testing phase. The only thing that I am not sure about is whether the ASA has NAT traversal enabled by default. If not, HOW CAN I ENABLE IT?

static (DMZ19,Outside) 208.xx.255.aa  10.1aa.b.c netmask 255.255.255.255
access-list Outside_access_in remark  VPN ACCESS
access-list Outside_access_in extended permit esp any host 208.xx.255.aa
access-list Outside_access_in remark ah Access  VPN
access-list Outside_access_in extended permit ah any host 208.xx.255.aa 
access-list Outside_access_in remark ISAKMP ACCESS TO  VPN
access-list Outside_access_in extended permit udp any host 208.xx.255.aa  eq isakmp
access-list Outside_access_in extended permit udp any host 208.xx.255.aa  eq 4500

Thanks,

Jean Paul


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

NAT Traversal is disabled by default unless specified in the ISAKMP policies. Here is a link for you to look at to give you a better explanation of its features and how to use it.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1052899


Hope this helps.

2WJ


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi Jean,

The configuration on the ASA looks clean.

Hope the DMZ ACL is not blocking any traffic.

You can enable NAT traversal using the command

crypto isakmp nat-traversal

on the Cisco ASA in the configuration prompt.

Let me know the results.


Cheers,

Nash.


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

I just figured out that I don't have an ACL on the DMZ interface to allow the VPN traffic coming from the outside. As you know, the outside security level is zero and my DMZ is 40 (low to high denies). So I do need an ACL in the DMZ to allow the VPN traffic! What does that ACL look like? Is it just an ACL to allow ISAKMP and ESP?

access-list DMZ19_access_in line 1 remark Permit isamkp traffic to  VPN SERVER
access-list DMZ19_access_in line 2 extended permit udp any host 10.15X.A.B eq isakmp
access-group DMZ19_access_in in interface DMZ19

Thanks,

Jean Paul,


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi Nash,

I did enable NAT-T and even added a few ACLs on DMZ19, but still no luck. I keep getting the same error. One thing that I did figure out, though: I have syslog enabled on the ASA, but I can't see any ISAKMP packets in the log, yet the hit count keeps increasing on each try. Wireshark on the XP client shows that the client keeps sending ISAKMP aggressive mode, but never gets a response back to establish the tunnel!

Below is the final config; I only changed the IPs and other info for security and privacy. If you need more info, just let me know.

******************acl on DMZ19 Interface to permit tunnel***************************************
access-list DMZ19_access_in line 1 remark Permit ESP traffic to  VNP SERVER
access-list DMZ19_access_in line 2 extended permit esp any host 10.10.10.254
access-list DMZ19_access_in line 3 remark Permit AH traffic to  VNP SERVER
access-list DMZ19_access_in line 4 extended permit ah any host 10.10.10.254
access-list DMZ19_access_in line 5 remark Permit IKE traffic to  VPN SERVER to form TUNNEL
access-list DMZ19_access_in line 6 extended permit udp any host 10.10.10.254  eq isakmp
access-list DMZ19_access_in line 7 extended permit udp any host 10.10.10.254  eq 4500
access-group DMZ19_access_in in interface DMZ19
**********************************************************************************************************

boot-start-marker
boot-end-marker
!
logging buffered 20000
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 10.x.a.c auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-2
server 10.x.a.c  auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-3
server 10.x.a.c  auth-port 1645 acct-port 1646
!
aaa authentication login ssh group radius local
aaa authentication login vpn_authen group radius local
aaa authentication login sdm_vpn_xauth_ml_3 group sdm-vpn-server-group-2 local
aaa authentication login sdm_vpn_xauth_ml_4 group sdm-vpn-server-group-3 local
aaa authorization network sdm_vpn_group_ml_3 group sdm-vpn-server-group-2 local
aaa authorization network sdm_vpn_group_ml_4 group sdm-vpn-server-group-3 local
!
!
aaa session-id common
memory-size iomem 25
ip cef
!
crypto isakmp keepalive 3600
!
crypto isakmp client configuration group Office
key ******
dns 10.aa.bb.c 10.d.e.f
wins 10.aa.bb.c 10.d.e.f
domain mycompany.com
pool SDM_POOL_1
acl 101
group-lock
netmask 255.255.255.224
banner ^C********** THIS IS A PRIVATE NETWORK, ACCESS TO THIS DEVICE IS RESTRICTED TO
AUTHORIZE USERS ONLY.*********  ^C
!
crypto isakmp client configuration group CONTRACTOR
key *****
dns 10.aa.bb.c 10.d.e.f
wins 10.aa.bb.c 10.d.e.f
domain mycompany.com
pool SDM_POOL_2
group-lock
max-logins 3
netmask 255.255.255.224
banner ^C***********[This is a private network, Access to this device is restricted to authorise users ONLY! DISCONNECT
IMMEDIATELY IF YOU DO NOT HAVE AN AUTHORIZATION!!!!]********  ^C
crypto isakmp profile sdm-ike-profile-1
   match identity group Office
   client authentication list sdm_vpn_xauth_ml_3
   isakmp authorization list sdm_vpn_group_ml_3
   client configuration address respond
   virtual-template 3
crypto isakmp profile sdm-ike-profile-2
   match identity group CONTRACTOR
   client authentication list sdm_vpn_xauth_ml_4
   isakmp authorization list sdm_vpn_group_ml_4
   client configuration address respond
   virtual-template 4
!
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set isakmp-profile sdm-ike-profile-1
!
crypto ipsec profile SDM_Profile2
set security-association idle-time 7200
set isakmp-profile sdm-ike-profile-2
!
!
interface Ethernet0/0
description Management Access only
ip address 10.g.h.y 255.255.254.0
no ip redirects
no ip unreachables
no ip mroute-cache
full-duplex
!
interface FastEthernet0/0
! Connected to the ASA
description DMZ19_Connection OUTSIDE
ip address 10.1xx.z.y 255.255.255.0
no ip redirects
no ip unreachables
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
interface Ethernet1/0
description Connection INSIDE
ip address 10.1ww.r.t 255.255.255.0
no ip redirects
no ip unreachables
no ip mroute-cache
full-duplex
no cdp enable
!
interface Virtual-Template3 type tunnel
  ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template4 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile2
!
! These pools are also set under the group in ACS
ip local pool SDM_POOL_1 10.11.26.0 10.11.26.30
ip local pool SDM_POOL_2 10.11.26.33 10.11.26.61
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 1.1.1.1 255.255.255.255 Null0
ip route 10.xx.0.0 255.255.0.0 Ethernet0/0
!
radius-server configure-nas
radius-server host 10.x.a.c auth-port 1645 acct-port 1646 key 7 075870181E
radius-server host 10.x.a.b auth-port 1645 acct-port 1646 key 7 06515E751C
!
Thanks a million,

Jean Paul


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi Jean,

I think a TAC case would be the way to go.


We can have a better look at things and run debugs and captures and see where we are having the problem.

Cheers,


Nash.
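
For reading `debug crypto isakmp` output of the kind posted in this thread, the added example below (not from any poster) groups each "Checking ISAKMP transform" block with its offered attributes and the reason the router rejected it. The sample lines are constructed in the thread's syslog-relayed format, and a block whose verdict lines never arrived is reported as incomplete rather than guessed.

```python
import re
from collections import Counter

# Constructed sample in the syslog-relayed format seen in this thread
# (addresses and timestamps are made up). The second block has no verdict
# lines, as happens when the syslog relay drops messages.
SAMPLE = """\
<191>10: Nov 22 16:35:06.565: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy 192.0.2.10 22/11 09:35:06.990
<191>11: Nov 22 16:35:06.569: ISAKMP:      encryption AES-CBC 192.0.2.10 22/11 09:35:07.006
<191>12: Nov 22 16:35:06.569: ISAKMP:      hash SHA 192.0.2.10 22/11 09:35:07.006
<191>13: Nov 22 16:35:06.569: ISAKMP:      default group 2 192.0.2.10 22/11 09:35:07.006
<191>14: Nov 22 16:35:06.569: ISAKMP:      auth XAUTHInitPreShared 192.0.2.10 22/11 09:35:07.006
<191>15: Nov 22 16:35:06.569: ISAKMP:      keylength of 256 192.0.2.10 22/11 09:35:07.022
<191>16: Nov 22 16:35:06.569: ISAKMP:(0):Encryption algorithm offered does not match policy! 192.0.2.10 22/11 09:35:07.022
<191>17: Nov 22 16:35:06.569: ISAKMP:(0):atts are not acceptable. Next payload is 3 192.0.2.10 22/11 09:35:07.022
<191>18: Nov 22 16:35:06.585: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy 192.0.2.10 22/11 09:35:07.115
<191>19: Nov 22 16:35:06.585: ISAKMP:      encryption AES-CBC 192.0.2.10 22/11 09:35:07.115
<191>20: Nov 22 16:35:06.585: ISAKMP:      hash SHA 192.0.2.10 22/11 09:35:07.115
<191>21: Nov 22 16:35:06.590: ISAKMP:      keylength of 128 192.0.2.10 22/11 09:35:07.131
<191>24: Nov 22 16:35:06.606: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy 192.0.2.10 22/11 09:35:07.334
<191>25: Nov 22 16:35:06.606: ISAKMP:      encryption AES-CBC 192.0.2.10 22/11 09:35:07.334
<191>26: Nov 22 16:35:06.606: ISAKMP:      hash SHA 192.0.2.10 22/11 09:35:07.334
<191>27: Nov 22 16:35:06.610: ISAKMP:      keylength of 256 192.0.2.10 22/11 09:35:07.349
<191>28: Nov 22 16:35:06.610: ISAKMP:(0):Proposed key length does not match policy 192.0.2.10 22/11 09:35:07.349
<191>29: Nov 22 16:35:06.610: ISAKMP:(0):atts are not acceptable. Next payload is 3 192.0.2.10 22/11 09:35:07.349
<191>30: Nov 22 16:35:06.618: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy 192.0.2.10 22/11 09:35:07.412
<191>31: Nov 22 16:35:06.618: ISAKMP:      encryption AES-CBC 192.0.2.10 22/11 09:35:07.412
<191>32: Nov 22 16:35:06.618: ISAKMP:      hash SHA 192.0.2.10 22/11 09:35:07.412
<191>33: Nov 22 16:35:06.618: ISAKMP:      default group 2 192.0.2.10 22/11 09:35:07.412
<191>34: Nov 22 16:35:06.618: ISAKMP:      auth XAUTHInitPreShared 192.0.2.10 22/11 09:35:07.412
<191>35: Nov 22 16:35:06.618: ISAKMP:      keylength of 128 192.0.2.10 22/11 09:35:07.412
<191>36: Nov 22 16:35:06.618: ISAKMP:(0):atts are acceptable. Next payload is 3 192.0.2.10 22/11 09:35:07.412
"""

# The patterns search inside each line, so the syslog wrapper around the
# router's own message (prefix and trailing collector stamp) is ignored.
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
REASON = re.compile(r"ISAKMP:\(\d+\):\s*(.+?) does not match policy")
ATTR_NAMES = {"encryption": "encryption", "hash": "hash", "default group": "dh_group",
              "auth": "auth", "keylength of": "key_length"}


def parse_transform_checks(text):
    """Return one dict per 'Checking ISAKMP transform N against priority P' block."""
    checks, cur = [], None
    for line in text.splitlines():
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                   "offer": {}, "verdict": "incomplete", "reason": None}
            checks.append(cur)
            continue
        if cur is None:
            continue  # lines before the first proposal check
        m = ATTR.search(line)
        if m:
            cur["offer"][ATTR_NAMES[m.group(1)]] = m.group(2)
            continue
        m = REASON.search(line)
        if m:
            cur["reason"] = m.group(1)
        elif "atts are not acceptable" in line:
            cur["verdict"] = "rejected"
        elif "atts are acceptable" in line:
            cur["verdict"] = "accepted"
    return checks


def rejection_summary(checks):
    """Count rejection reasons per local ISAKMP policy priority."""
    summary = {}
    for c in checks:
        if c["verdict"] == "rejected":
            summary.setdefault(c["priority"], Counter())[c["reason"]] += 1
    return summary


def accepted_offers(checks):
    """(priority, transform) pairs the router accepted."""
    return [(c["priority"], c["transform"]) for c in checks if c["verdict"] == "accepted"]


if __name__ == "__main__":
    parsed = parse_transform_checks(SAMPLE)
    for prio, reasons in sorted(rejection_summary(parsed).items()):
        print(f"policy {prio}: {dict(reasons)}")
    print("accepted:", accepted_offers(parsed))
    print("incomplete:", [(c["priority"], c["transform"]) for c in parsed
                          if c["verdict"] == "incomplete"])
```

An empty accepted list together with a per-policy tally of reasons shows which attribute of each local policy no client offer satisfied.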


Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi Nash/all,

Can you guys give this one last shot? I have made some changes and I have a debug output. The connection has passed phase 1, but stopped there. Here is the debug....

<189>99: Nov 22 16:35:02.302: %SYS-5-CONFIG_I: Configured from console by efleuzinord on vty0 (10.11.10.50) 10.11.2.25 22/11 09:35:04.292
<190>100: Nov 22 16:35:03.304: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.11.25.102 port 514 started - CLI initiated 10.11.2.25 22/11 09:35:04.323
<191>101: Nov 22 16:35:06.553: ISAKMP (0:0): received packet from 74.210.10.26 dport 500 sport 3091 Global (N) NEW SA 10.11.2.25 22/11 09:35:06.850
<191>102: Nov 22 16:35:06.553: ISAKMP: Created a peer struct for 74.210.10.26, peer port 3091 10.11.2.25 22/11 09:35:06.850
<191>103: Nov 22 16:35:06.553: ISAKMP: New peer created peer = 0x8336A4BC peer_handle = 0x80000051 10.11.2.25 22/11 09:35:06.944
<191>104: Nov 22 16:35:06.553: ISAKMP: Locking peer struct 0x8336A4BC, refcount 1 for crypto_isakmp_process_block 10.11.2.25 22/11 09:35:06.944
<191>105: Nov 22 16:35:06.557: ISAKMP: local port 500, remote port 3091 10.11.2.25 22/11 09:35:06.944
<191>106: Nov 22 16:35:06.557: insert sa successfully sa = 828DCD58 10.11.2.25 22/11 09:35:06.944
<191>107: Nov 22 16:35:06.557: ISAKMP:(0): processing SA payload. message ID = 0 10.11.2.25 22/11 09:35:06.944
<191>108: Nov 22 16:35:06.557: ISAKMP:(0): processing ID payload. message ID = 0 10.11.2.25 22/11 09:35:06.944
<191>109: Nov 22 16:35:06.557: ISAKMP (0:0): ID payload  10.11.2.25 22/11 09:35:06.944
<191>110:  next-payload : 13 10.11.2.25 22/11 09:35:06.944
<191>111:  type         : 11  10.11.2.25 22/11 09:35:06.944
<191>112:  group id     : CONTRACTOR  10.11.2.25 22/11 09:35:06.944
<191>113:  protocol     : 17  10.11.2.25 22/11 09:35:06.944
<191>114:  port         : 500  10.11.2.25 22/11 09:35:06.959
<191>115:  length       : 18 10.11.2.25 22/11 09:35:06.959
<191>116: Nov 22 16:35:06.557: ISAKMP:(0):: peer matches sdm-ike-profile-2 profile 10.11.2.25 22/11 09:35:06.959
<191>117: Nov 22 16:35:06.561: ISAKMP:(0):Setting client config settings 833757C0 10.11.2.25 22/11 09:35:06.959
<191>118: Nov 22 16:35:06.561: ISAKMP:(0):(Re)Setting client xauth list  and state 10.11.2.25 22/11 09:35:06.959
<191>119: Nov 22 16:35:06.561: ISAKMP/xauth: initializing AAA request 10.11.2.25 22/11 09:35:06.959
<191>120: Nov 22 16:35:06.561: ISAKMP:(0): processing vendor id payload 10.11.2.25 22/11 09:35:06.959
<191>121: Nov 22 16:35:06.561: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch 10.11.2.25 22/11 09:35:06.959
<191>122: Nov 22 16:35:06.561: ISAKMP:(0): vendor ID is XAUTH 10.11.2.25 22/11 09:35:06.959
<191>123: Nov 22 16:35:06.561: ISAKMP:(0): processing vendor id payload 10.11.2.25 22/11 09:35:06.959
<191>124: Nov 22 16:35:06.565: ISAKMP:(0): vendor ID is DPD 10.11.2.25 22/11 09:35:06.959
<191>125: Nov 22 16:35:06.565: ISAKMP:(0): processing vendor id payload 10.11.2.25 22/11 09:35:06.959
<191>126: Nov 22 16:35:06.565: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch 10.11.2.25 22/11 09:35:06.959
<191>127: Nov 22 16:35:06.565: ISAKMP:(0): processing vendor id payload 10.11.2.25 22/11 09:35:06.959
<191>128: Nov 22 16:35:06.565: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch 10.11.2.25 22/11 09:35:06.959
<191>129: Nov 22 16:35:06.565: ISAKMP:(0): vendor ID is NAT-T v2 10.11.2.25 22/11 09:35:06.959
<191>130: Nov 22 16:35:06.565: ISAKMP:(0): processing vendor id payload 10.11.2.25 22/11 09:35:06.990
<191>131: Nov 22 16:35:06.565: ISAKMP:(0): vendor ID is Unity 10.11.2.25 22/11 09:35:06.990
<191>132: Nov 22 16:35:06.565: ISAKMP:(0): Authentication by xauth preshared 10.11.2.25 22/11 09:35:06.990
<191>133: Nov 22 16:35:06.565: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy 10.11.2.25 22/11 09:35:06.990
<191>134: Nov 22 16:35:06.569: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.006
<191>135: Nov 22 16:35:06.569: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.006
<191>136: Nov 22 16:35:06.569: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.006
<191>137: Nov 22 16:35:06.569: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.006
<191>138: Nov 22 16:35:06.569: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.006
<191>139: Nov 22 16:35:06.569: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.022
<191>140: Nov 22 16:35:06.569: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.022
<191>141: Nov 22 16:35:06.569: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.022
<191>142: Nov 22 16:35:06.569: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.022
<191>143: Nov 22 16:35:06.569: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy 10.11.2.25 22/11 09:35:07.022
<191>144: Nov 22 16:35:06.569: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.022
<191>145: Nov 22 16:35:06.569: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.037
<191>146: Nov 22 16:35:06.569: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.037
<191>147: Nov 22 16:35:06.569: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.037
<191>148: Nov 22 16:35:06.573: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.037
<191>149: Nov 22 16:35:06.573: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.037
<191>150: Nov 22 16:35:06.573: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.037
<191>151: Nov 22 16:35:06.573: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.037
<191>152: Nov 22 16:35:06.573: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.053
<191>153: Nov 22 16:35:06.573: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy 10.11.2.25 22/11 09:35:07.053
<191>154: Nov 22 16:35:06.573: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.053
<191>155: Nov 22 16:35:06.573: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.053
<191>156: Nov 22 16:35:06.573: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.053
<191>157: Nov 22 16:35:06.573: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.053
<191>158: Nov 22 16:35:06.573: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.053
<191>159: Nov 22 16:35:06.573: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.053
<191>160: Nov 22 16:35:06.577: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.068
<191>161: Nov 22 16:35:06.577: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.068
<191>162: Nov 22 16:35:06.577: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.068
<191>163: Nov 22 16:35:06.577: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy 10.11.2.25 22/11 09:35:07.068
<191>164: Nov 22 16:35:06.577: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.068
<191>165: Nov 22 16:35:06.577: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.068
<191>166: Nov 22 16:35:06.577: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.068
<191>167: Nov 22 16:35:06.577: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.068
<191>168: Nov 22 16:35:06.577: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.068
<191>169: Nov 22 16:35:06.577: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.068
<191>170: Nov 22 16:35:06.577: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.084
<191>171: Nov 22 16:35:06.577: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.084
<191>172: Nov 22 16:35:06.581: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.084
<191>173: Nov 22 16:35:06.581: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy 10.11.2.25 22/11 09:35:07.084
<191>174: Nov 22 16:35:06.581: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.084
<191>175: Nov 22 16:35:06.581: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.084
<191>176: Nov 22 16:35:06.581: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.084
<191>177: Nov 22 16:35:06.581: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.084
<191>178: Nov 22 16:35:06.581: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.084
<191>179: Nov 22 16:35:06.581: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.084
<191>180: Nov 22 16:35:06.581: ISAKMP:      keylength of 128 10.11.2.25 22/11 09:35:07.100
<191>181: Nov 22 16:35:06.581: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.100
<191>182: Nov 22 16:35:06.581: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.100
<191>183: Nov 22 16:35:06.581: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy 10.11.2.25 22/11 09:35:07.100
<191>184: Nov 22 16:35:06.581: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.100
<191>185: Nov 22 16:35:06.585: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.100
<191>186: Nov 22 16:35:06.585: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.100
<191>187: Nov 22 16:35:06.585: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.100
<191>188: Nov 22 16:35:06.585: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.100
<191>189: Nov 22 16:35:06.585: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.100
<191>190: Nov 22 16:35:06.585: ISAKMP:      keylength of 128 10.11.2.25 22/11 09:35:07.115
<191>191: Nov 22 16:35:06.585: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.115
<191>192: Nov 22 16:35:06.585: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.115
<191>193: Nov 22 16:35:06.585: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy 10.11.2.25 22/11 09:35:07.115
<191>194: Nov 22 16:35:06.585: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.115
<191>195: Nov 22 16:35:06.585: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.115
<191>196: Nov 22 16:35:06.585: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.115
<191>197: Nov 22 16:35:06.585: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.115
<191>198: Nov 22 16:35:06.585: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.115
<191>199: Nov 22 16:35:06.585: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.115
<191>200: Nov 22 16:35:06.590: ISAKMP:      keylength of 128 10.11.2.25 22/11 09:35:07.131
<191>203: Nov 22 16:35:06.590: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy 10.11.2.25 22/11 09:35:07.131
<191>204: Nov 22 16:35:06.590: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.131
<191>205: Nov 22 16:35:06.590: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.131
<191>206: Nov 22 16:35:06.590: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.131
<191>207: Nov 22 16:35:06.590: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.131
<191>208: Nov 22 16:35:06.590: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.131
<191>209: Nov 22 16:35:06.590: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.131
<191>210: Nov 22 16:35:06.590: ISAKMP:      keylength of 128 10.11.2.25 22/11 09:35:07.131
<191>211: Nov 22 16:35:06.590: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.131
<191>212: Nov 22 16:35:06.590: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.146
<191>213: Nov 22 16:35:06.590: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy 10.11.2.25 22/11 09:35:07.146
<191>214: Nov 22 16:35:06.590: ISAKMP:      encryption 3DES-CBC 10.11.2.25 22/11 09:35:07.146
<191>215: Nov 22 16:35:06.594: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.146
<191>216: Nov 22 16:35:06.594: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.146
<191>217: Nov 22 16:35:06.594: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.146
<191>218: Nov 22 16:35:06.594: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.162
<191>219: Nov 22 16:35:06.594: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.162
<191>220: Nov 22 16:35:06.594: ISAKMP:(0):Diffie-Hellman group offered does not match policy! 10.11.2.25 22/11 09:35:07.162
<191>221: Nov 22 16:35:06.594: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.162
<191>222: Nov 22 16:35:06.594: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy 10.11.2.25 22/11 09:35:07.162
<191>223: Nov 22 16:35:06.594: ISAKMP:      encryption 3DES-CBC 10.11.2.25 22/11 09:35:07.162
<191>224: Nov 22 16:35:06.594: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.209
<191>225: Nov 22 16:35:06.594: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.209
<191>226: Nov 22 16:35:06.594: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.224
<191>227: Nov 22 16:35:06.594: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.224
<191>228: Nov 22 16:35:06.594: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.224
<191>229: Nov 22 16:35:06.598: ISAKMP:(0):Hash algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.224
<191>230: Nov 22 16:35:06.598: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.240
<191>231: Nov 22 16:35:06.598: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy 10.11.2.25 22/11 09:35:07.240
<191>232: Nov 22 16:35:06.598: ISAKMP:      encryption 3DES-CBC 10.11.2.25 22/11 09:35:07.240
<191>233: Nov 22 16:35:06.598: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.240
<191>234: Nov 22 16:35:06.598: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.256
<191>235: Nov 22 16:35:06.598: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.256
<191>236: Nov 22 16:35:06.598: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.256
<191>237: Nov 22 16:35:06.598: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.256
<191>238: Nov 22 16:35:06.598: ISAKMP:(0):Diffie-Hellman group offered does not match policy! 10.11.2.25 22/11 09:35:07.256
<191>239: Nov 22 16:35:06.598: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.271
<191>240: Nov 22 16:35:06.598: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy 10.11.2.25 22/11 09:35:07.271
<191>241: Nov 22 16:35:06.598: ISAKMP:      encryption 3DES-CBC 10.11.2.25 22/11 09:35:07.271
<191>242: Nov 22 16:35:06.598: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.271
<191>243: Nov 22 16:35:06.598: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.287
<191>244: Nov 22 16:35:06.598: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.287
<191>245: Nov 22 16:35:06.602: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.287
<191>246: Nov 22 16:35:06.602: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.287
<191>247: Nov 22 16:35:06.602: ISAKMP:(0):Hash algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.287
<191>248: Nov 22 16:35:06.602: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.287
<191>249: Nov 22 16:35:06.602: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy 10.11.2.25 22/11 09:35:07.302
<191>250: Nov 22 16:35:06.602: ISAKMP:      encryption DES-CBC 10.11.2.25 22/11 09:35:07.302
<191>251: Nov 22 16:35:06.602: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.302
<191>252: Nov 22 16:35:06.602: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.302
<191>253: Nov 22 16:35:06.602: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.302
<191>254: Nov 22 16:35:06.602: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.302
<191>255: Nov 22 16:35:06.602: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.302
<191>256: Nov 22 16:35:06.602: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.302
<191>257: Nov 22 16:35:06.602: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.302
<191>258: Nov 22 16:35:06.606: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy 10.11.2.25 22/11 09:35:07.318
<191>259: Nov 22 16:35:06.606: ISAKMP:      encryption DES-CBC 10.11.2.25 22/11 09:35:07.318
<191>260: Nov 22 16:35:06.606: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.318
<191>261: Nov 22 16:35:06.606: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.318
<191>262: Nov 22 16:35:06.606: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.318
<191>263: Nov 22 16:35:06.606: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.318
<191>264: Nov 22 16:35:06.606: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.334
<191>265: Nov 22 16:35:06.606: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.334
<191>266: Nov 22 16:35:06.606: ISAKMP:(0):atts are not acceptable. Next payload is 0 10.11.2.25 22/11 09:35:07.334
<191>267: Nov 22 16:35:06.606: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy 10.11.2.25 22/11 09:35:07.334
<191>268: Nov 22 16:35:06.606: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.334
<191>269: Nov 22 16:35:06.606: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.334
<191>270: Nov 22 16:35:06.606: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.334
<191>271: Nov 22 16:35:06.606: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.334
<191>272: Nov 22 16:35:06.606: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.349
<191>273: Nov 22 16:35:06.606: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.349
<191>274: Nov 22 16:35:06.610: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.349
<191>275: Nov 22 16:35:06.610: ISAKMP:(0):Proposed key length does not match policy 10.11.2.25 22/11 09:35:07.349
<191>276: Nov 22 16:35:06.610: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.349
<191>277: Nov 22 16:35:06.610: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy 10.11.2.25 22/11 09:35:07.349
<191>278: Nov 22 16:35:06.610: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.365
<191>279: Nov 22 16:35:06.610: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.365
<191>280: Nov 22 16:35:06.610: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.365
<191>281: Nov 22 16:35:06.610: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.365
<191>282: Nov 22 16:35:06.610: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.365
<191>283: Nov 22 16:35:06.610: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.365
<191>284: Nov 22 16:35:06.610: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.365
<191>285: Nov 22 16:35:06.610: ISAKMP:(0):Hash algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.365
<191>286: Nov 22 16:35:06.610: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.365
<191>287: Nov 22 16:35:06.610: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy 10.11.2.25 22/11 09:35:07.380
<191>288: Nov 22 16:35:06.614: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.380
<191>289: Nov 22 16:35:06.614: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.380
<191>290: Nov 22 16:35:06.614: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.380
<191>291: Nov 22 16:35:06.614: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.380
<191>292: Nov 22 16:35:06.614: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.380
<191>293: Nov 22 16:35:06.614: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.380
<191>294: Nov 22 16:35:06.614: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.396
<191>295: Nov 22 16:35:06.614: ISAKMP:(0):Proposed key length does not match policy 10.11.2.25 22/11 09:35:07.396
<191>296: Nov 22 16:35:06.614: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.396
<191>297: Nov 22 16:35:06.614: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy 10.11.2.25 22/11 09:35:07.396
<191>298: Nov 22 16:35:06.614: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.396
<191>299: Nov 22 16:35:06.614: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.396
<191>300: Nov 22 16:35:06.614: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.396
<191>301: Nov 22 16:35:06.614: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.396
<191>302: Nov 22 16:35:06.614: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.396
<191>305: Nov 22 16:35:06.618: ISAKMP:(0):Hash algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.396
<191>306: Nov 22 16:35:06.618: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.396
<191>307: Nov 22 16:35:06.618: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy 10.11.2.25 22/11 09:35:07.412
<191>308: Nov 22 16:35:06.618: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.412
<191>309: Nov 22 16:35:06.618: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.412
<191>310: Nov 22 16:35:06.618: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.412
<191>311: Nov 22 16:35:06.618: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.412
<191>312: Nov 22 16:35:06.618: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.412
<191>313: Nov 22 16:35:06.618: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.427
<191>314: Nov 22 16:35:06.618: ISAKMP:      keylength of 128 10.11.2.25 22/11 09:35:07.427
<191>315: Nov 22 16:35:06.618: ISAKMP:(0):Diffie-Hellman group offered does not match policy! 10.11.2.25 22/11 09:35:07.427
<191>316: Nov 22 16:35:06.618: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.427
<191>317: Nov 22 16:35:06.622: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy 10.11.2.25 22/11 09:35:07.427
<191>318: Nov 22 16:35:06.622: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.427
<191>319: Nov 22 16:35:06.622: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.427
<191>320: Nov 22 16:35:06.622: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.427
<191>321: Nov 22 16:35:06.622: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.427
<191>322: Nov 22 16:35:06.622: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.443
<191>323: Nov 22 16:35:06.622: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.443
<191>324: Nov 22 16:35:06.622: ISAKMP:      keylength of 128 10.11.2.25 22/11 09:35:07.443
<191>325: Nov 22 16:35:06.622: ISAKMP:(0):Hash algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.443
<191>326: Nov 22 16:35:06.622: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.443
<191>327: Nov 22 16:35:06.622: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy 10.11.2.25 22/11 09:35:07.443
<191>328: Nov 22 16:35:06.622: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.458
<191>329: Nov 22 16:35:06.622: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.458
<191>330: Nov 22 16:35:06.622: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.458
<191>331: Nov 22 16:35:06.622: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.458
<191>332: Nov 22 16:35:06.622: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.458
<191>333: Nov 22 16:35:06.626: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.458
<191>334: Nov 22 16:35:06.626: ISAKMP:      keylength of 128 10.11.2.25 22/11 09:35:07.458
<191>335: Nov 22 16:35:06.626: ISAKMP:(0):Diffie-Hellman group offered does not match policy! 10.11.2.25 22/11 09:35:07.458
<191>336: Nov 22 16:35:06.626: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.458
<191>337: Nov 22 16:35:06.626: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy 10.11.2.25 22/11 09:35:07.474
<191>338: Nov 22 16:35:06.626: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.474
<191>339: Nov 22 16:35:06.626: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.474
<191>340: Nov 22 16:35:06.626: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.474
<191>341: Nov 22 16:35:06.626: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.474
<191>342: Nov 22 16:35:06.626: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.474
<191>343: Nov 22 16:35:06.626: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.490
<191>344: Nov 22 16:35:06.626: ISAKMP:      keylength of 128 10.11.2.25 22/11 09:35:07.490
<191>345: Nov 22 16:35:06.626: ISAKMP:(0):Hash algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.490
<191>346: Nov 22 16:35:06.626: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.490
<191>347: Nov 22 16:35:06.630: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy 10.11.2.25 22/11 09:35:07.490
<191>348: Nov 22 16:35:06.630: ISAKMP:      encryption 3DES-CBC 10.11.2.25 22/11 09:35:07.490
<191>349: Nov 22 16:35:06.630: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.490
<191>350: Nov 22 16:35:06.630: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.490
<191>351: Nov 22 16:35:06.630: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.490
<191>352: Nov 22 16:35:06.630: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.505
<191>353: Nov 22 16:35:06.630: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.505
<191>354: Nov 22 16:35:06.630: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.505
<191>355: Nov 22 16:35:06.630: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.505
<191>356: Nov 22 16:35:06.630: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy 10.11.2.25 22/11 09:35:07.505
<191>357: Nov 22 16:35:06.630: ISAKMP:      encryption 3DES-CBC 10.11.2.25 22/11 09:35:07.505
<191>358: Nov 22 16:35:06.630: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.505
<191>359: Nov 22 16:35:06.630: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.505
<191>360: Nov 22 16:35:06.630: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.505
<191>361: Nov 22 16:35:06.630: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.505
<191>362: Nov 22 16:35:06.634: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.521
<191>363: Nov 22 16:35:06.634: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.521
<191>364: Nov 22 16:35:06.634: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.521
<191>365: Nov 22 16:35:06.634: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy 10.11.2.25 22/11 09:35:07.521
<191>366: Nov 22 16:35:06.634: ISAKMP:      encryption 3DES-CBC 10.11.2.25 22/11 09:35:07.521
<191>367: Nov 22 16:35:06.634: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.521
<191>368: Nov 22 16:35:06.634: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.521
<191>369: Nov 22 16:35:06.634: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.521
<191>370: Nov 22 16:35:06.634: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.521
<191>371: Nov 22 16:35:06.634: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.521
<191>372: Nov 22 16:35:06.634: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.521
<191>373: Nov 22 16:35:06.634: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.521
<191>374: Nov 22 16:35:06.634: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy 10.11.2.25 22/11 09:35:07.536
<191>375: Nov 22 16:35:06.634: ISAKMP:      encryption 3DES-CBC 10.11.2.25 22/11 09:35:07.536
<191>376: Nov 22 16:35:06.638: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.536
<191>377: Nov 22 16:35:06.638: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.536
<191>378: Nov 22 16:35:06.638: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.536
<191>379: Nov 22 16:35:06.638: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.536
<191>380: Nov 22 16:35:06.638: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.536
<191>381: Nov 22 16:35:06.638: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.536
<191>382: Nov 22 16:35:06.638: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.536
<191>383: Nov 22 16:35:06.638: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy 10.11.2.25 22/11 09:35:07.536
<191>384: Nov 22 16:35:06.638: ISAKMP:      encryption DES-CBC 10.11.2.25 22/11 09:35:07.536
<191>385: Nov 22 16:35:06.638: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.536
<191>386: Nov 22 16:35:06.638: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.552
<191>387: Nov 22 16:35:06.638: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.552
<191>388: Nov 22 16:35:06.638: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.552
<191>389: Nov 22 16:35:06.638: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.552
<191>390: Nov 22 16:35:06.638: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.552
<191>391: Nov 22 16:35:06.642: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.552
<191>392: Nov 22 16:35:06.642: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy 10.11.2.25 22/11 09:35:07.552
<191>393: Nov 22 16:35:06.642: ISAKMP:      encryption DES-CBC 10.11.2.25 22/11 09:35:07.552
<191>394: Nov 22 16:35:06.642: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.552
<191>395: Nov 22 16:35:06.642: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.552
<191>396: Nov 22 16:35:06.642: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.552
<191>397: Nov 22 16:35:06.642: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.552
<191>398: Nov 22 16:35:06.642: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.568
<191>399: Nov 22 16:35:06.642: ISAKMP:(0):Encryption algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.568
<191>400: Nov 22 16:35:06.642: ISAKMP:(0):atts are not acceptable. Next payload is 0 10.11.2.25 22/11 09:35:07.568
<191>401: Nov 22 16:35:06.642: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy 10.11.2.25 22/11 09:35:07.568
<191>402: Nov 22 16:35:06.642: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.568
<191>403: Nov 22 16:35:06.642: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.568
<191>404: Nov 22 16:35:06.642: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.568
<191>407: Nov 22 16:35:06.646: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.568
<191>408: Nov 22 16:35:06.646: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.568
<191>409: Nov 22 16:35:06.646: ISAKMP:(0):Proposed key length does not match policy 10.11.2.25 22/11 09:35:07.568
<191>410: Nov 22 16:35:06.646: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.568
<191>411: Nov 22 16:35:06.646: ISAKMP:(0):Checking ISAKMP transform 2 against priority 3 policy 10.11.2.25 22/11 09:35:07.568
<191>412: Nov 22 16:35:06.646: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.583
<191>413: Nov 22 16:35:06.646: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.583
<191>414: Nov 22 16:35:06.646: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.583
<191>415: Nov 22 16:35:06.646: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.583
<191>416: Nov 22 16:35:06.646: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.583
<191>417: Nov 22 16:35:06.646: ISAKMP:      life duration (VPI) of   10.11.2.25 22/11 09:35:07.583
<191>418: 0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.583
<191>419: Nov 22 16:35:06.646: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.583
<191>420: Nov 22 16:35:06.646: ISAKMP:(0):Hash algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.583
<191>421: Nov 22 16:35:06.650: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.583
<191>422: Nov 22 16:35:06.650: ISAKMP:(0):Checking ISAKMP transform 3 against priority 3 policy 10.11.2.25 22/11 09:35:07.583
<191>423: Nov 22 16:35:06.650: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.583
<191>424: Nov 22 16:35:06.650: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.599
<191>425: Nov 22 16:35:06.650: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.599
<191>426: Nov 22 16:35:06.650: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.599
<191>427: Nov 22 16:35:06.650: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.599
<191>428: Nov 22 16:35:06.650: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.599
<191>429: Nov 22 16:35:06.650: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.599
<191>430: Nov 22 16:35:06.650: ISAKMP:(0):Proposed key length does not match policy 10.11.2.25 22/11 09:35:07.599
<191>431: Nov 22 16:35:06.650: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.599
<191>432: Nov 22 16:35:06.650: ISAKMP:(0):Checking ISAKMP transform 4 against priority 3 policy 10.11.2.25 22/11 09:35:07.599
<191>433: Nov 22 16:35:06.650: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.599
<191>434: Nov 22 16:35:06.650: ISAKMP:      hash MD5 10.11.2.25 22/11 09:35:07.599
<191>435: Nov 22 16:35:06.650: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.599
<191>436: Nov 22 16:35:06.650: ISAKMP:      auth pre-share 10.11.2.25 22/11 09:35:07.614
<191>437: Nov 22 16:35:06.654: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.614
<191>438: Nov 22 16:35:06.654: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.614
<191>439: Nov 22 16:35:06.654: ISAKMP:      keylength of 256 10.11.2.25 22/11 09:35:07.614
<191>440: Nov 22 16:35:06.654: ISAKMP:(0):Hash algorithm offered does not match policy! 10.11.2.25 22/11 09:35:07.614
<191>441: Nov 22 16:35:06.654: ISAKMP:(0):atts are not acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.614
<191>442: Nov 22 16:35:06.654: ISAKMP:(0):Checking ISAKMP transform 5 against priority 3 policy 10.11.2.25 22/11 09:35:07.614
<191>443: Nov 22 16:35:06.654: ISAKMP:      encryption AES-CBC 10.11.2.25 22/11 09:35:07.614
<191>444: Nov 22 16:35:06.654: ISAKMP:      hash SHA 10.11.2.25 22/11 09:35:07.614
<191>445: Nov 22 16:35:06.654: ISAKMP:      default group 2 10.11.2.25 22/11 09:35:07.614
<191>446: Nov 22 16:35:06.654: ISAKMP:      auth XAUTHInitPreShared 10.11.2.25 22/11 09:35:07.614
<191>447: Nov 22 16:35:06.654: ISAKMP:      life type in seconds 10.11.2.25 22/11 09:35:07.614
<191>448: Nov 22 16:35:06.654: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B  10.11.2.25 22/11 09:35:07.630
<191>449: Nov 22 16:35:06.654: ISAKMP:      keylength of 128 10.11.2.25 22/11 09:35:07.630
<191>450: Nov 22 16:35:06.654: ISAKMP:(0):atts are acceptable. Next payload is 3 10.11.2.25 22/11 09:35:07.661
<191>451: Nov 22 16:35:06.658: ISAKMP:(0): processing KE payload. message ID = 0 10.11.2.25 22/11 09:35:07.661
<191>452: Nov 22 16:35:06.806: ISAKMP:(0): processing NONCE payload. message ID = 0 10.11.2.25 22/11 09:35:07.677
<191>453: Nov 22 16:35:06.806: ISAKMP:(0): vendor ID is NAT-T v2 10.11.2.25 22/11 09:35:07.677
<191>454: Nov 22 16:35:06.806: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH 10.11.2.25 22/11 09:35:07.677
<191>455: Nov 22 16:35:06.806: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT  10.11.2.25 22/11 09:35:07.677
<191>456:  10.11.2.25 22/11 09:35:07.677
<191>457: Nov 22 16:35:11.690: ISAKMP (0:0): received packet from 74.210.10.26 dport 500 sport 3091 Global (R) AG_NO_STATE 10.11.2.25 22/11 09:35:12.684
<191>458: Nov 22 16:35:11.690: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet. 10.11.2.25 22/11 09:35:12.684
<191>459: Nov 22 16:35:11.690: ISAKMP:(0): retransmission skipped (awaiting response from other process) 10.11.2.25 22/11 09:35:12.684
<191>460: Nov 22 16:35:15.721: ISAKMP:(0): constructed NAT-T vendor-02 ID 10.11.2.25 22/11 09:35:15.726
<191>461: Nov 22 16:35:15.721: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR 10.11.2.25 22/11 09:35:15.726
<191>462: Nov 22 16:35:15.721: ISAKMP (0:0): ID payload  10.11.2.25 22/11 09:35:15.726
<191>463:  next-payload : 10 10.11.2.25 22/11 09:35:15.726
<191>464:  type         : 1  10.11.2.25 22/11 09:35:15.742
<191>465:  address      : 10.155.9.5  10.11.2.25 22/11 09:35:15.742
<191>466:  protocol     : 17  10.11.2.25 22/11 09:35:15.742
<191>467:  port         : 0  10.11.2.25 22/11 09:35:15.742
<191>468:  length       : 12 10.11.2.25 22/11 09:35:15.758
<191>469: Nov 22 16:35:15.721: ISAKMP:(0):Total payload length: 12 10.11.2.25 22/11 09:35:15.758
<191>470: Nov 22 16:35:15.725: ISAKMP:(0): sending packet to 74.210.10.26 my_port 500 peer_port 3091 (R) AG_INIT_EXCH 10.11.2.25 22/11 09:35:15.758
<191>471: Nov 22 16:35:15.725: ISAKMP:(0):Sending an IKE IPv4 Packet. 10.11.2.25 22/11 09:35:15.758
<191>472: Nov 22 16:35:15.725: ISAKMP:(0):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY 10.11.2.25 22/11 09:35:15.758
<191>473: Nov 22 16:35:15.725: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2  10.11.2.25 22/11 09:35:16.709
<191>474:  10.11.2.25 22/11 09:35:16.725
<191>475: Nov 22 16:35:16.698: ISAKMP (0:0): received packet from 74.210.10.26 dport 500 sport 3091 Global (R) AG_INIT_EXCH 10.11.2.25 22/11 09:35:16.725
<191>476: Nov 22 16:35:16.698: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet. 10.11.2.25 22/11 09:35:16.725
<191>477: Nov 22 16:35:16.698: ISAKMP:(0): retransmission skipped for phase 1 (time since last transmission 973) 10.11.2.25 22/11 09:35:16.740
<191>478: Nov 22 16:35:21.702: ISAKMP (0:0): received packet from 74.210.10.26 dport 500 sport 3091 Global (R) AG_INIT_EXCH 10.11.2.25 22/11 09:35:22.216
<191>479: Nov 22 16:35:21.706: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet. 10.11.2.25 22/11 09:35:22.232
<191>480: Nov 22 16:35:21.706: ISAKMP:(0): retransmitting due to retransmit phase 1 10.11.2.25 22/11 09:35:22.232
<191>481: Nov 22 16:35:22.207: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH... 10.11.2.25 22/11 09:35:22.232
<191>482: Nov 22 16:35:22.207: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1 10.11.2.25 22/11 09:35:22.247
<191>483: Nov 22 16:35:22.207: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH 10.11.2.25 22/11 09:35:22.247
<191>484: Nov 22 16:35:22.207: ISAKMP:(0): sending packet to 74.210.10.26 my_port 500 peer_port 3091 (R) AG_INIT_EXCH 10.11.2.25 22/11 09:35:22.247
<191>485: Nov 22 16:35:22.207: ISAKMP:(0):Sending an IKE IPv4 Packet. 10.11.2.25 22/11 09:35:23.199

Now here is the modified config:


aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 10.12.x.x auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-2
server 10.12.x.x  auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-3
server 10.12.x.x  auth-port 1645 acct-port 1646
!
aaa authentication login ssh group radius local
aaa authentication login vpn_authen group radius local
aaa authentication login sdm_vpn_xauth_ml_3 group sdm-vpn-server-group-2 local
aaa authentication login sdm_vpn_xauth_ml_4 group sdm-vpn-server-group-3 local
aaa authorization network default group sdm-vpn-server-group-3
aaa authorization network sdm_vpn_group_ml_3 group sdm-vpn-server-group-2 local
aaa authorization network sdm_vpn_group_ml_4 group sdm-vpn-server-group-3 local
!
!
aaa session-id common
memory-size iomem 25
ip cef
!
!
no ip dhcp conflict logging
!
!
no ip domain lookup
ip domain name vancouver.infosatad.com
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr aes
authentication pre-share
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp keepalive 90
!
crypto isakmp client configuration group Office
key ****
dns 10.123.7.254 10.123.7.238
wins 10.123.7.254 10.123.7.238
pool SDM_POOL_1
acl 101
group-lock
max-logins 1
netmask 255.255.255.224

!
crypto isakmp client configuration group CONTRACTOR
key ****
dns 10.123.7.254 10.123.7.238
wins 10.123.7.254 10.123.7.238
pool SDM_POOL_2
group-lock
max-users 4
max-logins 3
netmask 255.255.255.224

crypto isakmp profile sdm-ike-profile-1
   match identity group Office
   client authentication list sdm_vpn_xauth_ml_3
   isakmp authorization list sdm_vpn_group_ml_3
   client configuration address respond
   virtual-template 3
crypto isakmp profile sdm-ike-profile-2
   match identity group CONTRACTOR
   client authentication list sdm_vpn_xauth_ml_4
   isakmp authorization list sdm_vpn_group_ml_4
   client configuration address respond
   virtual-template 4
!
!
crypto ipsec transform-set OFFICE_SET esp-aes esp-sha-hmac
crypto ipsec transform-set CONTRACTOR_SET esp-aes esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set OFFICE_SET
set isakmp-profile sdm-ike-profile-1
!
crypto ipsec profile SDM_Profile2
set security-association lifetime seconds 7200
set security-association idle-time 7200
set transform-set CONTRACTOR_SET
set isakmp-profile sdm-ike-profile-2
!
!
crypto dynamic-map CONTRACTOR_MAP 1
set security-association idle-time 900
set transform-set CONTRACTOR_SET
!
crypto dynamic-map OFFICE_MAP 1
description Map for Office Group
set security-association idle-time 1800
set transform-set OFFICE_SET
set pfs group1
match address 101
reverse-route
!
interface FastEthernet0/0
description DMZ9_Connection OUTSIDE
ip address 10.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
interface Ethernet1/0
description DMZ6_Connection INSIDE
ip address 10.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip mroute-cache
full-duplex
no cdp enable
!
interface Virtual-Template3 type tunnel
description Infosat Employees working remotely
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template4 type tunnel
description All infosat CONTRACTORS
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile2
!
ip local pool SDM_POOL_1 10.11.26.0 10.11.26.30
ip local pool SDM_POOL_2 10.11.26.33 10.11.26.61
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 1.1.1.1 255.255.255.255 Null0
!

Thanks,

Jean Paul

Cisco Employee

Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi Jean Paul,

Based on the debugs, it looks like the router's reply never reaches the VPN client.

One thing I noticed from the configuration is that your default route is pointing out Eth1/0, which based on the description is the INSIDE interface, while Fa0/0 is the outside interface.


Are you sure that's the way it should be? Is the VPN connection coming in on Eth1/0 or Fa0/0?

Cheers,

Prapanch

Cisco Employee

Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Also, please ensure you have the command "crypto ipsec nat-t udp-enc" on the router.

Participant

Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi all,

I have changed the default route to point to the outside interface and I added the command below as suggested, but nothing changed. However, by looking closely at the debug output, I have seen that the router tries to reach the peer (VPN client) on a wrong port? Aren't the two devices, remote_vpn_server and the client, supposed to communicate on port 500?

.Nov 23 21:15:17.153: ISAKMP:(1021): retransmitting phase 1 AG_INIT_EXCH
.Nov 23 21:15:17.153: ISAKMP:(1021): sending packet to 74.210.10.26 my_port 500 peer_port 1071 (R) AG_INIT_EXCH

Cisco Employee

Re: Need a second pair of eyes for REMOTE-ACCESS VPN deployment

Hi,

That happens because the VPN client is behind a NAT device which NATs the source port UDP/500 to a random port. I guess that's what is happening in your case also. That is nothing to worry about.

Did you enable the nat-t command on the router?

Cheers,

Prapanch
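
The two readings of the debugs given in the replies above (the router's reply not reaching the client, and the client's source port being translated by NAT) can be pulled out of ISAKMP debug output mechanically. This is an added example, not part of the original thread: the sample lines are constructed in the thread's log format with a documentation-range peer address, and the function name `diagnose`, the result keys and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the debug output in this thread
# (syslog prefix and collector suffix omitted; 192.0.2.26 is a documentation address).
SAMPLE = """\
Nov 22 16:35:06.610: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
Nov 22 16:35:06.610: ISAKMP:      encryption AES-CBC
Nov 22 16:35:06.610: ISAKMP:      hash SHA
Nov 22 16:35:06.610: ISAKMP:      default group 2
Nov 22 16:35:06.610: ISAKMP:      auth XAUTHInitPreShared
Nov 22 16:35:06.610: ISAKMP:      keylength of 256
Nov 22 16:35:06.610: ISAKMP:(0):Proposed key length does not match policy
Nov 22 16:35:06.610: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov 22 16:35:06.630: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
Nov 22 16:35:06.630: ISAKMP:      encryption 3DES-CBC
Nov 22 16:35:06.630: ISAKMP:      hash SHA
Nov 22 16:35:06.630: ISAKMP:(0):Encryption algorithm offered does not match policy!
Nov 22 16:35:06.630: ISAKMP:(0):atts are not acceptable. Next payload is 3
Nov 22 16:35:06.654: ISAKMP:(0):Checking ISAKMP transform 5 against priority 3 policy
Nov 22 16:35:06.654: ISAKMP:      encryption AES-CBC
Nov 22 16:35:06.654: ISAKMP:      hash SHA
Nov 22 16:35:06.654: ISAKMP:      default group 2
Nov 22 16:35:06.654: ISAKMP:      keylength of 128
Nov 22 16:35:06.654: ISAKMP:(0):atts are acceptable. Next payload is 3
Nov 22 16:35:15.725: ISAKMP:(0): sending packet to 192.0.2.26 my_port 500 peer_port 3091 (R) AG_INIT_EXCH
Nov 22 16:35:16.698: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Nov 22 16:35:21.706: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Nov 22 16:35:22.207: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Nov 22 16:35:22.207: ISAKMP:(0): sending packet to 192.0.2.26 my_port 500 peer_port 3091 (R) AG_INIT_EXCH
""".splitlines()

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s{2,}(encryption|hash|default group|auth|keylength of)\s+(\S+)")
REASON = re.compile(r"ISAKMP:\(\d+\):(.+? does not match policy)")
VERDICT = re.compile(r"atts are (not )?acceptable")
SEND = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(R\) (\S+)")
DUP = re.compile(r"phase 1 packet is a duplicate")
RETX = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")


def diagnose(lines):
    """Summarise phase 1 negotiation and delivery symptoms from ISAKMP debug lines."""
    proposals, cur = [], None
    dup = retx = 0
    peers = set()
    for line in lines:
        if m := CHECK.search(line):
            # A new transform/policy comparison starts here.
            cur = {"transform": int(m[1]), "policy": int(m[2]),
                   "attrs": {}, "reason": None, "accepted": None}
            proposals.append(cur)
        elif cur and (m := ATTR.search(line)):
            cur["attrs"][m[1]] = m[2]
        elif cur and (m := REASON.search(line)):
            cur["reason"] = m[1]
        elif cur and (m := VERDICT.search(line)):
            cur["accepted"] = m[1] is None
            cur = None
        elif m := SEND.search(line):
            peers.add((m[1], int(m[3])))
        elif DUP.search(line):
            dup += 1
        elif RETX.search(line):
            retx += 1
    accepted = [p for p in proposals if p["accepted"]]
    return {
        "accepted": accepted[0] if accepted else None,
        "rejections": Counter(p["reason"] for p in proposals if p["accepted"] is False),
        # Heuristic: a peer port other than 500 suggests a NAT device rewrote the source port.
        "peer_port_translated": any(port != 500 for _, port in peers),
        # Heuristic (assumed thresholds): a transform matched, yet the peer keeps
        # resending its first packet and the router has to retransmit its reply.
        "reply_likely_lost": bool(accepted) and dup >= 2 and retx >= 1,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The long run of "atts are not acceptable" lines is normal policy matching; the useful signals are the one accepted transform, the duplicate and retransmit counters, and the peer port.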