Now I wanted to do something more complicated and I wanted to configure
an IPSec VPN using Cisco VPN client to connect to my c2621,
but it does not work and I fail to configure it.
The situation is this: my router has a public IP
131.x.a.b
and when I am connected in VPN the public IP 131.z.a.c
is assigned to me and this works with vpdn PPTP.
How to do it with IPSEC?
This is really not very well documented around and here I report
the configuration which apparently does not work.
Could someone give me a solution to a good configuration for
an IPSec VPN using Cisco VPN client to connect to my router?
Here is the router config:
!
! Last configuration change at 08:30:48 CEST Fri Apr 11 2008 by root
! NVRAM config last updated at 08:30:57 CEST Fri Apr 11 2008 by root
!
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable password 7 104D4252130411
!
clock timezone CEST 1
clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnuser local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name cnaf.infn.it
ip name-server 131.x.y.z
!
ip audit po max-events 100
vpdn enable
!
vpdn-group pptpcnaf
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username root password 7 0115020557040206
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnuser
key xxxxxxx
dns 131.x.y.z
domain cnaf.infn.it
pool internalpool
!
!
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
!
crypto dynamic-map default-map 13
set transform-set default-set
!
!
crypto map mobile-map client authentication list vpnuser
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 131.x.a.b 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool internalpool
ppp encrypt mppe 128 required
ppp authentication ms-chap ms-chap-v2
!
ip local pool internalpool 131.x.a.c
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 131.x.a.z
!
!
!
snmp-server community public RO
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 5 15
!
end
And here is the DEBUG output:
1d12h: ISAKMP (0:0): received packet from 131.x.y.h dport 500 sport 500 Global (N) NEW SA
1d12h: ISAKMP: Locking peer struct 0x82FEEBB4, IKE refcount 2 for Responding to new initiation
1d12h: ISAKMP: local port 500, remote port 500
1d12h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8313D0D8
1d12h: ISAKMP (0:2): processing SA payload. message ID = 0
1d12h: ISAKMP (0:2): processing ID payload. message ID = 0
1d12h: ISAKMP (0:2): ID payload
next-payload : 13
type : 11
group id : vpnuser
protocol : 17
port : 500
length : 15
1d12h: ISAKMP (0:2): peer matches *none* of the profiles
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
1d12h: ISAKMP (0:2): vendor ID is XAUTH
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is DPD
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is Unity
1d12h: ISAKMP : Scanning profiles for xauth ...
1d12h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
and keeps logging that no ISAKMP transform matches policy encryption...
Any hints or suggestions?
thanks
RJ45
There are plenty of configuration examples on the Cisco web site that
would have helped you get farther with this task.
> Could someone give me a solution to a good configuration for
> a IPSec VPN using Cisco VPN client to connect to my router ?
>
> here is the router config:
>
>
> !
> ! Last configuration change at 08:30:48 CEST Fri Apr 11 2008 by root
> ! NVRAM config last updated at 08:30:57 CEST Fri Apr 11 2008 by root
> !
> version 12.3
> no parser cache
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname r1
> !
> boot-start-marker
> boot-end-marker
> !
> enable password 7 104D4252130411
Don't include passwords in your post. Type 7 passwords are easily
decrypted with readily available utilities. Takes less than 1 sec. Most
of us can tell you what your password is, if you need proof. Use the
"enable secret" command instead of "enable password". The result is a
type 5 password that is not so easily decrypted. Don't include those in
your post either.
> !
> clock timezone CEST 1
> clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication login vpnuser local
aaa authorization network vpnuser local
crypto isakmp client configuration address-pool local internalpool
> crypto isakmp client configuration group vpnuser
> key xxxxxxx
> dns 131.x.y.z
> domain cnaf.infn.it
> pool internalpool
> !
> !
> crypto ipsec transform-set default-set esp-3des esp-sha-hmac
> !
> crypto dynamic-map default-map 13
> set transform-set default-set
reverse-route
> !
> !
> crypto map mobile-map client authentication list vpnuser
crypto map mobile-map isakmp authorization list vpnuser
> crypto map mobile-map client configuration address respond
> crypto map mobile-map 13 ipsec-isakmp dynamic default-map
> !
> !
> !
> !
> interface Loopback0
> no ip address
> !
> interface FastEthernet0/0
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet0/1
> ip address 131.x.a.b 255.255.255.0
> duplex auto
> speed auto
crypto map mobile-map
Assuming FastEthernet0/1 is the interface that will terminate the
inbound IPSec tunnels.
I've listed what stands out the most, and excluded optional
configuration commands. Other posters may find additional requirements
I've overlooked.
Presumably your interface ACLs have been set up appropriately for ESP,
ISAKMP, and potentially non500-ISAKMP.
Best Regards,
News Reader
Use the "username secret" command instead of the "username password"
command. See my prior note on the level of encryption, and the ease with
which Type 7 passwords are decrypted.
Consider setting up a specific VPN username in the aaa local database,
instead of a generic root user, particularly if that root password is
used elsewhere in the organization.
username <desire-vpn-username> secret <secret-password>
You may also want to specify a privilege level (the lower the better) for
that user, in case they try logging into the router.
--
Best Regards,
News Reader
4d19h: ISAKMP (0:0): received packet from 131.154.3.242 dport 500 sport 500 Global (N) NEW SA
4d19h: ISAKMP: Locking peer struct 0x82FEEB8C, IKE refcount 2 for Responding to new initiation
4d19h: ISAKMP: local port 500, remote port 500
4d19h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8314B168
4d19h: ISAKMP (0:2): processing SA payload. message ID = 0
4d19h: ISAKMP (0:2): processing ID payload. message ID = 0
4d19h: ISAKMP (0:2): ID payload
next-payload : 13
type : 11
group id : vpnuser
protocol : 17
port : 500
length : 15
4d19h: ISAKMP (0:2): peer matches *none* of the profiles
4d19h: ISAKMP (0:2): processing vendor id payload
4d19h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
4d19h: ISAKMP (0:2): vendor ID is XAUTH
4d19h: ISAKMP (0:2): processing vendor id payload
4d19h: ISAKMP (0:2): vendor ID is DPD
4d19h: ISAKMP (0:2): processing vendor id payload
4d19h: ISAKMP (0:2): vendor ID is Unity
4d19h: ISAKMP : Scanning profiles for xauth ...
4d19h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3
policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3
policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash MD5
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3
policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth pre-share
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3
policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash MD5
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth pre-share
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3
policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3
policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash MD5
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3
policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth pre-share
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3
policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash MD5
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth pre-share
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3
policy
4d19h: ISAKMP: encryption 3DES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP (0:2): Xauth authentication by pre-shared key offered but
does not
match policy!
Configuring Cisco VPN Client and Cisco IOS Easy VPN Server
Configuring Cisco VPN Client and Easy VPN Server with Xauth
Configuring Cisco VPN Client and Easy VPN Server with Xauth and Split
Tunneling
They might be a couple years old, but they should help.
Best Regards,
News Reader
> I wrote to the newsgroup because I could not find on the cisco
> site any help about setting up an end user VPN.
...
> and not with normal router hardware and IOS.
I've seen some examples for PPTP endpoint but most of the IPsec info I've
come across for IOS is either site-to-site or passthrough. I think it
might depend on the feature set you've got, too, which is not always easy
to figure out even with assistance from their online tools. Here's that
PPTP example I found if it helps at all: http://preview.tinyurl.com/5dgrx
-Gary
Define a pool that is not used on the internal network. You want the
router to use the reverse-route injected into its routing table and go
back out the interface to which the remote client is connecting.
Notice that the VPN Client is proposing policies (transform 1, 2, etc.)
that are being compared to your ISAKMP priority 3 policy (configured on
the router), and not finding a match that they can agree on.
I didn't mention this sooner because your ISAKMP policy seemed
reasonable (encr 3des, authentication pre-share, group 2).
Presumably, you have only shown us a partial debug. You would want to
verify whether the VPN Client is actually proposing policy that is an
exact match with your ISAKMP priority 3 policy. I suspect it is, but it
would be nice to verify this. Different VPN client versions are likely
to support different transforms.
I once ran into such an issue and did not resolve it until I reviewed
the supported parameters in the client user manual.
All of the proposals in the portion of the debug provided use AES, and
there are other differences between proposals of course.
Best Regards,
News Reader
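The comparison suggested in the post above (which client transform was checked against which router policy, and the reason IOS logged for rejecting it) can be tabulated mechanically from the debug text. The Python below is an added example, not part of the original thread; the sample lines are constructed in the format of the debug output posted here, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug output posted in this thread.
# One message is wrapped across two lines, as happens in the posts.
SAMPLE = """\
1w4d: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP (0:2): Xauth authentication by pre-shared key offered but does not
match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 10 against priority 3 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 11 against priority 3 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP (0:2): Preshared authentication offered but does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
"""

PREFIX = re.compile(r"^\S+: ISAKMP")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
REASON = re.compile(r"ISAKMP \(\d+:\d+\): (.+? does not match policy)")
ATTR_KEYS = {"encryption": "encryption", "hash": "hash", "default group": "group",
             "auth": "auth", "keylength of": "keylength"}
# Start of the logged message -> the attribute it complains about.
FIELDS = [("Encryption algorithm", "encryption"),
          ("Proposed key length", "keylength"),
          ("Hash algorithm", "hash"),
          ("Xauth authentication", "auth-xauth"),
          ("Preshared authentication", "auth-pre-share")]

def unwrap(text):
    """Re-join lines the news client wrapped (they lack the 'ISAKMP' prefix)."""
    out = []
    for line in text.splitlines():
        if PREFIX.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def parse_proposals(text):
    """Return one dict per 'Checking ISAKMP transform N against priority P'."""
    props, cur = [], None
    for line in unwrap(text):
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                   "attrs": {}, "reason": None, "field": None}
            props.append(cur)
        elif cur is not None:
            a, r = ATTR.search(line), REASON.search(line)
            if a:
                cur["attrs"][ATTR_KEYS[a.group(1)]] = a.group(2)
            elif r:
                cur["reason"] = r.group(1)
                cur["field"] = next((f for start, f in FIELDS
                                     if r.group(1).startswith(start)), "other")
    return props

def rejections_by_field(props):
    """Count logged rejection reasons per (policy priority, attribute)."""
    return Counter((p["priority"], p["field"]) for p in props if p["field"])

def auth_only_rejections(props):
    """Proposals whose logged complaint is the authentication method."""
    return [p for p in props if p["field"] and p["field"].startswith("auth")]

if __name__ == "__main__":
    proposals = parse_proposals(SAMPLE)
    for p in proposals:
        a = p["attrs"]
        print(f"policy {p['priority']:>5} transform {p['transform']:>2}: "
              f"{a.get('encryption')}/{a.get('hash')}/{a.get('auth')} "
              f"-> {p['field']}")
    print(dict(rejections_by_field(proposals)))
```

Feeding it a complete capture of `debug crypto isakmp` output shows at a glance which proposals drew a complaint about the authentication method rather than about the cipher or hash.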
Hello,
here is the full IPSEC and ISAKMP configuration and the full DEBUG.
I added a second transform set, but still have incompatibility with
VPN client.
Here is router info:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 15:23 by dchih
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
r1 uptime is 1 week, 4 days, 14 hours, 18 minutes
System returned to ROM by reload at 02:16:05 CEST Mon Mar 1 1993
System restarted at 20:07:55 CEST Wed Apr 9 2008
System image file is "flash:c2600-ik9o3s3-mz.123-26.bin"
cisco 2621 (MPC860) processor (revision 0x600) with 61440K/4096K bytes of memory.
Processor board ID JAD05440HLQ (1261232853)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
here is the configuration
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxxxxx
!
clock timezone CEST 1
clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnuser local
aaa authentication ppp default local
aaa authorization network vpnuser local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name domain.my
ip name-server 131.x.y.z
!
ip audit po max-events 100
vpdn enable
!
vpdn-group pptpcnaf
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
username root password 7 xxxxxxxxxxxxxxxxxxxxxx
username user1 password 7 xxxxxxxxxxxxxxxxxxxxx
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local internalpool
!
crypto isakmp client configuration group vpnuser
key fanfulla
dns 131.x.y.u
domain mydomain.my
pool internalpool
!
!
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
crypto ipsec transform-set second-set esp-aes esp-sha-hmac
!
crypto dynamic-map default-map 13
set transform-set default-set
reverse-route
!
crypto dynamic-map second-map 12
set transform-set second-set
!
!
crypto map mobile-map client authentication list vpnuser
crypto map mobile-map isakmp authorization list vpnuser
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
crypto map mobile-map 12 ipsec-isakmp dynamic second-map
1w4d: ISAKMP (0:0): received packet from a.b.c.d dport 500 sport 500 Global (N) NEW SA
1w4d: ISAKMP: Locking peer struct 0x82AC3CD0, IKE refcount 2 for Responding to new initiation
1w4d: ISAKMP: local port 500, remote port 500
1w4d: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82B1AE40
1w4d: ISAKMP (0:2): processing SA payload. message ID = 0
1w4d: ISAKMP (0:2): processing ID payload. message ID = 0
1w4d: ISAKMP (0:2): ID payload
next-payload : 13
type : 11
group id : vpnuser
protocol : 17
port : 500
length : 15
1w4d: ISAKMP (0:2): peer matches *none* of the profiles
1w4d: ISAKMP (0:2): processing vendor id payload
1w4d: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
1w4d: ISAKMP (0:2): vendor ID is XAUTH
1w4d: ISAKMP (0:2): processing vendor id payload
1w4d: ISAKMP (0:2): vendor ID is DPD
1w4d: ISAKMP (0:2): processing vendor id payload
1w4d: ISAKMP (0:2): vendor ID is Unity
1w4d: ISAKMP : Scanning profiles for xauth ...
1w4d: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 2 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Proposed key length does not match policy
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 2 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 2 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Proposed key length does not match policy
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 2 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 2 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Xauth authentication by pre-shared key offered but does not
match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 2 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 2 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Preshared authentication offered but does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 2 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 2 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 10 against priority 2 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 11 against priority 2 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 12 against priority 2 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 13 against priority 2 policy
1w4d: ISAKMP: encryption DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 14 against priority 2 policy
1w4d: ISAKMP: encryption DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 0
1w4d: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Xauth authentication by pre-shared key offered but does not
match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 10 against priority 3 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 11 against priority 3 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Preshared authentication offered but does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 12 against priority 3 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 13 against priority 3 policy
1w4d: ISAKMP: encryption DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 14 against priority 3 policy
1w4d: ISAKMP: encryption DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 0
1w4d: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 65535 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 65535 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 65535 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 65535 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 65535 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 65535 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 65535 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 65535 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP: keylength of 128
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 65535 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 10 against priority 65535 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 11 against priority 65535 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 12 against priority 65535 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 13 against priority 65535 policy
1w4d: ISAKMP: encryption DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 14 against priority 65535 policy
1w4d: ISAKMP: encryption DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: default group 2
1w4d: ISAKMP: auth pre-share
1w4d: ISAKMP: life type in seconds
1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 0
1w4d: ISAKMP (0:2): no offers accepted!
1w4d: ISAKMP (0:2): phase 1 SA policy not acceptable! (local 131.x.y.z remote a.b.c.d)
1w4d: ISAKMP (0:2): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
1w4d: ISAKMP (0:2): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
1w4d: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
1w4d: ISAKMP (0:2): Old State = IKE_READY New State = IKE_READY
1w4d: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at a.b.c.d
1w4d: ISAKMP: quick mode timer expired.
1w4d: ISAKMP (0:1): peer does not do paranoid keepalives.
1w4d: ISAKMP (0:1): deleting SA reason "QM_TIMER expired" state (R) AG_NO_STATE (peer a.b.c.d) input queue 0
1w4d: ISAKMP (0:1): deleting SA reason "QM_TIMER expired" state (R) AG_NO_STATE (peer a.b.c.d input queue 0
1w4d: ISAKMP: Unlocking IKE struct 0x82AC3CD0 for isadb_mark_sa_deleted(), count 1
1w4d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1w4d: ISAKMP (0:1): Old State = IKE_READY New State = IKE_DEST_SA
1w4d: ISAKMP (0:2): received packet from a.b.c.d dport 500 sport 500 Global (R) AG_NO_STATE
1w4d: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
1w4d: ISAKMP (0:2): retransmitting due to retransmit phase 1
1w4d: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE...
1w4d: ISAKMP (0:2): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
1w4d: ISAKMP (0:2): retransmitting phase 1 AG_NO_STATE
1w4d: ISAKMP (0:2): sending packet to a.b.c.d my_port 500 peer_port 500 (R) AG_NO_STATE
1w4d: ISAKMP (0:2): received packet from a.b.c.d dport 500 sport 500 Global (R) AG_NO_STATE
1w4d: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
1w4d: ISAKMP (0:2): retransmitting due to retransmit phase 1
1w4d: ISAKMP (0:2): no outgoing phase 1 packet to retransmit. AG_NO_STATE
1w4d: ISAKMP (0:2): received packet from a.b.c.d dport 500 sport 500 Global (R) AG_NO_STATE
1w4d: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
1w4d: ISAKMP (0:2): retransmitting due to retransmit phase 1
1w4d: ISAKMP (0:2): no outgoing phase 1 packet to retransmit. AG_NO_STATE
1w4d: ISAKMP (0:1): purging SA., sa=82AC3228, delme=82AC3228
You can list multiple transform-sets in order of preference. You don't
need the additional priority below.
> !
> crypto dynamic-map second-map 12
> set transform-set second-set
You were missing "reverse-route" here anyway.
> !
> !
> crypto map mobile-map client authentication list vpnuser
> crypto map mobile-map isakmp authorization list vpnuser
> crypto map mobile-map client configuration address respond
> crypto map mobile-map 13 ipsec-isakmp dynamic default-map
> crypto map mobile-map 12 ipsec-isakmp dynamic second-map
You can lose one of the two statements above, assuming you were
acting on the earlier comment. Make sure you remove the correct one.
...................................................................................................................
> 1w4d: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 2 policy
> 1w4d: ISAKMP: encryption AES-CBC
> 1w4d: ISAKMP: hash SHA
> 1w4d: ISAKMP: default group 2
> 1w4d: ISAKMP: auth XAUTHInitPreShared
> 1w4d: ISAKMP: life type in seconds
> 1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
> 1w4d: ISAKMP: keylength of 256
> 1w4d: ISAKMP (0:2): Proposed key length does not match policy
The VPN client has offered up "transform 1" for comparison with your
ISAKMP "priority 2 policy".
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
It did NOT find a mis-match with encryption AES-CBC, hash SHA, default
group 2, auth XAUTHInitPreShared, or life duration (VPI) of 0x0 0x20
0xC4 0x9B.
However, it has found a mis-match with "keylength of 256", as stated:
"Proposed key length does not match policy".
If you wanted to match "this transform" with your policy you would use
"encr aes 256" in your policy.
i.e.:
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
Other transforms offered by the client have other mis-matched
combinations etc.
> 1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
> 1w4d: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 2 policy
> 1w4d: ISAKMP: encryption AES-CBC
> 1w4d: ISAKMP: hash MD5
> 1w4d: ISAKMP: default group 2
> 1w4d: ISAKMP: auth XAUTHInitPreShared
> 1w4d: ISAKMP: life type in seconds
> 1w4d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
> 1w4d: ISAKMP: keylength of 256
> 1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
Best Regards,
News Reader
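An added example, not part of the original posts: a small Python parser for ISAKMP debug output in the format quoted in this thread, which pairs every offered transform with the local policy it was checked against and the attribute the router reported as mismatched. The sample log is constructed from lines of that format; the function names are assumptions.

```python
import re

# Constructed sample in the format of the debug output quoted in this thread
# (one reason line is wrapped, as terminal captures often are).
SAMPLE = """\
1w4d: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 2 policy
1w4d: ISAKMP: encryption AES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP: keylength of 256
1w4d: ISAKMP (0:2): Proposed key length does not match policy
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash SHA
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP (0:2): Xauth authentication by pre-shared key offered but does not
match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1w4d: ISAKMP (0:2): Checking ISAKMP transform 10 against priority 3 policy
1w4d: ISAKMP: encryption 3DES-CBC
1w4d: ISAKMP: hash MD5
1w4d: ISAKMP: auth XAUTHInitPreShared
1w4d: ISAKMP (0:2): Hash algorithm offered does not match policy!
1w4d: ISAKMP (0:2): atts are not acceptable. Next payload is 0
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
REASON = re.compile(r"ISAKMP \(\d+:\d+\): (.+?)(?: offered)?(?: but)? does not(?: match|$)")

def parse_offers(log):
    """Return one dict per (transform, policy) comparison, with the reported mismatch."""
    offers = []
    for line in log.splitlines():
        if m := CHECK.search(line):
            offers.append({"transform": int(m[1]), "policy": int(m[2]), "mismatch": None})
        elif offers and (m := ATTR.search(line)):
            offers[-1][m[1].replace(" of", "")] = m[2]   # attributes of the current offer
        elif offers and offers[-1]["mismatch"] is None and (m := REASON.search(line)):
            offers[-1]["mismatch"] = m[1]                # e.g. "Hash algorithm"
    return offers

def mismatches_for(log, policy):
    """Map transform number -> rejection reason for one local policy priority."""
    return {o["transform"]: o["mismatch"] for o in parse_offers(log) if o["policy"] == policy}

if __name__ == "__main__":
    print(*parse_offers(SAMPLE), sep="\n")
```

An offer whose "mismatch" stays None was not rejected for any attribute, which is the comparison to look for when a policy is expected to match.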
I think the key issue is indicated above (i.e.: not finding a match in
profiles). I think this is why none of your ISAKMP transforms are being
successfully matched with local ISAKMP policy.
Maybe try a "profiles" approach to this configuration:
aaa authentication login vpnuser local
aaa authorization network vpnuser local
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local internalpool
crypto isakmp client configuration group vpnuser
 key fanfulla
 dns 131.x.y.u
 domain mydomain.my
 pool internalpool
crypto isakmp profile mob-prof
 match identity group vpnuser
 client authentication list vpnuser
 isakmp authorization list vpnuser
 client configuration address respond
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
crypto dynamic-map dyn-mobile-map 10
 set transform-set default-set
 set isakmp-profile mob-prof
 reverse-route
crypto map mobile-map 10 ipsec-isakmp dynamic dyn-mobile-map
interface FastEthernet0/1
 ip address 131.x.a.b 255.255.255.0
 crypto map mobile-map
ip local pool internalpool 131.x.a.c
Note: The pool should NOT be part of your internal address space.
The key differences are the creation of the profile (with consolidation
of commands under it), reference to the profile in the dynamic map, and
the trimmed down crypto map.
Maybe this will allow the "profile" to be matched.
>>>> 1d12h: ISAKMP (0:2): processing vendor id payload
>>>> 1d12h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
>>>> 1d12h: ISAKMP (0:2): vendor ID is XAUTH
>>>> 1d12h: ISAKMP (0:2): processing vendor id payload
>>>> 1d12h: ISAKMP (0:2): vendor ID is DPD
>>>> 1d12h: ISAKMP (0:2): processing vendor id payload
>>>> 1d12h: ISAKMP (0:2): vendor ID is Unity
>>>> 1d12h: ISAKMP : Scanning profiles for xauth ...
>>>> 1d12h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
>>>> 1d12h: ISAKMP: encryption AES-CBC
>>>> 1d12h: ISAKMP: hash SHA
>>>> 1d12h: ISAKMP: default group 2
>>>> 1d12h: ISAKMP: auth XAUTHInitPreShared
>>>> 1d12h: ISAKMP: life type in seconds
>>>> 1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
>>>> 1d12h: ISAKMP: keylength of 256
>>>> 1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
>>>> 1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
Best Regards,
News Reader