09-29-2010 03:58 AM
Hi guys,
I hope someone can help me with my issue:
Cisco IOS in use: advipservicesk9-mz.124-20.T
Router: Cisco 2851
I have a few site-to-site VPNs running in addition to the VPN client. All site-to-site VPNs have their own individual pre-shared keys, whereas the VPN client uses certificates.
I made a change for the site-to-site VPNs which includes the use of a generic pre-shared key (cry isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth) for all site-to-site tunnels instead of individual keys for each tunnel. After making the change, all site-to-site VPNs work perfectly fine, whereas the VPN client has stopped working. Following are the logs generated on the router (debug cry isakmp error):
129143: Sep 29 10:16:16.487 BST: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!
129144: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129145: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!
129146: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129147: Sep 29 10:16:16.487 BST: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
129148: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129149: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!
129150: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129151: Sep 29 10:16:16.487 BST: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!
129152: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3
129153: Sep 29 10:16:16.487 BST: ISAKMP:(0):Hash algorithm offered does not match policy!
129154: Sep 29 10:16:16.487 BST: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x700C
129155: Sep 29 10:16:17.207 BST: ISAKMP:(1249):No IP address pool defined for ISAKMP!
129156: Sep 29 10:16:17.207 BST: ISAKMP:(1249):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer X.X.X.X)
129157: Sep 29 10:16:17.207 BST: ISAKMP (0/1249): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)
129158: Sep 29 10:16:17.207 BST: ISAKMP (0/1249): Unknown Attr: MODECFG_HOSTNAME (0x700A)
129159: Sep 29 10:16:17.215 BST: ISAKMP:(1249):deleting SA reason "Fail to allocate ip address" state (R) MM_NO_STATE (peer X.X.X.X)
129162: Sep 29 10:16:32.295 BST: ISAKMP(0:1250): Unable to get our DN from cert, using my FQDN as identity
129163: Sep 29 10:16:32.475 BST: ISAKMP(0:1251): Unable to get our DN from cert, using my FQDN as identity
129164: Sep 29 10:16:48.451 BST: ISAKMP(0:1252): Unable to get our DN from cert, using my FQDN as identity
129169: Sep 29 10:16:58.283 BST: ISAKMP(0:1253): Unable to get our DN from cert, using my FQDN as identity
129170: Sep 29 10:17:01.047 BST: ISAKMP(0:1254): Unable to get our DN from cert, using my FQDN as identity
129174: Sep 29 10:17:05.843 BST: ISAKMP(0:1255): Unable to get our DN from cert, using my FQDN as identity
Removing the generic pre-shared key makes VPN client work again. Any help in this matter will be very helpful. Many thanks in advance.
09-29-2010 04:39 AM
Yes, when you use "cry isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth" with the no-xauth keyword, that breaks the remote access vpn client. While you need that for a lan-to-lan vpn tunnel, you can't have that for the vpn client.
There are 2 options:
1) Configure "cry isa key" individually for the lan-to-lan vpn tunnel
2) Or alternatively, you can configure isakmp profile for lan-to-lan and a separate profile for vpn client. Here is a sample configuration for your reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
Hope that helps.
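Added example (not from this thread or the linked Cisco document) of the second option: the wildcard pre-shared key is moved into a keyring bound to a lan-to-lan ISAKMP profile, and the certificate-based remote-access client gets its own profile, so Xauth is only requested from peers that hit the remote-access profile and the global "no-xauth" key is no longer needed. All names (L2L-KEYS, L2L-PROFILE, RA-PROFILE, RA-TRUSTPOINT, RA-GROUP, the AAA list names, ESP-3DES-SHA, L2L-ACL) and the peer address are placeholders; the remote-access group, address pool and AAA lists are assumed to exist already.

```cisco
! Keyring replaces the global "crypto isakmp key ... 0.0.0.0 0.0.0.0 no-xauth" line.
! <SHARED-KEY> is a placeholder.
crypto keyring L2L-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key <SHARED-KEY>
!
! Lan-to-lan profile: pre-shared key only. No "client authentication list" here,
! so Xauth is never requested from these peers (the job "no-xauth" used to do).
! Remote-access clients identify themselves by certificate/group, not by
! address, so they do not land in this profile.
crypto isakmp profile L2L-PROFILE
 keyring L2L-KEYS
 match identity address 0.0.0.0 0.0.0.0
!
! Remote-access profile: certificate trustpoint, Xauth and mode-config
! (address assignment) are enabled only here.
crypto isakmp profile RA-PROFILE
 ca trust-point RA-TRUSTPOINT
 match identity group RA-GROUP
 client authentication list vpn-users
 isakmp authorization list vpn-groups
 client configuration address respond
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic map for the remote-access clients, tied to the RA profile.
crypto dynamic-map RA-DYNMAP 10
 set transform-set ESP-3DES-SHA
 set isakmp-profile RA-PROFILE
 reverse-route
!
! Static entry per lan-to-lan peer, tied to the L2L profile (198.51.100.1 is
! a documentation address used as a placeholder).
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 set isakmp-profile L2L-PROFILE
 match address L2L-ACL
crypto map VPN-MAP 65535 ipsec-isakmp dynamic RA-DYNMAP
```

Note that a single wildcard key still lets every lan-to-lan peer that knows it authenticate as any other peer, so per-peer keys (option 1) remain the stronger choice if the number of tunnels is manageable.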
10-03-2010 02:06 PM
Thanks Jennifer. That solved the problem.