05-14-2003 09:40 AM - edited 02-21-2020 12:32 PM
Hi,
I have a Cisco VPN client connection to a Cisco 2600. If I'm using the client version 3.5.2, it's working; once I upgrade to 3.6.4, I can't even finish the negotiation. Does it have something to do with the AES issue?
How can I get around this?
Simon
05-14-2003 10:24 AM
Simon,
The VPN client should send AES in the IKE proposal along with 3des and des. The router should accept either a 3des or a des proposal eventually. Can you send debug cry isa and debug cry ip from the router?
Jazib
05-14-2003 12:23 PM
Hi
Thanks for your reply, here is the debug message which I got from the router.
Any suggestions or hints would be appreciated.
04:51:04: ISAKMP (0:0): received packet from 67.194.152.99 (N) NEW SA
04:51:04: ISAKMP: local port 500, remote port 500
04:51:04: ISAKMP (0:2): (Re)Setting client xauth list user-test and state
04:51:04: ISAKMP: Locking CONFIG struct 0x82CC85C8 from crypto_ikmp_config_initi
alize_sa, count 2
04:51:04: ISAKMP (0:2): processing SA payload. message ID = 0
04:51:04: ISAKMP (0:2): processing ID payload. message ID = 0
04:51:04: ISAKMP (0:2): processing vendor id payload
04:51:04: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major
04:51:04: ISAKMP (0:2): vendor ID is XAUTH
04:51:04: ISAKMP (0:2): processing vendor id payload
04:51:04: ISAKMP (0:2): vendor ID is DPD
04:51:04: ISAKMP (0:2): processing vendor id payload
04:51:04: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major
04:51:04: ISAKMP (0:2): processing vendor id payload
04:51:04: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major
04:51:04: ISAKMP (0:2): processing vendor id payload
04:51:04: ISAKMP (0:2): vendor ID is Unity
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash SHA
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth XAUTHInitPreShared
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP: attribute 14
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth XAUTHInitPreShared
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP: attribute 14
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash SHA
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth pre-share
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP: attribute 14
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth pre-share
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP: attribute 14
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash SHA
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth XAUTHInitPreShared
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP: attribute 14
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth XAUTHInitPreShared
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP: attribute 14
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash SHA
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth pre-share
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP: attribute 14
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth pre-share
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP: attribute 14
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy
04:51:04: ISAKMP: encryption 3DES-CBC
04:51:04: ISAKMP: hash SHA
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth XAUTHInitPreShared
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 10 against priority 3 policy
04:51:04: ISAKMP: encryption 3DES-CBC
04:51:04: ISAKMP: hash SHA
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth pre-share
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 12 against priority 65535 poli
cy
04:51:04: ISAKMP: encryption 3DES-CBC
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth pre-share
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 13 against priority 65535 poli
cy
04:51:04: ISAKMP: encryption DES-CBC
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth XAUTHInitPreShared
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP (0:2): Hash algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 14 against priority 65535 poli
cy
04:51:04: ISAKMP: encryption DES-CBC
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth pre-share
04:51:04: ISAKMP: life type in seconds
04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:51:04: ISAKMP (0:2): Hash algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 0
04:51:04: ISAKMP (0:2): no offers accepted!
04:51:04: ISAKMP (0:2): phase 1 SA not acceptable!
04:51:04: ISAKMP (0:2): incrementing error counter on sa: construct_fail_ag_init
04:51:04: ISAKMP (0:2): Unknown Input: state = IKE_READY, major, minor = IKE_MES
G_FROM_PEER, IKE_AM_EXCH
04:51:09: ISAKMP (0:2): received packet from 67.194.152.99 (R) AG_NO_STATE
04:51:09: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
04:51:09: ISAKMP (0:2): retransmitting due to retransmit phase 1
04:51:09: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE...
04:51:10: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE...
04:51:10: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
04:51:10: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE
04:51:10: ISAKMP (0:2): sending packet to 67.194.152.99 (R) AG_NO_STATE
05-14-2003 01:17 PM
Hi there,
It does look like your router is not negotiating the ISAKMP policy. I don't know what the configured ISAKMP policy is on your router. But try to configure a policy similar to the one listed below and see what happens:
encr 3des
hash md5
group 2
auth pres
Jazib
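Added example (not part of the thread and not Cisco code): a Python parser for ISAKMP debug output in the format posted above. It records each offered transform, the policy priority it was checked against and the attribute it was rejected on, then lists the offers that equal a candidate policy on encryption, hash and group. The sample log is constructed and abridged from that format; comparing only those three attributes (auth is parsed but not compared) is a simplification made here.

```python
import re

# Constructed, abridged sample in the format of the debug output posted above.
SAMPLE = """\
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
04:51:04: ISAKMP: encryption... What? 7?
04:51:04: ISAKMP: hash SHA
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth XAUTHInitPreShared
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 12 against priority 65535 poli
cy
04:51:04: ISAKMP: encryption 3DES-CBC
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth pre-share
04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!
04:51:04: ISAKMP (0:2): Checking ISAKMP transform 13 against priority 65535 poli
cy
04:51:04: ISAKMP: encryption DES-CBC
04:51:04: ISAKMP: hash MD5
04:51:04: ISAKMP: default group 2
04:51:04: ISAKMP: auth XAUTHInitPreShared
04:51:04: ISAKMP (0:2): Hash algorithm offered does not match policy!
"""

HEAD = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)(?:\.\.\.)?\s+(.+)$")
FAIL = re.compile(r"(\w+) algorithm offered does not match policy")

def parse_offers(text):
    """Return one dict per 'Checking ISAKMP transform' block in the debug text."""
    offers = []
    for line in text.splitlines():
        line = line.strip()
        if m := HEAD.search(line):          # start of a new transform check
            offers.append({"transform": int(m[1]), "priority": int(m[2])})
        elif offers and (m := ATTR.search(line)):   # attribute the peer offered
            offers[-1][m[1]] = m[2].strip()
        elif offers and (m := FAIL.search(line)):   # first attribute that mismatched
            offers[-1]["rejected_on"] = m[1].lower()
    return offers

def offers_matching(offers, encryption, hash_alg, group):
    """Transform numbers whose encryption, hash and DH group equal a candidate policy."""
    return sorted({o["transform"] for o in offers
                   if (o.get("encryption"), o.get("hash"), o.get("default group"))
                   == (encryption, hash_alg, group)})
```

Calling `offers_matching(parse_offers(SAMPLE), "3DES-CBC", "MD5", "2")` shows which of the client's offers line up with the policy suggested in the reply. The value 7 that the router prints as `What? 7?` is the IANA IKE encryption algorithm ID for AES-CBC.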