03-08-2011 06:22 AM
The below config is set up on my router, running 12.4. When the client initiates a connection the error states preshared authentication does not match the policy, which to me is clearly false. Any ideas?
Config:
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group myvpn
key myVPN
domain mydomain.local
pool myvpnpool
crypto ipsec transform-set myvpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myvpnset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
int fa0/0
crypto map clientmap
ip local pool myvpnpool 10.16.20.1 10.16.20.32
Error:
002474: *Mar 8 11:26:38.775 GMT: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
002475: *Mar 8 11:26:38.775 GMT: ISAKMP: encryption 3DES-CBC
002476: *Mar 8 11:26:38.775 GMT: ISAKMP: hash SHA
002477: *Mar 8 11:26:38.775 GMT: ISAKMP: default group 2
002478: *Mar 8 11:26:38.775 GMT: ISAKMP: auth pre-share
002479: *Mar 8 11:26:38.775 GMT: ISAKMP: life type in seconds
002480: *Mar 8 11:26:38.775 GMT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
002481: *Mar 8 11:26:38.775 GMT: ISAKMP:(0):Preshared authentication offered but does not match policy!
002482: *Mar 8 11:26:38.775 GMT: ISAKMP:(0):atts are not acceptable. Next payload is 3
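The debug above lists the attributes the client offered (encryption, hash, group, authentication, lifetime) and the router's verdict. As an added example, not code from the thread, the script below parses those `debug crypto isakmp` lines and the `crypto isakmp policy` blocks from the posted config, fills in the documented IOS defaults for attributes a policy leaves unset, and compares the offer against each policy in priority order the way the router does. Run on the thread's own lines it finds no attribute mismatch against policy 10, which is exactly the puzzle the post describes; a constructed MD5 variant shows what a genuine mismatch report looks like. It checks only the plain attribute set, not the xauth or key-statement interactions the replies raise.

```python
import re

# Documented IOS defaults for attributes a 'crypto isakmp policy' block leaves unset.
IOS_POLICY_DEFAULTS = {"encryption": "des", "hash": "sha",
                       "authentication": "rsa-sig", "group": "1", "lifetime": 86400}

# Debug-output spellings mapped to configuration keywords (values seen in the thread
# plus the common DES/MD5/RSA variants); anything else passes through lowercased.
DEBUG_TO_CONFIG = {
    "encryption": {"3DES-CBC": "3des", "DES-CBC": "des", "AES-CBC": "aes"},
    "hash": {"SHA": "sha", "MD5": "md5"},
    "auth": {"pre-share": "pre-share", "RSA sig": "rsa-sig"},
}
POLICY_HEADER = re.compile(r"^crypto isakmp policy (\d+)$")
DEBUG_ATTR = re.compile(
    r"ISAKMP:\s+(encryption|hash|default group|auth|life duration \(VPI\) of)\s+(.+)$")
COMPARED = ("encryption", "hash", "authentication", "group")


def parse_isakmp_policies(config_text):
    """Return {priority: attributes} for each 'crypto isakmp policy N' block,
    filling attributes the block does not set with the IOS defaults."""
    policies, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        header = POLICY_HEADER.match(line)
        if header:
            current = dict(IOS_POLICY_DEFAULTS)
            policies[int(header.group(1))] = current
            continue
        if current is None or not line:
            continue
        keyword, *args = line.split()
        if keyword in ("encr", "encryption") and args:
            current["encryption"] = args[0]      # key length ('aes 256') is not compared
        elif keyword in ("hash", "authentication", "group") and args:
            current[keyword] = args[0]
        elif keyword == "lifetime" and args:
            current["lifetime"] = int(args[0])
        else:
            current = None   # any other command ends the (unindented) policy block
    return policies


def parse_proposal(debug_text):
    """Extract one offered transform's attributes from 'debug crypto isakmp' lines.
    The lifetime is printed as big-endian bytes ('0x0 0x20 0xC4 0x9B')."""
    proposal = {}
    for line in debug_text.splitlines():
        m = DEBUG_ATTR.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "encryption":
            proposal["encryption"] = DEBUG_TO_CONFIG["encryption"].get(value, value.lower())
        elif key == "hash":
            proposal["hash"] = DEBUG_TO_CONFIG["hash"].get(value, value.lower())
        elif key == "default group":
            proposal["group"] = value
        elif key == "auth":
            proposal["authentication"] = DEBUG_TO_CONFIG["auth"].get(value, value)
        else:  # life duration (VPI) of 0x.. 0x.. 0x.. 0x..
            proposal["lifetime"] = int.from_bytes(bytes(int(b, 16) for b in value.split()), "big")
    return proposal


def find_matching_policy(proposal, policies):
    """Walk policies lowest number first, as the router does. Returns
    (matched priority or None, {priority: [(attr, offered, configured), ...]}).
    Lifetime is parsed but never counted as a mismatch: Cisco documents that the
    shorter of the two lifetimes is used when they differ."""
    report = {}
    for prio in sorted(policies):
        mismatches = [(a, proposal[a], policies[prio][a])
                      for a in COMPARED if a in proposal and proposal[a] != policies[prio][a]]
        report[prio] = mismatches
        if not mismatches:
            return prio, report
    return None, report


# Config and debug lines copied from the thread's first post.
THREAD_CONFIG = """\
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group myvpn
key myVPN
"""
THREAD_DEBUG = """\
002475: *Mar 8 11:26:38.775 GMT: ISAKMP: encryption 3DES-CBC
002476: *Mar 8 11:26:38.775 GMT: ISAKMP: hash SHA
002477: *Mar 8 11:26:38.775 GMT: ISAKMP: default group 2
002478: *Mar 8 11:26:38.775 GMT: ISAKMP: auth pre-share
002479: *Mar 8 11:26:38.775 GMT: ISAKMP: life type in seconds
002480: *Mar 8 11:26:38.775 GMT: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
"""
# Constructed variant (not from the thread): same client proposing MD5, which does
# fail to match policy 10 on the hash attribute.
CONSTRUCTED_MD5_DEBUG = THREAD_DEBUG.replace("hash SHA", "hash MD5")

if __name__ == "__main__":
    policies = parse_isakmp_policies(THREAD_CONFIG)
    for text in (THREAD_DEBUG, CONSTRUCTED_MD5_DEBUG):
        proposal = parse_proposal(text)
        matched, report = find_matching_policy(proposal, policies)
        print("offered:", proposal)
        for prio, mismatches in report.items():
            print(f"policy {prio}:", "match" if not mismatches else mismatches)
        print("result:", "no attribute mismatch" if matched else "no policy matched", "\n")
```

The offered lifetime decodes to 2147483 seconds, far above the 86400-second default, yet the router's debug does not object to it; the only objection is the authentication attribute that policy 10 plainly contains, so the attribute walk alone cannot explain the rejection.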
03-09-2011 10:11 AM
"no crypto isakmp default policy" has been supported since 12.4(20)T to disable the default ISAKMP suite.
To be honest, the router should still use the configured policy first, as the default has the lowest priority. What exact IOS version are you running? Let us know if disabling the default policy works.
03-09-2011 10:14 AM
kaachary,
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)
I just can't figure out why the router says preshared is not in the policy when it clearly is.
As you can see from the version I cannot disable default policy.
03-09-2011 10:47 AM
By any chance, do you not have this statement in the config?
crypto isakmp key
Since by default IOS requires the client to use xauth, this no-xauth keyword will cause IOS not to accept the connection without xauth. Removing the statement or just the "no-xauth" keyword should work. But, if you have dynamic L2L tunnels terminating on this router, they will fail. The correct way of configuring both is to use ISAKMP profiles.
03-09-2011 10:56 AM
kaachary,
There is no other configuration with reference to isakmp other than the config shown in the initial post.
The only other crypto config is the following;
crypto pki trustpoint TP-self-signed-3282012444
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3282012444
revocation-check none
rsakeypair TP-self-signed-3282012444
!
!
crypto pki certificate chain TP-self-signed-3282012444
certificate self-signed 01
--- cert ---
quit
03-09-2011 11:03 AM
I see. I tried your configuration with the default policy in there, on 12.4.15T4, and it worked for me. So, it doesn't seem to be a software version issue. Have you tried reloading this router? Is it possible for you to attach the full configuration of the router after hiding the addresses?
03-09-2011 11:15 AM
kaachary,
The config is attached.
Connection is being tested from one of the internal networks so the firewall is out of the equation.
Obviously something is wrong with the pre-share; the question is what.
03-09-2011 11:17 AM
kaachary,
I have reloaded the router a few times; I've been at this for 2 days.
03-11-2011 07:20 AM
kaachary,
Any luck?