12-01-2004 02:17 AM
Hi,
I have a PIX 515E, IOS 6.3(4) VPN client 4.0.x
3DES enabled.
With pre-sharekey there is no problem, but not with certificate.
When trying to connect the pix reject all IKE proposal.
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption aes
isakmp policy 8 hash sha
isakmp policy 8 group 5
isakmp policy 8 lifetime 1000
crypto ipsec transform-set myset esp-aes esp-sha-hmac
I have tried others but the same log
this is the ISAKMP LOG :
-----------------------------------------------------
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0
VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1
crypto_isakmp_process_block:src:193.95.55.147, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1
ISAKMP: larval sa found
crypto_isakmp_process_block:src:193.95.55.147, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1
ISAKMP: larval sa found
------------------------------------------------------
12-01-2004 04:02 AM
Take a look at:
This suggests a transform set of
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
and a policy with
isakmp policy 10 encryption aes-256
12-01-2004 05:55 AM
Hello,
Thanks a lot for you response.
I have replaced the transformSet and policy as needed and below the log :
The line :
ISAKMP (0): Proposed key length does not match policy
has desapeared.
-------------------------------------------------
pixnouvelair#
crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1
ISAKMP: larval sa found
crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1
ISAKMP: larval sa found
crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1
ISAKMP: larval sa found
-----------------------------------------------------
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide