
Problems with PPTP and Cisco VPN

Dear All,

 

I have a problem with my Cisco configuration that I can’t seem to be able to crack, and would appreciate it if someone would kindly advise from my configuration (see attached) what's going wrong :-)

I have two Cisco routers:

RTR01 Cisco 887W with Public Static IP 81.149.136.XXX, Network 192.168.2.0/24, Router Name SilkR1

RTR02 Cisco 881 with Dynamic Public IP and DDNS, Network 192.168.20.0/24, Router Name VirgandinR1

RTR03 Mikrotik 433 with Dynamic Public IP and DDNS, Network 192.168.211.0/24

 

I have 3 IPSEC VPNs UP between:

RTR01,RTR02,RTR03

Communication works both ways between RTR01 and RTR03 via the L2L VPN

RTR01-->RTR03 L2L VPN (can access the 192.168.211.0/24 from 192.168.2.0/24) Working

RTR03-->RTR01 L2L VPN (can access the 192.168.2.0/24 from 192.168.211.0/24) Working

Communication does not work between RTR01 and RTR03 via the L2L VPN

RTR01-->RTR02 L2L VPN (can't access the 192.168.20.0/24 from 192.168.2.0/24) Not Working

RTR02-->RTR01 L2L VPN (can't access the 192.168.2.0/24 from 192.168.20.0/24) Not Working

I would like to fix the above VPN issue and have both PPTP VPN connectivity and IPSEC VPN using the Cisco VPN client software to access the internal network on RTR02. PPTP VPN to RTR01 is fully functional (however, I can't seem to get it working on RTR02).

Currently the problems are as follows:

I can establish a PPTP VPN tunnel however I am not able to access the internal network 192.168.20.0/24, on RTR02 I can ping the RTR02's internal interface however nothing else!

The L2L IPSEC VPN between the 2 RTRs is up; however, I am not able to reach the inside network 192.168.20.0/24. I can only access the router's interface 192.168.20.254.

I can’t establish an IPSEC VPN using the Cisco VPN client software, keep getting the below Phase 1 errors in the logs: (see attached Full Log and running config)

.Dec 14 10:40:01.931 zone: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Dec 14 10:40:01.931 zone: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Dec 14 10:40:01.931 zone: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
.Dec 14 10:40:01.931 zone: ISAKMP:      encryption DES-CBC
.Dec 14 10:40:01.931 zone: ISAKMP:      hash MD5
.Dec 14 10:40:01.931 zone: ISAKMP:      default group 2
.Dec 14 10:40:01.931 zone: ISAKMP:      auth pre-share
.Dec 14 10:40:01.931 zone: ISAKMP:      life type in seconds
.Dec 14 10:40:01.931 zone: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Dec 14 10:40:01.931 zone: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Dec 14 10:40:01.931 zone: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Dec 14 10:40:01.931 zone: ISAKMP:(0):no offers accepted!
Dec 14 10:40:01.931 zone: ISAKMP:(0): phase 1 SA policy not acceptable! (local 85.232.217.10 remote 92.251.98.5)
.Dec 14 10:40:01.931 zone: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
.Dec 14 10:40:01.931 zone: ISAKMP:(0): Failed to construct AG informational message.
.Dec 14 10:40:01.931 zone: ISAKMP:(0): sending packet to 92.251.98.5 my_port 500 peer_port 54763 (R) AG_NO_STATE
.Dec 14 10:40:01.931 zone: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Dec 14 10:40:01.931 zone: ISAKMP:(0):peer does not do paranoid keepalives.

.Dec 14 10:40:01.931 zone: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 92.251.98.5)
.Dec 14 10:40:01.931 zone: ISAKMP:(0): processing KE payload. message ID = 0
.Dec 14 10:40:01.931 zone: ISAKMP:(0): group size changed! Should be 0, is 128
.Dec 14 10:40:01.931 zone: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
.Dec 14 10:40:01.935 zone: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
.Dec 14 10:40:01.935 zone: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
.Dec 14 10:40:01.935 zone: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

  

Would someone kindly assist/shed some light as to the problem?

Regards

James
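
An added example, not part of the original post: a small Python parser that groups ISAKMP debug lines like those quoted above into one record per transform/policy comparison, so the offered attributes and the rejection reason can be read side by side. The function names are hypothetical, and the sample is a subset of the log lines from the post.

```python
import re

# Subset of the debug lines quoted in the post (not new data).
SAMPLE = """\
.Dec 14 10:40:01.931 zone: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Dec 14 10:40:01.931 zone: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
.Dec 14 10:40:01.931 zone: ISAKMP:      encryption DES-CBC
.Dec 14 10:40:01.931 zone: ISAKMP:      hash MD5
.Dec 14 10:40:01.931 zone: ISAKMP:      default group 2
.Dec 14 10:40:01.931 zone: ISAKMP:      auth pre-share
.Dec 14 10:40:01.931 zone: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Dec 14 10:40:01.931 zone: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Dec 14 10:40:01.931 zone: ISAKMP:(0):no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
REJECT = re.compile(r"ISAKMP:\(\d+\):(.+ offered does not match policy!)")

def parse_phase1(log):
    """Return (comparisons, failed): one dict per transform/policy comparison,
    and True if the router logged that no offer was accepted."""
    comparisons, current, failed = [], None, False
    for line in log.splitlines():
        if m := CHECK.search(line):
            current = {"transform": int(m[1]), "priority": int(m[2]),
                       "attrs": {}, "reject": None}
            comparisons.append(current)
        elif current and (m := ATTR.search(line)):
            current["attrs"][m[1]] = m[2]      # attribute the peer offered
        elif current and (m := REJECT.search(line)):
            current["reject"] = m[1]           # first attribute that mismatched
        elif "no offers accepted!" in line:
            failed = True
    return comparisons, failed

def summarize(comparisons):
    """One readable line per comparison: offered attributes and outcome."""
    out = []
    for c in comparisons:
        a = c["attrs"]
        offer = "/".join(a.get(k, "?") for k in
                         ("encryption", "hash", "default group", "auth"))
        out.append(f"transform {c['transform']} vs policy {c['priority']}: "
                   f"{offer} -> {c['reject'] or 'no mismatch logged'}")
    return out

if __name__ == "__main__":
    comps, failed = parse_phase1(SAMPLE)
    print("\n".join(summarize(comps)), "\nphase 1 failed:", failed)
```

Run over the full debug output, this lists every proposal the client offered next to the local policy priority it was compared against, which shows which attribute the local ISAKMP policy and the client disagree on.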
