12-01-2004 02:17 AM
Hi,
I have a PIX 515E, IOS 6.3(4) VPN client 4.0.x
3DES enabled.
With a pre-shared key there is no problem, but not with a certificate.
When trying to connect, the PIX rejects all IKE proposals.
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption aes
isakmp policy 8 hash sha
isakmp policy 8 group 5
isakmp policy 8 lifetime 1000
crypto ipsec transform-set myset esp-aes esp-sha-hmac
I have tried others but get the same log.
This is the ISAKMP log:
-----------------------------------------------------
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0
VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1
crypto_isakmp_process_block:src:193.95.55.147, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1
ISAKMP: larval sa found
crypto_isakmp_process_block:src:193.95.55.147, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1
ISAKMP: larval sa found
------------------------------------------------------
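The debug output above, replayed as an added example (this is not code from the post and not a Cisco tool): a small Python script that parses the "Checking ISAKMP transform N" blocks from the log, compares each transform with the posted isakmp policy the way an IKEv1 responder does (encryption, key length, hash, DH group and authentication method must all match; only the lifetime may differ, and the responder takes the shorter value), and reports which attributes fail. On the PIX, "encryption aes" means AES-128, while the client offers "keylength of 256", which is what the "Proposed key length does not match policy" line says; the group-2 transforms also fail on the DH group. The embedded log is a constructed subset of the lines in the post (transforms 3 and 7), the keyword tables and the treatment of an XAUTH-flagged method as matching the plain method are assumptions, and FIXED_POLICY is an illustrative change (policy 8 with aes-256) to show transform 3 then matches, not the poster's final configuration.

```python
"""Replay IKEv1 phase-1 proposal matching over a PIX 'debug crypto isakmp' log (added example, not Cisco code)."""
import re
# Constructed subset of the debug lines shown in the post (transforms 3 and 7).
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
"""
# The poster's policy, and (illustrative, not the poster's fix) the same policy with the one change that admits AES-256.
PIX_POLICY = """\
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption aes
isakmp policy 8 hash sha
isakmp policy 8 group 5
isakmp policy 8 lifetime 1000
"""
FIXED_POLICY = PIX_POLICY.replace("encryption aes\n", "encryption aes-256\n")
# CLI keyword -> what the debug prints. Assumption: plain 'aes' is AES-128 (None = cipher has a single key size).
ENCRYPTION = {"3des": ("3DES-CBC", None), "aes": ("AES-CBC", 128), "aes-192": ("AES-CBC", 192), "aes-256": ("AES-CBC", 256)}
HASH, AUTH = {"sha": "SHA", "md5": "MD5"}, {"rsa-sig": "RSA sig", "pre-share": "pre-share"}
# Debug line prefix -> (attribute name, converter). Lifetime is printed as big-endian bytes, one 0x.. token each.
ATTRS = {"encryption ": ("encryption", str), "hash ": ("hash", str), "default group ": ("group", int),
         "auth ": ("auth", str), "keylength of ": ("keylength", int),
         "extended auth ": ("auth", lambda s: s.split(" (")[0]),   # 'extended auth RSA sig (init)' -> 'RSA sig'
         "life duration (VPI) of ": ("lifetime", lambda s: int("".join(t[2:].zfill(2) for t in s.split()), 16))}


def parse_policies(config):
    """'isakmp policy <prio> <attr> <value>' lines -> {prio: {attr: value}}."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
        policies.setdefault(prio, {})[attr] = int(value) if attr in ("group", "lifetime") else value
    return policies


def parse_transforms(debug):
    """Group the 'ISAKMP:' attribute lines under the 'Checking ISAKMP transform N' line that precedes them."""
    transforms, cur = [], None
    for line in debug.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) ", line)
        if m:
            cur = {"id": int(m.group(1)), "keylength": None, "xauth": False}
            transforms.append(cur)
        elif cur is not None and line.startswith("ISAKMP: "):
            body = line[8:]
            for prefix, (key, conv) in ATTRS.items():
                if body.startswith(prefix):
                    cur[key] = conv(body[len(prefix):])
                    cur["xauth"] |= prefix.startswith("extended")
                    break
    return transforms


def mismatches(transform, policy):
    """Attributes of `transform` that `policy` rejects, in a fixed order; [] means 'atts are acceptable'."""
    cipher, bits = ENCRYPTION[policy["encryption"]]
    checks = [("encryption", transform["encryption"], cipher),
              ("hash", transform["hash"], HASH[policy["hash"]]),
              ("group", transform["group"], policy["group"]),
              # Assumption: an XAUTH-flagged method is accepted by the policy naming the plain method.
              ("auth", transform["auth"], AUTH[policy["authentication"]])]
    if transform["encryption"] == cipher and bits is not None:   # key length only matters once the cipher matches
        checks.insert(1, ("keylength", transform["keylength"], bits))
    return [f"{name} {got} != {want}" for name, got, want in checks if got != want]


def negotiated_lifetime(transform, policy):
    """Lifetime never rejects a transform: the responder accepts a longer offer and uses its own shorter value."""
    return min(transform["lifetime"], policy["lifetime"])


def first_match(transforms, policies):
    """Responder order: each offered transform against every policy by ascending priority; (id, priority) or None."""
    for t in transforms:
        for prio in sorted(policies):
            if not mismatches(t, policies[prio]):
                return t["id"], prio
    return None


if __name__ == "__main__":
    transforms = parse_transforms(PIX_DEBUG)
    for label, cfg in (("posted policy", PIX_POLICY), ("policy 8 with aes-256", FIXED_POLICY)):
        policies = parse_policies(cfg)
        for t in transforms:
            for prio, pol in policies.items():
                print(f"[{label}] transform {t['id']} vs policy {prio}:",
                      mismatches(t, pol) or f"ok, lifetime {negotiated_lifetime(t, pol)}")
        print(f"[{label}] first acceptable (transform, priority): {first_match(transforms, policies)}")
```

Run against the posted policy, every transform fails on the key length (and transform 7 also on the DH group), so first_match returns None, which is the "atts are not acceptable" loop in the log; with policy 8 changed to aes-256, transform 3 is accepted at priority 8 and the lifetime is negotiated down from the client's 2147483 seconds to the policy's 1000. Adding a second policy at a different priority instead of editing policy 8 works the same way, since the responder walks policies by ascending priority.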
12-08-2004 06:42 AM
This could be an MTU issue.
12-08-2004 08:48 AM
Hi,
Thanks, I have resolved this problem, using a Windows 2003 CA server instead of Windows 2000.
12-08-2004 08:09 AM
When you use a shared key, the IKE key length is negotiable. When you use a certificate, the key length is inside the cert and must match the policy on the PIX. You have "isakmp policy 8 encryption aes"; this is 128 bit. You can also use aes-192 or aes-256; it should match the key length of your cert.
12-08-2004 11:39 PM
Hello,
What I know is that the key in the cert is the public key: its length is 1024, and the AES key is stored on the PIX.