09-07-2002 04:11 PM - edited 02-21-2020 12:02 PM
Not able to get phase 1 negotiations set up between VPN client 3.6 and 1710 VPN Server. Coming from a DSL connection that creates an NTS PPPoE Adapter with a public address.
Salient config:
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key xxxxx
 dns 192.168.1.4 x.x.x.x
 domain xxx.com
 pool vpnpool
!
!
crypto ipsec transform-set mdset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set mdset
!
!
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 crypto map clientmap
!
ip local pool vpnpool 192.168.1.200 192.168.1.250
Debug output (partial):
22:48:12: ISAKMP (0:0): received packet from 65.65.x.x (N) NEW SA
22:48:12: ISAKMP: local port 500, remote port 500
22:48:12: ISAKMP: Locking CONFIG struct 0x8170FA30 from crypto_ikmp_config_initialize_sa, count 2
22:48:12: ISAKMP (0:2): processing SA payload. message ID = 0
22:48:12: ISAKMP (0:2): processing ID payload. message ID = 0
22:48:12: ISAKMP (0:2): processing vendor id payload
22:48:12: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major
22:48:12: ISAKMP (0:2): vendor ID is XAUTH
22:48:12: ISAKMP (0:2): processing vendor id payload
22:48:12: ISAKMP (0:2): vendor ID is DPD
22:48:12: ISAKMP (0:2): processing vendor id payload
22:48:12: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major
22:48:12: ISAKMP (0:2): processing vendor id payload
22:48:12: ISAKMP (0:2): vendor ID seems Unity/DPD but bad major
22:48:12: ISAKMP (0:2): processing vendor id payload
22:48:12: ISAKMP (0:2): vendor ID is Unity
22:48:12: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
22:48:12: ISAKMP: encryption... What? 7?
22:48:12: ISAKMP: hash SHA
22:48:12: ISAKMP: default group 2
22:48:12: ISAKMP: auth XAUTHInitPreShared
22:48:12: ISAKMP: life type in seconds
22:48:12: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
22:48:12: ISAKMP: attribute 14
22:48:12: ISAKMP (0:2): Encryption algorithm offered does not match policy!
22:48:12: ISAKMP (0:2): atts are not acceptable. Next payload is 3
22:48:12: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
22:48:17: ISAKMP: encryption 3DES-CBC
22:48:17: ISAKMP: hash SHA
22:48:17: ISAKMP: default group 2
22:48:17: ISAKMP: auth pre-share
22:48:17: ISAKMP: life type in seconds
22:48:17: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
22:48:17: ISAKMP (0:3): Preshared authentication offered but does not match policy!
22:48:17: ISAKMP (0:3): atts are not acceptable. Next payload is 3
22:48:17: ISAKMP (0:3): Checking ISAKMP transform 16 against priority 3 policy
22:48:17: ISAKMP: encryption 3DES-CBC
22:48:17: ISAKMP: hash MD5
22:48:17: ISAKMP: default group 2
22:48:17: ISAKMP: auth pre-share
22:48:17: ISAKMP: life type in seconds
22:48:17: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
22:48:17: ISAKMP (0:3): Hash algorithm offered does not match policy!
22:48:17: ISAKMP (0:3): atts are not acceptable. Next payload is 3
22:48:17: ISAKMP (0:3): Checking ISAKMP transform 17 against priority 3 policy
22:48:17: ISAKMP (0:3): no offers accepted!
22:48:17: ISAKMP (0:3): phase 1 SA not acceptable!
22:48:17: ISAKMP (0:3): incrementing error counter on sa: construct_fail_ag_init
22:48:17: ISAKMP (0:3): Unknown Input: state = IKE_READY, major, minor = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Thanks,
09-11-2002 09:54 AM
Had to rebuild the config so the router would take the commands. Pretty flaky???
Some suggestions from TAC:
Put the config in this order: aaa commands, ISAKMP policy, ISAKMP client group, Crypto ipsec transform-set, Crypto dynamic maps, crypto client map, ip local pool, add pool to group, bypass NAT commands
Remove the crypto map client command from the interface to make changes and reapply.
Specify a pool of private addresses that are different than your internal LAN segment to avoid routing issues.
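Added example, not part of the original posts: a small Python parser that groups the `debug crypto isakmp` lines quoted in the first post by proposal and reports what each one offered and which attribute the router rejected. The function name, the regular expressions and the reading of the lifetime bytes as one big-endian integer are assumptions of this example.

```python
import re

# Excerpt of the debug output quoted in the first post (some lines omitted).
SAMPLE = """\
22:48:12: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
22:48:12: ISAKMP: encryption... What? 7?
22:48:12: ISAKMP: hash SHA
22:48:12: ISAKMP: auth XAUTHInitPreShared
22:48:12: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
22:48:12: ISAKMP (0:2): Encryption algorithm offered does not match policy!
22:48:12: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
22:48:17: ISAKMP: encryption 3DES-CBC
22:48:17: ISAKMP: hash SHA
22:48:17: ISAKMP: auth pre-share
22:48:17: ISAKMP (0:3): Preshared authentication offered but does not match policy!
22:48:17: ISAKMP (0:3): Checking ISAKMP transform 16 against priority 3 policy
22:48:17: ISAKMP: encryption 3DES-CBC
22:48:17: ISAKMP: hash MD5
22:48:17: ISAKMP: auth pre-share
22:48:17: ISAKMP (0:3): Hash algorithm offered does not match policy!
22:48:17: ISAKMP (0:3): no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\b[. ]*(.*)")
LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)")
REJECT = re.compile(r"ISAKMP \(\d+:\d+\): (.+ does not match policy!)")

def summarize(log):
    """Return one dict per proposal checked: offered attributes and reject reason."""
    proposals, cur = [], None
    for line in log.splitlines():
        if m := CHECK.search(line):
            cur = {"transform": int(m[1]), "policy": int(m[2]), "reason": None}
            proposals.append(cur)
        elif cur is None:
            continue  # ignore everything before the first proposal check
        elif m := ATTR.search(line):
            cur[m[1]] = m[2].strip()
        elif m := LIFE.search(line):
            # Assumption: the bytes are printed most-significant first.
            raw = bytes(int(b, 16) for b in m[1].split())
            cur["lifetime_s"] = int.from_bytes(raw, "big")
        elif m := REJECT.search(line):
            cur["reason"] = m[1]
    return proposals

if __name__ == "__main__":
    for p in summarize(SAMPLE):
        print(p)
```

Run against the full debug capture, the summary puts each rejected proposal next to the `crypto isakmp policy` priority it was compared with, which makes the mismatching attribute easy to spot.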