08-12-2015 05:43 AM - edited 02-21-2020 08:23 PM
Good morning all,
I have an 1841 that I've set up at home that I'm playing around on. I am trying to get remote access VPN working but cannot get past this bump in the road.
I set the config back to ground 0 for this problem and yes it is messy (keep in mind, I'm just playing around on it).
*Aug 12 01:10:10.831: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Aug 12 01:10:10.831: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Aug 12 01:10:10.831: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Aug 12 01:10:10.831: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Aug 12 01:10:10.831: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Aug 12 01:10:10.831: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Aug 12 01:10:10.831: ISAKMP:(0):Hash algorithm offered does not match policy!
*Aug 12 01:10:10.831: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Aug 12 01:10:11.115: AAA/BIND(000029C7): Bind i/f
*Aug 12 01:10:13.935: AAA/AUTHEN/LOGIN (000029C7): Pick method list 'default'
*Aug 12 01:10:14.175: ISAKMP (1008): Unknown Attr: MODECFG_HOSTNAME (0x700A)
*Aug 12 01:10:14.179: ISAKMP:FSM error - Message from AAA grp/user.
*Aug 12 01:10:14.343: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.343: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.343: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.343: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.343: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.343: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.343: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.343: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.343: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.343: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.343: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.343: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.343: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.343: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.347: ISAKMP:(1008): phase 2 SA policy not acceptable! (local <my external IP> remote 172.56.35.152)
*Aug 12 01:10:14.351: ISAKMP:(1008):deleting node -2006709112 error TRUE reason "QM rejected"
Any and all help appreciated!
Thanks.
08-12-2015 08:47 AM
Hello Richard,
You have overkilled your remote-access setup on your router.
Please delete your remote-access config portion and follow the link below in the Cisco doc.
http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
Remove these lines from your interface Fa0/0, since your Dialer0 interface is the actual routed interface and so your crypto map must be applied on the Dialer0 interface instead.
interface FastEthernet0/0
no ip access-group Outside_Access in
no ip access-group Inside_Access out
no ip accounting output-packets
no crypto map VPNMAP
Thanks
Rizwan Rafeek
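Added example, not part of the posts above: a small triage script for the debug output in the first post, showing that the repeated Phase 1 "does not match policy" lines were not the fatal error and that the session died in Quick Mode. The rule labels and the `SAMPLE` subset are this example's own; the log lines are copied from the post.

```python
import re
from collections import Counter

# Constructed sample: a subset of the debug lines from the first post, with
# the poster's "<my external IP>" placeholder kept as written.
SAMPLE = """\
*Aug 12 01:10:10.831: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Aug 12 01:10:10.831: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Aug 12 01:10:10.831: ISAKMP:(0):Hash algorithm offered does not match policy!
*Aug 12 01:10:14.343: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.343: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Aug 12 01:10:14.343: IPSEC(ipsec_process_proposal): invalid local address <my external IP>
*Aug 12 01:10:14.347: ISAKMP:(1008): phase 2 SA policy not acceptable! (local <my external IP> remote 172.56.35.152)
*Aug 12 01:10:14.351: ISAKMP:(1008):deleting node -2006709112 error TRUE reason "QM rejected"
"""

# label -> (IKE phase, pattern). Labels are this example's own names.
RULES = {
    "proposal_mismatch": (1, re.compile(r"ISAKMP:\(0\):\w+ algorithm offered does not match policy")),
    "invalid_local_address": (2, re.compile(r"ipsec_process_proposal\): invalid local address")),
    "sa_policy_rejected": (2, re.compile(r"phase 2 SA policy not acceptable")),
    "qm_rejected": (2, re.compile(r'reason "QM rejected"')),
}

def triage(log_text):
    """Count how often each known failure message occurs."""
    counts = Counter()
    for line in log_text.splitlines():
        for label, (_phase, pattern) in RULES.items():
            if pattern.search(line):
                counts[label] += 1
    return counts

def failing_phase(counts):
    """Return 2 if Quick Mode was reached and rejected, 1 if only Phase 1
    proposals were refused, None if no known failure was seen."""
    phases = {RULES[label][0] for label in counts}
    # Quick Mode only starts after Phase 1 succeeds, so any Phase 2 message
    # means the earlier per-proposal mismatches were not the fatal error.
    if 2 in phases:
        return 2
    return 1 if 1 in phases else None

if __name__ == "__main__":
    result = triage(SAMPLE)
    for label, n in result.most_common():
        print(f"{n:3d}  phase {RULES[label][0]}  {label}")
    print("failing phase:", failing_phase(result))
```

When the result is phase 2 and `invalid_local_address` is present, the interface carrying the crypto map is the first thing to check, which is what the reply above points at.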
08-24-2015 10:12 AM
Apologies. Was out on vacation.
Got that cleaned up, we connect, but DNS is not working.
Also maybe something wrong with the ACLs? Cannot RDP to any hosts on the 10.0.0.1 segment. I don't want to split tunnel. Just messing around with a spare DSL line I have at home.
Updated config attached.
08-24-2015 10:39 AM
What is not working for DNS?
Inside is your secure interface, please apply your inspection on outside instead and inspection for tcp as well.
ip inspect name firewall tcp
interface FastEthernet0/1
no ip inspect firewall in
interface Dialer0
ip inspect firewall in
Make the below deny line as the very first entry in the ACL 101 and then your permit line as second entry.
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.120.0 0.0.0.255
Try it and let me know.
thanks
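Added example, not part of the posts above: why the order of the two ACL 101 entries matters. IOS extended ACLs are first-match with wildcard masks, so the evaluator below runs both orderings. The deny line is the one from the reply; the permit line is an assumption, since the poster's actual permit entry is only in the attached config, and the test addresses are constructed.

```python
import ipaddress

# From the reply above.
DENY = "access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.120.0 0.0.0.255"
# Assumed: the poster's real permit entry is not shown on the page.
PERMIT = "access-list 101 permit ip 10.0.0.0 0.0.0.255 any"

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WILDCARD (DST WILDCARD | any)'."""
    tokens = line.split()
    action, rest = tokens[2], tokens[4:]
    fields = []
    while rest:
        if rest[0] == "any":
            fields.append((0, 0xFFFFFFFF))  # every bit is "don't care"
            rest = rest[1:]
        else:
            base = int(ipaddress.IPv4Address(rest[0]))
            wildcard = int(ipaddress.IPv4Address(rest[1]))
            fields.append((base, wildcard))
            rest = rest[2:]
    return action, fields[0], fields[1]

def matches(addr, field):
    """Wildcard masks are inverted: a 1 bit means the bit is ignored."""
    base, wildcard = field
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(acl_lines, src, dst):
    """Return (action, entry number) of the first matching entry."""
    for number, line in enumerate(acl_lines, 1):
        action, src_field, dst_field = parse_ace(line)
        if matches(src, src_field) and matches(dst, dst_field):
            return action, number
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    flow = ("10.0.0.10", "192.168.120.5")  # constructed addresses
    print("permit first:", evaluate([PERMIT, DENY], *flow))
    print("deny first:  ", evaluate([DENY, PERMIT], *flow))
    print("other dest:  ", evaluate([DENY, PERMIT], "10.0.0.10", "8.8.8.8"))
```

With the permit entry first, the deny line is never reached for traffic between the two subnets; with the deny entry first, that traffic is excluded and everything else from 10.0.0.0/24 still hits the permit.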
08-24-2015 10:51 AM
Done, and can now hit local resources! Thank you!
For example, I cannot get to www.google.com or whatever from VPN. When local, works fine.
08-24-2015 12:02 PM
Your VPN-client is Cisco vpn-client?
08-24-2015 01:23 PM
Cisco vpn-client on my laptop, built in on my phone.
Cannot ping 8.8.8.8, no.
ip domain-name rts.local -
08-24-2015 07:27 PM
08-24-2015 12:09 PM
Are you able to ping 8.8.8.8 when vpn-in?
Do you have ip domain-name configured on your router?
ip domain-name whatever-domain.com
thanks