
Preshared authentication offered but does not match policy

zaherhamiyah
Level 1

My VPN connection fails with the following debug messages:

 

ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 14
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP:(0):Preshared authentication offered but does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3

 

I have the following VPN configuration:

 

aaa new-model
!
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_CLIENT
key <removed>
pool VPN_CLIENT_POOL
acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
set transform-set TRANS_3DES_SHA
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
ip local pool VPN_CLIENT_POOL 192.168.50.100 192.168.50.200
!
!
access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255

 

Is there something wrong with my configuration?

Thanks.

5 Replies

Hi,
I notice from the error output it mentions "default group 14" but your configuration is only using group 2.
Can you provide the configuration of the other device please?

Here is the full configuration of the VPN:

 

aaa new-model
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_CLIENT
key <removed>
pool VPN_CLIENT_POOL
acl 110
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
set transform-set TRANS_3DES_SHA
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
ip local pool VPN_CLIENT_POOL 192.168.50.100 192.168.50.200
!
!
access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
!
crypto pki token default removal timeout 0
!
! 
no crypto isakmp default policy
!
crypto isakmp policy 1
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp fragmentation
crypto isakmp client configuration address-pool local VPN_CLIENT_POOL
!
crypto isakmp client configuration group VPN_CLIENT
 key ibc
 pool VPN_CLIENT_POOL
 acl 110
 save-password
!
crypto isakmp client configuration group default
 key ibc
 pool VPN_CLIENT_POOL
 acl 110
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac 
no crypto ipsec default transform-set
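
Added example (not part of any post in this thread): a Python sketch that compares the attributes offered in the debug output with each posted `crypto isakmp policy` block, the comparison the first reply makes by eye. It assumes classic IOS defaults (DES, SHA, RSA signatures, group 1) for attributes a policy leaves unset; the function names are illustrative.

```python
import re

# Assumption: classic IOS defaults for attributes a policy leaves unset.
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "auth": "rsa-sig"}
CFG_KEYS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
            "group": "group", "authentication": "auth"}
# Lines copied from the thread's posts.
DEBUG = """ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 14
ISAKMP: auth pre-share
ISAKMP:(0):Preshared authentication offered but does not match policy!"""
CONFIG = """crypto isakmp policy 1
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp fragmentation"""

def parse_offer(debug):  # offered phase 1 attributes from the debug text
    offer = {}
    for line in debug.splitlines():
        m = re.match(r"ISAKMP:\s*(encryption|hash|default group|auth)\s+(\S+)",
                     line.strip())
        if m:  # "default group" -> "group", "3DES-CBC" -> "3des"
            key = m.group(1).replace("default ", "")
            offer[key] = m.group(2).lower().replace("-cbc", "")
    return offer

def parse_policies(config):  # {priority: attributes} per policy block
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        m = re.match(r"crypto isakmp policy (\d+)$", line.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif current is not None and len(words) >= 2 and words[0] in CFG_KEYS:
            current[CFG_KEYS[words[0]]] = words[1].lower()
        else:
            current = None  # "!" or any other command closes the block
    return policies

def mismatches(offer, policies):  # per policy: attributes where the offer differs
    return {prio: sorted(k for k in DEFAULTS if offer.get(k) != attrs[k])
            for prio, attrs in sorted(policies.items())}
```

On the posted data the closest policy is 10, which differs from the offer only in the DH group (14 offered, 2 configured).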

What is the other device that is attempting to establish a VPN? What's its configuration?
Please provide the full debug output.

I am using two:

1) Windows 8 >>> L2TP VPN connection

2) iPad... with Cisco VPN client installed

 

I got the same debug messages when trying to connect.
