Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
670
Views
0
Helpful
4
Replies

What config should i select ?

e-mourad
Level 1
Level 1

‎12-01-2004 02:17 AM

Hi,

I have a PIX 515E, IOS 6.3(4) VPN client 4.0.x

3DES enabled.

With pre-sharekey there is no problem, but not with certificate.

When trying to connect the pix reject all IKE proposal.

isakmp policy 8 authentication rsa-sig

isakmp policy 8 encryption aes

isakmp policy 8 hash sha

isakmp policy 8 group 5

isakmp policy 8 lifetime 1000

crypto ipsec transform-set myset esp-aes esp-sha-hmac

I have tried others but the same log

this is the ISAKMP LOG :

-----------------------------------------------------

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0

VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1

crypto_isakmp_process_block:src:193.95.55.147, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1

ISAKMP: larval sa found

crypto_isakmp_process_block:src:193.95.55.147, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.147/500 not found - peers:1

ISAKMP: larval sa found

------------------------------------------------------

Labels:
0 Helpful
4 Replies 4

umedryk
Level 5
Level 5

‎12-08-2004 06:42 AM

This could be an MTU issue.

0 Helpful

e-mourad
Level 1
Level 1
In response to umedryk

‎12-08-2004 08:48 AM

Hi,

Thanks, i have resolved this problem. Using windows 2003 ca server instead of windows 2000.

0 Helpful

jboyer
Level 1
Level 1

‎12-08-2004 08:09 AM

When you use a shared key, the ike key length is negotiable. When you use a certificate the key length is inside the cert and must match the policy on the pix. You have "isakmp policy 8 encryption aes" this is 128 bit. you can also use aes-192 or aes-256, it should match the key length of your cert.

0 Helpful

e-mourad
Level 1
Level 1
In response to jboyer

‎12-08-2004 11:39 PM

Hello,

What i know, the key on the cert is the public key : the length is 1024 and the aes key is stored on the pix.

0 Helpful
Customers Also Viewed These Support Documents