Preshared authentication offered but does not match policy

cgeorgiev
Level 1

The below config is set up on my router, running 12.4. When the client initiates a connection, the error states that preshared authentication does not match the policy, which to me is clearly false. Any ideas?

Config:

aaa authentication login userauthen local
aaa authorization network groupauthor local

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group myvpn
key myVPN
domain mydomain.local
pool myvpnpool

crypto ipsec transform-set myvpnset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
set transform-set myvpnset

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

int fa0/0
crypto map clientmap

ip local pool myvpnpool 10.16.20.1 10.16.20.32

Error:

002474: *Mar  8 11:26:38.775 GMT: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
002475: *Mar  8 11:26:38.775 GMT: ISAKMP:      encryption 3DES-CBC
002476: *Mar  8 11:26:38.775 GMT: ISAKMP:      hash SHA
002477: *Mar  8 11:26:38.775 GMT: ISAKMP:      default group 2
002478: *Mar  8 11:26:38.775 GMT: ISAKMP:      auth pre-share
002479: *Mar  8 11:26:38.775 GMT: ISAKMP:      life type in seconds
002480: *Mar  8 11:26:38.775 GMT: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002481: *Mar  8 11:26:38.775 GMT: ISAKMP:(0):Preshared authentication offered but does not match policy!
002482: *Mar  8 11:26:38.775 GMT: ISAKMP:(0):atts are not acceptable. Next payload is 3

22 Replies

Krastin,

You're right.

If the pre-shared key is correct then you should not get the error but...

What happens sometimes is that you get that message when you have more than one defined policy in the configuration and the system reports there's not a match when checking against a non-matching policy (even though you do have a matching policy).

My question will be... what is the end of the messages?

Does it finally accept the policy? What's the status of the tunnel?

Federico.

Unfortunately it doesn't, and it bombs out:

004797: *Mar  8 17:24:47.642 GMT: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy

004798: *Mar  8 17:24:47.642 GMT: ISAKMP:      encryption 3DES-CBC
004799: *Mar  8 17:24:47.642 GMT: ISAKMP:      hash SHA
004800: *Mar  8 17:24:47.642 GMT: ISAKMP:      default group 2
004801: *Mar  8 17:24:47.642 GMT: ISAKMP:      auth pre-share
004802: *Mar  8 17:24:47.642 GMT: ISAKMP:      life type in seconds
004803: *Mar  8 17:24:47.642 GMT: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
004804: *Mar  8 17:24:47.642 GMT: ISAKMP:(0):Preshared authentication offered but does not match policy!
004805: *Mar  8 17:24:47.642 GMT: ISAKMP:(0):atts are not acceptable. Next payload is 3
005101: *Mar  8 17:24:47.670 GMT: ISAKMP:(0):no offers accepted!
005102: *Mar  8 17:24:47.670 GMT: ISAKMP:(0): phase 1 SA policy not acceptable! (local 85.130.104.229 remote 192.168.69.65)
005103: *Mar  8 17:24:47.670 GMT: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
005104: *Mar  8 17:24:47.670 GMT: ISAKMP:(0): sending packet to 192.168.69.65 my_port 500 peer_port 43293 (R) AG_NO_STATE
005105: *Mar  8 17:24:47.670 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
005106: *Mar  8 17:24:47.670 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

005107: *Mar  8 17:24:47.670 GMT: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.69.65)
005108: *Mar  8 17:24:47.670 GMT: ISAKMP:(0): processing KE payload. message ID = 0
005109: *Mar  8 17:24:47.670 GMT: ISAKMP:(0): group size changed! Should be 0, is 128
005110: *Mar  8 17:24:47.670 GMT: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
005111: *Mar  8 17:24:47.670 GMT: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
005112: *Mar  8 17:24:47.670 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
005113: *Mar  8 17:24:47.670 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

005114: *Mar  8 17:24:47.670 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.69.65
005115: *Mar  8 17:24:47.674 GMT: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.69.65)
005116: *Mar  8 17:24:47.674 GMT: ISAKMP: Unlocking peer struct 0x6549DD18 for isadb_mark_sa_deleted(), count 0
005117: *Mar  8 17:24:47.674 GMT: ISAKMP: Deleting peer node by peer_reap for 192.168.69.65: 6549DD18
005118: *Mar  8 17:24:47.674 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
005119: *Mar  8 17:24:47.674 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

005120: *Mar  8 17:24:47.674 GMT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
005121: *Mar  8 17:24:52.826 GMT: ISAKMP (0:0): received packet from 192.168.69.65 dport 500 sport 43293 Global (R) MM_NO_STATE

andamani
Cisco Employee

Hi,

You could try configuring the following:

crypto isakmp policy 5
encr des
authentication pre-share
group 2
hash sha

crypto isakmp policy 10
encr des
authentication pre-share
group 2
hash md5

Try and test after this. Let me know the results.

Regards,

Anisha

P.S.:  please mark this thread as answered if you feel your query is resolved.  Do rate helpful posts.

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 30
authentication pre-share
group 2
!
crypto isakmp policy 40
hash md5
authentication pre-share
group 2
!

Yields the same error. BTW, des/sha are the defaults for encr and hash.

Krastin,

Just a question.

Do you have a policy (prior to policy 5) configured for certificate authentication?

Federico.

Federico,

I don't; the whole config with reference to IPsec is the one above. It's very simple, and this is what is even more puzzling.

What I do notice is the fact that policy 10 is being traversed: the router is accepting the encr and hash, but then it is rejecting the preshared authentication as if policy 10 specified something different than pre-shared. I've verified the group name and key over 50 times and retyped them to no avail.

Just to take another view of the configured policies can you paste the output of:

sh cry isa pol

Also, what's the status of the tunnel when the error happens?

sh cry isa sa

Federico.

Federico,

#sh cry isa pol

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
85.xxx.xxx.xxx  192.168.69.65   MM_NO_STATE          0    0 ACTIVE (deleted)

I think that's the problem.

The default policy. Where I have two policies configured:

Router#sh cry isa pol

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 2
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

No default policy showing (which in your case shows authentication rsa-signatures).


Federico.
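Federico's two points above, that a "does not match" line is printed for every policy that fails before the matching one, and that the default protection suite (DES/SHA/rsa-sig/group 1) is walked as a candidate too, are easier to follow with a model of the responder's policy walk. The following is an added example, not code from the thread or from Cisco: it simplifies IOS to "walk policies in priority order, try every offered transform against each, default suite last" and reproduces the attribute-by-attribute lines that `debug crypto isakmp` prints, using transform 11 and the policies quoted in the thread. Policy 5 with rsa-sig is a constructed variant of the certificate-policy case Federico asked about, not something from the poster's configuration.

```python
"""Model of an IKEv1 responder walking its ISAKMP policies (Phase 1).

Added example, not code from the thread or from Cisco. IOS internals are
simplified: policies are walked in priority order, every offered transform is
tried against each, and the 'Default protection suite' is the last candidate.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # lower value is checked first; the default suite last
    encr: str
    hash: str
    auth: str
    group: int
    lifetime: int = 86400  # seconds


@dataclass(frozen=True)
class Transform:
    number: int
    encr: str
    hash: str
    auth: str
    group: int
    lifetime: int          # seconds, as decoded from the VPI attribute


def decode_life_duration(raw: bytes) -> int:
    """The debug prints the lifetime as raw VPI bytes; it is a big-endian integer."""
    return int.from_bytes(raw, "big")


def first_mismatch(t: Transform, p: IkePolicy) -> Optional[str]:
    """Return the first attribute that differs, in the order the debug lists them,
    or None when every attribute matches. Lifetime never causes a rejection here:
    the responder adopts the shorter of the two values."""
    checks = (
        ("encryption", t.encr, p.encr),
        ("hash", t.hash, p.hash),
        ("group", t.group, p.group),
        (f"{t.auth} authentication", t.auth, p.auth),
    )
    for name, offered, local in checks:
        if offered != local:
            return name
    return None


def negotiate(transforms: List[Transform],
              policies: List[IkePolicy]) -> Tuple[Optional[Dict[str, int]], List[str]]:
    """Walk policies by priority; the first transform that matches a policy wins.
    Returns (result, debug_log); result is None when no offer is accepted."""
    log: List[str] = []
    for p in sorted(policies, key=lambda x: x.priority):
        for t in transforms:
            log.append(f"Checking ISAKMP transform {t.number} against priority {p.priority} policy")
            failed = first_mismatch(t, p)
            if failed is None:
                log.append("atts are acceptable. Next payload is 0")
                return {"transform": t.number, "policy": p.priority,
                        "lifetime": min(t.lifetime, p.lifetime)}, log
            log.append(f"{failed} offered but does not match policy!")
            log.append("atts are not acceptable. Next payload is 3")
    log.append("no offers accepted!")
    return None, log


# Transform 11 exactly as the thread's debug shows it (lifetime 0x00 0x20 0xC4 0x9B).
CLIENT_TRANSFORMS = [
    Transform(11, "3des", "sha", "pre-share", 2,
              decode_life_duration(bytes([0x00, 0x20, 0xC4, 0x9B]))),
]

# IOS 'Default protection suite' from the poster's 'sh cry isa pol' output.
DEFAULT_SUITE = IkePolicy(priority=65535, encr="des", hash="sha", auth="rsa-sig", group=1)
POLICY_10 = IkePolicy(priority=10, encr="3des", hash="sha", auth="pre-share", group=2)

# The poster's configuration: policy 10 plus the default suite.
THREAD_POLICIES = [POLICY_10, DEFAULT_SUITE]

# Constructed variant: a certificate policy ahead of the pre-shared one produces
# the 'does not match' line before the match is found at policy 10.
CERT_POLICY_5 = IkePolicy(priority=5, encr="3des", hash="sha", auth="rsa-sig", group=2)
CERT_FIRST_POLICIES = [CERT_POLICY_5, POLICY_10, DEFAULT_SUITE]


if __name__ == "__main__":
    for label, pols in (("thread config", THREAD_POLICIES),
                        ("cert policy first", CERT_FIRST_POLICIES),
                        ("default suite only", [DEFAULT_SUITE])):
        result, log = negotiate(CLIENT_TRANSFORMS, pols)
        print(f"== {label}: {result}")
        print("\n".join("  " + line for line in log))
```

Against the poster's own policy set the model accepts transform 11 at policy 10 with no mismatch line, which is why the debug output in the thread looks "clearly false"; only when a non-matching policy is walked first (the constructed policy 5, or the default suite on its own) does the model emit the "offered but does not match policy!" line for that policy. Note also that the VPI bytes decode to 2147483 seconds, far longer than the local 86400, and the responder simply takes the shorter value rather than rejecting the proposal.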

Federico,

I'm not able to shut it off; it seems 'default' is an unrecognized command for isakmp, at least in my version.

Also, would it not match 10 and stop traversing?

Krastin,

Sorry if I'm completely wrong here, but it is my understanding that it is not possible for VPN clients to use main mode to authenticate to the VPN server with pre-shared keys. Is aggressive mode disabled?

Aggressive Mode is the default and the only mode available for Pre-shared key and Main Mode is only available for the Cert authentication.

Maybe this is not the problem, but you can always check just in case.

Federico.

Federico,

Aggressive mode is turned on. You are correct that turning it off would kill authentication for VPN clients.

Federico,

If you can test the config I have on a device without the default policy that would be great.

Honestly, at this point I'm not sure how to go about this.

Krastin,

I will (today or tomorrow).

Stay tuned!

Federico.