247 Views | 0 Helpful | 2 Replies

VPN software client to 837 problem

rkazmierczak
Level 1

Hello,

I am trying to configure remote access VPN with an 837 and the Cisco software client. Here is the relevant part of my config:

aaa new-model
!
! Xauth (user login) and group authorization for the software client, both local
aaa authentication login remote_access local
aaa authorization network remote_auth local
!
aaa session-id common
!
username xxx password 7 xxxxxx
!
! IKE phase 1 policies; the Cisco VPN client needs pre-share and DH group 2
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! pre-shared key for the site-to-site peer (no Xauth on the LAN-to-LAN tunnel)
crypto isakmp key zzzz address xxx.yyy.zzz no-xauth
!
! group profile pushed to remote-access clients: group key, DNS, domain, address pool, split tunnel
crypto isakmp client configuration group vpn_remote
 key xxx
 dns xxx.yyy.zzz
 domain xxx
 pool vpn_pool
 acl split_acl
!
crypto ipsec transform-set vpn_set esp-3des esp-sha-hmac
!
! dynamic map for clients whose source address is not known in advance
crypto dynamic-map vpn_dynamic 20
 set transform-set vpn_set
!
crypto map vpn_map client authentication list remote_access
crypto map vpn_map isakmp authorization list remote_auth
crypto map vpn_map client configuration address respond
! static entry: site-to-site tunnel
crypto map vpn_map 10 ipsec-isakmp
 set peer xxx.yyy.zzz
 set transform-set vpn_set
 set pfs group5
 match address crypto_acl
! dynamic entry: remote-access clients
crypto map vpn_map 20 ipsec-isakmp dynamic vpn_dynamic
!
ip local pool vpn_pool 172.16.1.1 172.16.1.254
...
! traffic to the remote site and to the client pool must bypass NAT
ip access-list extended nonat
 deny ip 192.168.yyy.0 0.0.0.255 193.37.xxx.0 0.0.0.255
 deny ip 192.168.yyy.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.yyy.0 0.0.0.255 any
! split-tunnel list pushed to the clients: only LAN <-> pool traffic goes through the tunnel
ip access-list extended split_acl
 permit ip 192.168.yyy.0 0.0.0.255 172.16.1.0 0.0.0.255

When I try to connect from the VPN client to the router I get the following error:

Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar 2 00:39:34.203: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar 2 00:39:34.207: ISAKMP:(0:0:N/A:0):Encryption algorithm offered

What can the problem be? The config seems OK. The site-to-site tunnel is working and I have successfully configured many VPN clients on the PIX. I have tried changing the policy parameters but it did not help. I even installed the newest version of the VPN client (IOS 14.4(5a)). Any ideas? Has anyone had a similar problem?

2 Replies

spremkumar
Level 9

Hi

Can you confirm whether you are trying to apply this on a subinterface, or on an interface configured with a secondary IP address?

Regards

Hello,

Thank you very much for your response. I mentioned in the post that I had provided the relevant part of the configuration, but that was not true: I omitted the firewall/access-list configuration, which turned out to be the problem.

I enabled ESP and ISAKMP from any to the interface but could not connect. Then I disabled IPsec over UDP and could connect, but could not access the LAN. I kept getting these wrong-encryption messages, which really distracted me.

I then opened UDP 4500 and enabled IPsec over UDP again, and it worked! But I also tested that the ESP and ISAKMP ports must be opened as well, at least ESP, as, as far as I know, the UDP encapsulates only ISAKMP messages.

I hope this might be helpful to others.

Thanks again.

Rafal
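The fix Rafal describes, written out as an IOS inbound access-list fragment. This is an added example, not configuration from the original thread: the Internet-facing interface (Dialer0), its address (203.0.113.1) and the ACL name outside_in are assumed for illustration, and the entries only cover what the thread establishes is needed for the remote-access and site-to-site tunnels to reach the router itself.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: the outside interface is Dialer0 with address 203.0.113.1 and
! the inbound ACL outside_in is applied to it (names and address made up here).
ip access-list extended outside_in
 remark IKE / ISAKMP negotiation (UDP 500); needed for phase 1 with any peer
 permit udp any host 203.0.113.1 eq isakmp
 remark NAT-T, what the Cisco VPN client calls "IPsec over UDP" (UDP 4500)
 permit udp any host 203.0.113.1 eq non500-isakmp
 remark ESP (IP protocol 50) for the site-to-site peer and for clients
 remark that are not behind NAT; without it phase 1 completes but no
 remark data flows, which is the "connected but no LAN access" symptom
 permit esp any host 203.0.113.1
 remark explicit deny so dropped packets show up in the log and hit counters
 deny ip any any log
!
interface Dialer0
 ip access-group outside_in in
 crypto map vpn_map
```

After a connection attempt, `show ip access-lists outside_in` shows per-entry match counters, so it is immediately visible whether the ISAKMP, NAT-T or ESP line is the one being hit or whether packets are landing on the final deny. `show crypto isakmp sa` should then list the client's SA in QM_IDLE and `show crypto ipsec sa` should show both encaps and decaps counters increasing. The ISAKMP "Encryption algorithm offered does not match policy!" lines in the original post are emitted while the router steps through each of the client's proposals against each policy, so they appear even when a later proposal is accepted; the ACL counters are the more reliable indicator of where the traffic is being dropped.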