Router to Cisco VPN client VPN connection Version problem?

tkpsimon
Level 1

Hi,

I have a Cisco VPN client connection to a Cisco 2600. If I'm using client version 3.5.2, it works; once I upgrade to 3.6.4, I can't even finish the negotiation. Does it have something to do with the AES issue?

How can I get around this?

Simon


jfrahim
Level 5

Simon,

The VPN client should send AES in the IKE proposal along with 3DES and DES. The router should accept either a 3DES or a DES proposal eventually. Can you send debug cry isa and debug cry ip from the router?

Jazib

Hi

Thanks for your reply. Here is the debug message which I got from the router.

Any suggestions or hints would be appreciated.

04:51:04: ISAKMP (0:0): received packet from 67.194.152.99 (N) NEW SA

04:51:04: ISAKMP: local port 500, remote port 500

04:51:04: ISAKMP (0:2): (Re)Setting client xauth list user-test and state

04:51:04: ISAKMP: Locking CONFIG struct 0x82CC85C8 from crypto_ikmp_config_initialize_sa, count 2

04:51:04: ISAKMP (0:2): processing SA payload. message ID = 0

04:51:04: ISAKMP (0:2): processing ID payload. message ID = 0

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major

04:51:04: ISAKMP (0:2): vendor ID is XAUTH

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID is DPD

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major

04:51:04: ISAKMP (0:2): processing vendor id payload

04:51:04: ISAKMP (0:2): vendor ID is Unity

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy

04:51:04: ISAKMP: encryption... What? 7?

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP: attribute 14

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy

04:51:04: ISAKMP: encryption 3DES-CBC

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 10 against priority 3 policy

04:51:04: ISAKMP: encryption 3DES-CBC

04:51:04: ISAKMP: hash SHA

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 12 against priority 65535 policy

04:51:04: ISAKMP: encryption 3DES-CBC

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Encryption algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 13 against priority 65535 policy

04:51:04: ISAKMP: encryption DES-CBC

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth XAUTHInitPreShared

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Hash algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 3

04:51:04: ISAKMP (0:2): Checking ISAKMP transform 14 against priority 65535 policy

04:51:04: ISAKMP: encryption DES-CBC

04:51:04: ISAKMP: hash MD5

04:51:04: ISAKMP: default group 2

04:51:04: ISAKMP: auth pre-share

04:51:04: ISAKMP: life type in seconds

04:51:04: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

04:51:04: ISAKMP (0:2): Hash algorithm offered does not match policy!

04:51:04: ISAKMP (0:2): atts are not acceptable. Next payload is 0

04:51:04: ISAKMP (0:2): no offers accepted!

04:51:04: ISAKMP (0:2): phase 1 SA not acceptable!

04:51:04: ISAKMP (0:2): incrementing error counter on sa: construct_fail_ag_init

04:51:04: ISAKMP (0:2): Unknown Input: state = IKE_READY, major, minor = IKE_MESG_FROM_PEER, IKE_AM_EXCH

04:51:09: ISAKMP (0:2): received packet from 67.194.152.99 (R) AG_NO_STATE

04:51:09: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.

04:51:09: ISAKMP (0:2): retransmitting due to retransmit phase 1

04:51:09: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE...

04:51:10: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE...

04:51:10: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

04:51:10: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE

04:51:10: ISAKMP (0:2): sending packet to 67.194.152.99 (R) AG_NO_STATE

Hi there,

It does look like your router is not negotiating the ISAKMP policy. I don't know what the configured ISAKMP policy is on your router, but try to configure a policy similar to the one listed below and see what happens:

encr 3des

hash md5

group 2

auth pres

Jazib
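
The debug output in this thread can be condensed into one record per offered transform, showing which attribute the router rejected against which policy priority. The parser below is an added example, not part of the original posts; the function name `parse_offers` is hypothetical, the sample lines are condensed from the log above, and the ID-to-name table comes from the IANA IKEv1 registry (7 is AES-CBC, which is what the router prints as "What? 7?").

```python
import re

# IKEv1 encryption algorithm IDs (IANA registry); IOS prints "What? <id>?"
# for an ID its image does not know.
IKE_ENCR = {"1": "DES-CBC", "5": "3DES-CBC", "7": "AES-CBC"}

# Sample input condensed from the router debug output in this thread.
SAMPLE = """\
ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: attribute 14
ISAKMP (0:2): Encryption algorithm offered does not match policy!
ISAKMP (0:2): Checking ISAKMP transform 12 against priority 65535 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0:2): Encryption algorithm offered does not match policy!
ISAKMP (0:2): Checking ISAKMP transform 13 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP (0:2): Hash algorithm offered does not match policy!
"""

def parse_offers(log):
    """Return one dict per 'Checking ISAKMP transform' block with its reject reason."""
    offers, cur = [], None
    for line in log.splitlines():
        # Drop the leading "hh:mm:ss: " timestamp when present.
        line = re.sub(r"^\d\d:\d\d:\d\d: ", "", line.strip())
        if m := re.search(r"Checking ISAKMP transform (\d+) against priority (\d+)", line):
            cur = {"transform": int(m[1]), "priority": int(m[2]), "reject": None}
            offers.append(cur)
        elif cur is None:
            continue  # lines before the first transform (vendor IDs, etc.)
        elif m := re.search(r"encryption\.\.\. What\? (\d+)\?", line):
            cur["encryption"] = IKE_ENCR.get(m[1], f"unknown({m[1]})")
            cur["unrecognised"] = True  # the router could not name this algorithm
        elif m := re.match(r"ISAKMP: (encryption|hash|auth|default group) (\S+)", line):
            cur[m[1].replace("default ", "")] = m[2]
        elif m := re.search(r"(\w+) algorithm offered does not match policy", line):
            cur["reject"] = m[1].lower()
    return offers

if __name__ == "__main__":
    for offer in parse_offers(SAMPLE):
        print(offer)
```
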