Re: IPSec VPN with c2600 router
- From: News Reader <user@xxxxxxxxxxx>
- Date: Fri, 11 Apr 2008 12:45:38 -0400
RJ45 wrote:
Hello,
I have a Cisco 2621 router, and I would like to use it for my office
VPN access.
I configured it with PPTP and it works with a default local user called
"root".
root is just the privileged Cisco 2600 user and I just used it to test
the VPN also.
Now I wanted to do something more complicated and I wanted to configure
an IPSec VPN using the Cisco VPN client to connect to my c2621,
but it does not work and I fail to configure it.
The situation is this: my router has a public IP
131.x.a.b
and when I am connected in VPN the public IP 131.z.a.c
is assigned to me, and this works with vpdn PPTP.
How to do it with IPSEC?
This is really not very well documented around and here I report
the configuration which apparently does not work.
There are plenty of configuration examples on the Cisco web site that would have helped you get farther with this task.
Could someone give me a solution to a good configuration for
an IPSec VPN using the Cisco VPN client to connect to my router?
here is the router config:
!
! Last configuration change at 08:30:48 CEST Fri Apr 11 2008 by root
! NVRAM config last updated at 08:30:57 CEST Fri Apr 11 2008 by root
!
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable password 7 104D4252130411
Don't include passwords in your post. Type 7 passwords are easily decrypted with readily available utilities. Takes less than 1 sec. Most of us can tell you what your password is, if you need proof. Use the "enable secret" command instead of "enable password". The result is a type 5 password that is not so easily decrypted. Don't include those in your post either.
!
clock timezone CEST 1
clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnuser local
aaa authorization network vpnuser local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name cnaf.infn.it
ip name-server 131.x.y.z
!
ip audit po max-events 100
vpdn enable
!
vpdn-group pptpcnaf
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username root password 7 0115020557040206
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration address-pool local internalpool
crypto isakmp client configuration group vpnuser
key xxxxxxx
dns 131.x.y.z
domain cnaf.infn.it
pool internalpool
!
!
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
!
crypto dynamic-map default-map 13
set transform-set default-set
reverse-route
!
!
crypto map mobile-map client authentication list vpnuser
crypto map mobile-map isakmp authorization list vpnuser
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 131.x.a.b 255.255.255.0
duplex auto
speed auto
crypto map mobile-map
Assuming FastEthernet0/1 is the interface that will terminate the inbound IPSec tunnels.
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool internalpool
ppp encrypt mppe 128 required
ppp authentication ms-chap ms-chap-v2
!
ip local pool internalpool 131.x.a.c
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 131.x.a.z
!
!
!
snmp-server community public RO
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 5 15
!
end
And here is the DEBUG output:
1d12h: ISAKMP (0:0): received packet from 131.x.y.h dport 500 sport 500 Global (N) NEW SA
1d12h: ISAKMP: Locking peer struct 0x82FEEBB4, IKE refcount 2 for Responding to new initiation
1d12h: ISAKMP: local port 500, remote port 500
1d12h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8313D0D8
1d12h: ISAKMP (0:2): processing SA payload. message ID = 0
1d12h: ISAKMP (0:2): processing ID payload. message ID = 0
1d12h: ISAKMP (0:2): ID payload
next-payload : 13
type : 11
group id : vpnuser
protocol : 17
port : 500
length : 15
1d12h: ISAKMP (0:2): peer matches *none* of the profiles
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
1d12h: ISAKMP (0:2): vendor ID is XAUTH
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is DPD
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is Unity
1d12h: ISAKMP : Scanning profiles for xauth ...
1d12h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
and it keeps logging that the ISAKMP transforms don't match the policy encryption...
any hints or suggestions?
thanks
RJ45
I've listed what stands out the most, and excluded optional configuration commands. Other posters may find additional requirements I've overlooked.
Presumably your interface ACLs have been setup appropriately for ESP, ISAKMP, and potentially non500-ISAKMP.
Best Regards,
News Reader
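The debug output above repeats the same complaint for every transform the client proposes: the client offers AES-CBC, while "crypto isakmp policy 3" only has "encr 3des", so phase 1 never completes. As an added example (not part of either post), here is a small Python checker that parses "debug crypto isakmp" lines of that shape and reports, per offered transform, which attribute the configured policy rejects. The sample debug lines are a constructed, abbreviated copy of the thread's output, and the policy dict reproduces the router's policy 3 (IOS defaults the hash to SHA when none is set).

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output from the thread (two of the eight transforms).
SAMPLE_DEBUG = """\
1d12h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth XAUTHInitPreShared
1d12h: ISAKMP:      keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth pre-share
1d12h: ISAKMP:      keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
"""

# The router's "crypto isakmp policy 3" from the thread; no "hash" line means the IOS default, SHA.
ROUTER_POLICY = {"encryption": "3DES", "hash": "SHA", "group": "2", "auth": "pre-share"}

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
ATTR_NAMES = {"default group": "group", "keylength of": "keylength"}

def parse_transforms(debug_text):
    """Group the per-attribute debug lines under the transform header they follow."""
    transforms, current = [], None
    for line in debug_text.splitlines():
        if m := TRANSFORM_RE.search(line):
            current = {"transform": int(m.group(1)), "policy": int(m.group(2))}
            transforms.append(current)
        elif (m := ATTR_RE.search(line)) and current is not None:
            current[ATTR_NAMES.get(m.group(1), m.group(1))] = m.group(2)
    return transforms

def normalize(attr, value):
    """Map the debug spelling onto the config spelling so the two can be compared."""
    if attr == "encryption":
        return value.upper().replace("-CBC", "")      # "AES-CBC" -> "AES", "3DES-CBC" -> "3DES"
    if attr == "auth" and value == "XAUTHInitPreShared":
        return "pre-share"                            # pre-shared key plus XAUTH still satisfies "pre-share"
    return value.lower()

def mismatches(transform, policy=ROUTER_POLICY):
    """Return {attribute: (offered, configured)} for every attribute the policy would reject."""
    return {attr: (transform.get(attr, ""), want) for attr, want in policy.items()
            if normalize(attr, transform.get(attr, "")) != normalize(attr, want)}

def diagnose(debug_text, policy=ROUTER_POLICY):
    """Per transform number, the attributes that stop it from matching the router policy."""
    return {t["transform"]: mismatches(t, policy) for t in parse_transforms(debug_text)}

if __name__ == "__main__":
    for number, bad in diagnose(SAMPLE_DEBUG).items():
        print(f"transform {number}: {bad or 'acceptable'}")
```

Run against the real debug, every transform reports only the encryption attribute, which points straight at the policy 3 "encr" line rather than at the pre-shared key, group, or XAUTH configuration.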