VPN client to Cisco 2811 - Issues with Phase 1 authentication

tim.giles
Level 4

Hi all,

I'm after some help with a VPN configuration I've been trying to set up on a demo lab. I did have this working originally but am still trying to work out how it broke. The messages I am now seeing when trying to authenticate from a Cisco VPN client are:
xxx-DEMOLAB-2811(cfg-crypto-trans)#
5w6d: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
5w6d: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
5w6d: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
5w6d: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
5w6d: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
5w6d: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
5w6d: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
5w6d: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
xxx-DEMOLAB-2811(cfg-crypto-trans)#
5w6d: ISAKMP:(0:4:SW:1):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 146.199.xxx.xxx)
5w6d: ISAKMP:(0:4:SW:1):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 146.199.xxx.xxx)
xxx-DEMOLAB-2811(cfg-crypto-trans)#
5w6d: ISAKMP:(0:5:SW:1):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 146.199.xxx.xxx)
5w6d: ISAKMP:(0:5:SW:1):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 146.199.xxx.xxx)
I've tried a few things to try and resolve this with no luck.

I've attached the full config from the router and would really appreciate some advice. I'm completely new to security, setting up VPNs etc., so please don't be too harsh if you see something simple I've missed. I've basically been following this guide, which seemed to work initially:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/809-cisco-router-vpn-client.html
The circuit is provided by BT ADSL. We have a range of static IPs, but the Dialer0 interface IP is assigned dynamically by the ISP; I am using this as the host IP on the Cisco VPN client (v5.0.07.0440). I've attached logs from the client side also.
Many thanks,

Tim

1 Reply

Mark Malone
VIP Alumni

Wrong encryption/authentication on one side causing a mismatch. The local side is using 3DES and MD5; what's the client using? It looks like SHA from your link, if that's its default. Check the Tunnel Details tab on the VPN client.

https://supportforums.cisco.com/document/11751/ios-router-other-vpn-gateway-encryption-algorithm-offered-does-not-match-policy

Core issue

On the router, the following debug messages are displayed during the phase 1 negotiation.

Encryption algorithm offered does not match policy

atts are not acceptable

Resolution

The above errors mean that the remote VPN gateway is not configured with the correct encryption algorithm (DES/3DES), so it does not match the policy.

To fix the problem, configure the Internet Security Association and Key Management Protocol (ISAKMP) policies on both end points with the same parameters.

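The policy selection the reply describes, as an added example that is not part of the original thread or of Cisco's own code: a small Python script that parses `crypto isakmp policy` stanzas from an IOS configuration, fills in the IOS defaults for attributes a stanza omits (encr des, hash sha, authentication rsa-sig, group 1), and walks the policies in priority order against the transforms a client offers in its first aggressive-mode packet, the way a responder does, reporting the first attribute that rules out each pairing. The router config, the client proposal list and the helper names are all constructed for illustration (the OP's attached config and client log are not on the page); the real proposal list comes from the client's own log, and the matching order is a simplification of what IOS does internally.

```python
import re

# Router config, constructed for this example: one policy using 3DES/MD5,
# which is what the reply says the local side is running.
ROUTER_CONFIG_MD5 = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""

# The same router with a second policy added that offers SHA; policy 10 is
# kept for any peer that still wants MD5.
ROUTER_CONFIG_FIXED = ROUTER_CONFIG_MD5 + """\
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
"""

# Transforms offered by the client, constructed for the example (a client that
# only proposes SHA). Replace with the list from the client's log.
CLIENT_PROPOSALS = [
    {"encr": "aes 256", "hash": "sha", "authentication": "pre-share", "group": "2"},
    {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"},
]

# Values IOS applies when a policy stanza leaves the attribute out.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ATTRS = ("encr", "hash", "authentication", "group")


def parse_isakmp_policies(config):
    """Return the ISAKMP policies in `config`, lowest priority number first."""
    policies = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = {"priority": int(m.group(1)), **IOS_DEFAULTS}
            policies.append(current)
            continue
        if current is None or not raw.startswith(" "):
            current = None  # an unindented line ends the stanza
            continue
        key, _, value = line.partition(" ")
        if key == "encryption":  # long form of the same keyword
            key = "encr"
        if key in ATTRS:
            current[key] = value.strip()
    return sorted(policies, key=lambda p: p["priority"])


def select_policy(policies, proposals):
    """Responder view of phase 1: accept the first policy (by priority) that an
    offered transform matches on every attribute. Returns (policy, proposal) on
    success, or (None, rejections) where each rejection names the policy
    priority, the offered encr/hash pair and the first attribute that differed.
    A differing 'encr' is the case the router logs as
    'Encryption algorithm offered does not match policy!'."""
    rejections = []
    for policy in policies:
        for proposal in proposals:
            mismatch = [a for a in ATTRS if policy[a] != proposal[a]]
            if not mismatch:
                return policy, proposal
            rejections.append((policy["priority"], proposal["encr"], proposal["hash"], mismatch[0]))
    return None, rejections


if __name__ == "__main__":
    for label, cfg in (("md5 only", ROUTER_CONFIG_MD5), ("sha added", ROUTER_CONFIG_FIXED)):
        policy, detail = select_policy(parse_isakmp_policies(cfg), CLIENT_PROPOSALS)
        if policy is None:
            print(f"{label}: no acceptable attributes; rejections={detail}")
        else:
            print(f"{label}: policy {policy['priority']} matched {detail}")
```

On the router itself the equivalent check is `show crypto isakmp policy` (which also lists the default policies IOS adds) against the client's proposal list; once the two share an encryption, hash, authentication method and DH group, the "atts are not acceptable" lines stop and the debug moves past AG_INIT_EXCH.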