
What config should I select?

e-mourad
Level 1

Hi,

I have a PIX 515E, IOS 6.3(4) VPN client 4.0.x

3DES enabled.

With a pre-shared key there is no problem, but not with a certificate.

When trying to connect, the PIX rejects all IKE proposals.

isakmp policy 8 authentication rsa-sig

isakmp policy 8 encryption aes

isakmp policy 8 hash sha

isakmp policy 8 group 5

isakmp policy 8 lifetime 1000

crypto ipsec transform-set myset esp-aes esp-sha-hmac

I have tried others, but I get the same log.

This is the ISAKMP log:

-----------------------------------------------------

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0

VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1

crypto_isakmp_process_block:src:193.95.55.147, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1

ISAKMP: larval sa found

crypto_isakmp_process_block:src:193.95.55.147, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1

ISAKMP: larval sa found

------------------------------------------------------

2 Replies

matthew.long
Level 1

Take a look at:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

This suggests a transform set of

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

and a policy with

isakmp policy 10 encryption aes-256

Hello,

Thanks a lot for your response.

I have replaced the transform set and policy as needed, and the log is below:

The line:

ISAKMP (0): Proposed key length does not match policy

has disappeared.

-------------------------------------------------

pixnouvelair#

crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1

ISAKMP: larval sa found

crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1

ISAKMP: larval sa found

crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1

ISAKMP: larval sa found

-----------------------------------------------------

Thanks
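
To see which attributes of each client proposal differ from the configured policy, the debug output can be split per transform and compared field by field. This is an added example, not part of any post in this thread: `parse_transforms`, `diff_policy` and the sample lines are constructed, it assumes `encryption aes` means a 128-bit key, and it is a plain field comparison rather than the PIX's own matching logic (the lifetime is decoded but not compared).

```python
import re
# Constructed sample in the debug format quoted in the thread (not a capture).
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
"""
# Policy 8 from the first post; assumption: "encryption aes" is AES-128.
POLICY_8 = {"encryption": "AES-CBC", "keylength": 128, "hash": "SHA",
            "group": 5, "auth": "auth RSA sig"}
FIELDS = {  # attribute -> (line pattern, converter)
    "encryption": (r"ISAKMP:\s+encryption (\S+)", str),
    "hash": (r"ISAKMP:\s+hash (\S+)", str),
    "group": (r"ISAKMP:\s+default group (\d+)", int),
    "auth": (r"ISAKMP:\s+((?:extended )?auth .+)", str),
    "keylength": (r"ISAKMP:\s+keylength of (\d+)", int),
    "lifetime": (r"ISAKMP:\s+life duration \(VPI\) of ((?:0x[0-9a-fA-F]+ ?)+)",
                 lambda s: int.from_bytes(bytes(int(b, 16) for b in s.split()), "big")),
}

def parse_transforms(text):
    out = []  # one dict per "Checking ISAKMP transform N" block
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line)
        if m:
            out.append({"transform": int(m[1]), "verdicts": []})
        elif out and line.startswith("ISAKMP ("):   # the device's own verdict lines
            out[-1]["verdicts"].append(line.split(": ", 1)[1])
        elif out:
            for name, (rx, conv) in FIELDS.items():
                if m := re.match(rx, line):
                    out[-1][name] = conv(m[1])
    return out

def diff_policy(t, policy):
    # attribute -> (proposed, configured) for every field that differs
    return {k: (t.get(k), v) for k, v in policy.items() if t.get(k) != v}
```

Run over the thread's first log, this shows the 256-bit key length as the only field that differs from policy 8 for the SHA, group 5, RSA-signature transform; the VPI bytes `0x0 0x20 0xc4 0x9b` decode to 2147483 seconds.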