07-16-2010 03:38 PM
These are the policies configured for phase 1:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 7
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 9
encr aes 256
authentication pre-share
group 2
lifetime 28800
However, this is what my debug tells me:
Jul 16 18:23:19: ISAKMP:(0):found peer pre-shared key matching 67.216.78.20
Jul 16 18:23:19: ISAKMP:(0): local preshared key found
Jul 16 18:23:19: ISAKMP : Scanning profiles for xauth ...
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jul 16 18:23:19: ISAKMP: encryption DES-CBC
Jul 16 18:23:19: ISAKMP: hash MD5
Jul 16 18:23:19: ISAKMP: default group 2
Jul 16 18:23:19: ISAKMP: auth pre-share
Jul 16 18:23:19: ISAKMP: life type in seconds
Jul 16 18:23:19: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
Jul 16 18:23:19: ISAKMP: encryption DES-CBC
Jul 16 18:23:19: ISAKMP: hash MD5
Jul 16 18:23:19: ISAKMP: default group 2
Jul 16 18:23:19: ISAKMP: auth pre-share
Jul 16 18:23:19: ISAKMP: life type in seconds
Jul 16 18:23:19: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
Jul 16 18:23:19: ISAKMP: encryption DES-CBC
Jul 16 18:23:19: ISAKMP: hash MD5
Jul 16 18:23:19: ISAKMP: default group 2
Jul 16 18:23:19: ISAKMP: auth pre-share
Jul 16 18:23:19: ISAKMP: life type in seconds
Jul 16 18:23:19: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 7 policy
Jul 16 18:23:19: ISAKMP: encryption DES-CBC
Jul 16 18:23:19: ISAKMP: hash MD5
Jul 16 18:23:19: ISAKMP: default group 2
Jul 16 18:23:19: ISAKMP: auth pre-share
Jul 16 18:23:19: ISAKMP: life type in seconds
Jul 16 18:23:19: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 9 policy
Jul 16 18:23:19: ISAKMP: encryption DES-CBC
Jul 16 18:23:19: ISAKMP: hash MD5
Jul 16 18:23:19: ISAKMP: default group 2
Jul 16 18:23:19: ISAKMP: auth pre-share
Jul 16 18:23:19: ISAKMP: life type in seconds
Jul 16 18:23:19: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jul 16 18:23:19: ISAKMP: encryption DES-CBC
Jul 16 18:23:19: ISAKMP: hash MD5
Jul 16 18:23:19: ISAKMP: default group 2
Jul 16 18:23:19: ISAKMP: auth pre-share
Jul 16 18:23:19: ISAKMP: life type in seconds
Jul 16 18:23:19: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
Jul 16 18:23:19: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 16 18:23:19: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 16 18:23:19: ISAKMP:(0):no offers accepted!
Jul 16 18:23:19: ISAKMP:(0): phase 1 SA policy not acceptable! (local 65.118.143.194
remote 67.216.78.20)
The router is completely ignoring all of the configured policies and trying with nothing but the default. Is this a bug?
07-16-2010 06:19 PM
Hi Jason,
What you are seeing is the isakmp policy that the peer is proposing and it is being compared to the isakmp policies you have configured on your router.
Can you add another isakmp policy that matches this proposal to see if phase 1 completes.
crypto isakmp policy 2
encr des
authentication pre-share
hash md5
group 2
lifetime 7200
What is the peer device?
Regards,
Loren
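As an added example (not code from the thread or from Cisco), the comparison Loren describes written out in Python: it parses the peer's transform from the debug output above and walks the configured policies in priority order the way the `Checking ISAKMP transform 1 against priority N policy` lines do, reporting the first mismatching attribute per policy, then repeats with the suggested policy 2 added. Assumptions: every attribute except lifetime must match exactly, an offered lifetime is accepted when it is no longer than the policy's, and the priority-65535 entry is the IOS built-in default policy.

```python
# Added example, not code from the thread: replay the IOS ISAKMP policy-matching
# loop seen in the debug output so each "does not match policy!" has a visible cause.
# Assumed rules: exact match on encr/hash/auth/group; lifetime accepted when the
# offered value is <= the policy's; 65535 is the built-in IOS default policy.
import re

POLICIES = {  # from the original post (hash/lifetime defaults filled in for policy 5)
    1: ("3des", "md5", "pre-share", 2, 28800),
    3: ("3des", "md5", "pre-share", 5, 28800),
    5: ("aes", "sha", "pre-share", 2, 86400),   # IOS defaults: hash sha, 86400 s
    7: ("aes", "sha", "pre-share", 2, 28800),
    9: ("aes", "sha", "pre-share", 2, 28800),
    65535: ("des", "sha", "rsa-sig", 1, 86400),  # assumed built-in default policy
}
FIELDS = ("encr", "hash", "auth", "group", "lifetime")

# One transform block, quoted from the debug in the original post.
DEBUG = """\
Jul 16 18:23:19: ISAKMP: encryption DES-CBC
Jul 16 18:23:19: ISAKMP: hash MD5
Jul 16 18:23:19: ISAKMP: default group 2
Jul 16 18:23:19: ISAKMP: auth pre-share
Jul 16 18:23:19: ISAKMP: life type in seconds
Jul 16 18:23:19: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
"""

def parse_proposal(text):
    """Turn the peer's transform attributes into the same tuple shape as POLICIES."""
    enc = re.search(r"encryption (\S+)", text).group(1).lower().replace("-cbc", "")
    hsh = re.search(r"hash (\S+)", text).group(1).lower()
    auth = re.search(r"auth (\S+)", text).group(1)
    group = int(re.search(r"group (\d+)", text).group(1))
    # "life duration (VPI)" is the raw attribute value as big-endian bytes: 0x1C20 = 7200 s
    vpi = re.search(r"life duration \(VPI\) of (.+)", text).group(1).split()
    life = int.from_bytes(bytes(int(b, 16) for b in vpi), "big")
    return (enc, hsh, auth, group, life)

def match_policy(proposal, policies):
    """Return (accepted priority or None, {priority: first mismatching field})."""
    reasons = {}
    for prio in sorted(policies):
        bad = [f for f, p, c in zip(FIELDS, proposal, policies[prio])
               if (p > c if f == "lifetime" else p != c)]
        if not bad:
            return prio, reasons
        reasons[prio] = bad[0]
    return None, reasons

if __name__ == "__main__":
    offer = parse_proposal(DEBUG)
    print("offered:", offer, "->", match_policy(offer, POLICIES))
    print("with policy 2:", match_policy(offer, {**POLICIES, 2: ("des", "md5", "pre-share", 2, 7200)}))
```

Without policy 2 every configured policy fails on encryption and the default policy fails on hash, which is exactly the sequence in the debug; with policy 2 present the walk stops there.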
07-19-2010 07:58 AM
The peer device is Microsoft TMG (aka ISA).
As a follow-up, we took your advice and added that policy you suggested. The VPN came up but with a twist. Phase 1 was established using AES and SHA, which is what we wanted in the first place! Does anyone know why we had to add a policy for phase 1 in order to get the devices to establish phase 1 using a different policy?
07-19-2010 09:51 AM
Can you send the output of the following commands:
show crypto isakmp sa
show crypto ipsec sa peer [remote-peer-ip-address]
07-21-2010 08:07 AM
Here are the results of the show commands:
vib-oh_life#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
63.123.252.12 65.118.143.194 QM_IDLE 1797 0 ACTIVE
65.118.143.194 67.216.78.20 QM_IDLE 1801 0 ACTIVE
65.118.143.194 69.238.9.15 QM_IDLE 1800 0 ACTIVE
IPv6 Crypto ISAKMP SA
vib-oh_life#sh cry ipsec sa peer 67.216.78.20
interface: FastEthernet0/0
Crypto map tag: to_vpn, local addr 65.118.143.194
protected vrf: (none)
local ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.253.1.0/255.255.255.0/0/0)
current_peer 67.216.78.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 65.118.143.194, remote crypto endpt.: 67.216.78.20
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.1.0/255.255.255.0/0/0)
current_peer 67.216.78.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 65.118.143.194, remote crypto endpt.: 67.216.78.20
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.41.0.0/255.255.0.0/0/0)
current_peer 67.216.78.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3911788, #pkts encrypt: 3911788, #pkts digest: 3911788
#pkts decaps: 2266910, #pkts decrypt: 2266910, #pkts verify: 2266910
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 527, #recv errors 100
local crypto endpt.: 65.118.143.194, remote crypto endpt.: 67.216.78.20
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x5326E891(1395058833)
inbound esp sas:
spi: 0x22779B21(578263841)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3119, flow_id: NETGX:1119, crypto map: to_vpn
sa timing: remaining key lifetime (k/sec): (4444393/2890)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5326E891(1395058833)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3120, flow_id: NETGX:1120, crypto map: to_vpn
sa timing: remaining key lifetime (k/sec): (4405275/2890)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.18.143.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.52.0.0/255.255.0.0/0/0)
current_peer 67.216.78.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 65.118.143.194, remote crypto endpt.: 67.216.78.20
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
07-21-2010 11:43 AM
Hi,
The phase 2 SA is being built with 3DES and SHA.
I meant to ask for "show crypto isakmp detail" to verify the Phase 1 SA, can you check this to determine what the Cisco device is using to secure Phase 1?
Thanks,
Loren
07-21-2010 11:59 AM
Phase 1 is being created with AES and SHA, which is what we wanted from the start.
07-21-2010 12:16 PM
Hi,
Based on the previous debugging information the ISA server is not proposing AES/SHA so why it is connecting with that is odd.
Can you provide the debugging information for this connection setup?
Thanks,
Loren
07-28-2010 07:15 AM
We have a few VPNs on this router so the debug will be hard to figure out. Currently the VPN we are working on is active and it is using AES/SHA for phase 1 and 3DES/SHA for phase 2.
Thanks for all your help.