Re: IPSec VPN with c2600 router




hello,
thanks for your help,
I wrote to the newsgroup because I could not find on the Cisco
site any help about setting up an end-user VPN.
There are plenty of IOS examples with site-to-site VPN,
and the end-user VPN examples are only for ASA or PIX hardware
and not with normal router hardware and IOS.
I tried to apply your hints but still I have the same
error and the VPN cannot be established with
the Cisco VPN client. Any more hints?
thanks

4d19h: ISAKMP (0:0): received packet from 131.154.3.242 dport 500 sport 500 Global (N) NEW SA
4d19h: ISAKMP: Locking peer struct 0x82FEEB8C, IKE refcount 2 for Responding to new initiation
4d19h: ISAKMP: local port 500, remote port 500
4d19h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8314B168
4d19h: ISAKMP (0:2): processing SA payload. message ID = 0
4d19h: ISAKMP (0:2): processing ID payload. message ID = 0
4d19h: ISAKMP (0:2): ID payload
next-payload : 13
type : 11
group id : vpnuser
protocol : 17
port : 500
length : 15
4d19h: ISAKMP (0:2): peer matches *none* of the profiles
4d19h: ISAKMP (0:2): processing vendor id payload
4d19h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
4d19h: ISAKMP (0:2): vendor ID is XAUTH
4d19h: ISAKMP (0:2): processing vendor id payload
4d19h: ISAKMP (0:2): vendor ID is DPD
4d19h: ISAKMP (0:2): processing vendor id payload
4d19h: ISAKMP (0:2): vendor ID is Unity
4d19h: ISAKMP : Scanning profiles for xauth ...
4d19h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash MD5
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth pre-share
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash MD5
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth pre-share
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash MD5
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth pre-share
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash MD5
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth pre-share
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP: keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy
4d19h: ISAKMP: encryption 3DES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: life type in seconds
4d19h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP (0:2): Xauth authentication by pre-shared key offered but does not match policy!


On 2008-04-11, News Reader <user@xxxxxxxxxxx> wrote:
News Reader wrote:
RJ45 wrote:
Hello,
I have a Cisco 2621 router, and I would like to use it for my office
VPN access.
I configured it with PPTP and it works with the default local user called
"root".
root is just the privileged Cisco 2600 user and I just used it to test
the VPN also.

Now I wanted to do something more complicated and I wanted to configure
an IPSec VPN using the Cisco VPN client to connect to my c2621,
but it does not work and I fail to configure it.

The situation is this, my router has a public IP

131.x.a.b

and when I am connected in VPN the public IP 131.z.a.c
is assigned to me and this works with vpdn PPTP.

How do I do it with IPSec?

This is really not very well documented anywhere, and here I report
the configuration which apparently does not work.

There are plenty of configuration examples on the Cisco web site that
would have helped you get farther with this task.

Could someone give me a solution, a good configuration for
an IPSec VPN using the Cisco VPN client to connect to my router?

here is the router config:


!
! Last configuration change at 08:30:48 CEST Fri Apr 11 2008 by root
! NVRAM config last updated at 08:30:57 CEST Fri Apr 11 2008 by root
!
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable password 7 104D4252130411

Don't include passwords in your post. Type 7 passwords are easily
decrypted with readily available utilities. Takes less than 1 sec. Most
of us can tell you what your password is, if you need proof. Use the
"enable secret" command instead of "enable password". The result is a
type 5 password that is not so easily decrypted. Don't include those in
your post either.

!
clock timezone CEST 1
clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnuser local

aaa authorization network vpnuser local

aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name cnaf.infn.it
ip name-server 131.x.y.z
!
ip audit po max-events 100
vpdn enable
!
vpdn-group pptpcnaf
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username root password 7 0115020557040206

Use the "username secret" command instead of the "username password"
command. See my prior note on the level of encryption, and the ease with
which Type 7 passwords are decrypted.

Consider setting up a specific VPN username in the aaa local database,
instead of a generic root user, particularly if that root password is
used elsewhere in the organization.

username <desire-vpn-username> secret <secret-password>

You may also want to specify a privilege level (lower the better) for
that user, in case they try logging into the router.

!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!

crypto isakmp client configuration address-pool local internalpool

crypto isakmp client configuration group vpnuser
key xxxxxxx
dns 131.x.y.z
domain cnaf.infn.it
pool internalpool
!
!
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
!
crypto dynamic-map default-map 13
set transform-set default-set

reverse-route

!
!
crypto map mobile-map client authentication list vpnuser

crypto map mobile-map isakmp authorization list vpnuser

crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 131.x.a.b 255.255.255.0
duplex auto
speed auto

crypto map mobile-map

Assuming FastEthernet0/1 is the interface that will terminate the
inbound IPSec tunnels.

!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool internalpool
ppp encrypt mppe 128 required
ppp authentication ms-chap ms-chap-v2
!
ip local pool internalpool 131.x.a.c
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 131.x.a.z
!
!
!
snmp-server community public RO
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 5 15
!
end

And here is the DEBUG output:



1d12h: ISAKMP (0:0): received packet from 131.x.y.h dport 500 sport 500 Global (N) NEW SA
1d12h: ISAKMP: Locking peer struct 0x82FEEBB4, IKE refcount 2 for Responding to new initiation
1d12h: ISAKMP: local port 500, remote port 500
1d12h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8313D0D8
1d12h: ISAKMP (0:2): processing SA payload. message ID = 0
1d12h: ISAKMP (0:2): processing ID payload. message ID = 0
1d12h: ISAKMP (0:2): ID payload
next-payload : 13
type : 11
group id : vpnuser
protocol : 17
port : 500
length : 15
1d12h: ISAKMP (0:2): peer matches *none* of the profiles
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
1d12h: ISAKMP (0:2): vendor ID is XAUTH
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is DPD
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is Unity
1d12h: ISAKMP : Scanning profiles for xauth ...
1d12h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy


and it keeps logging that no ISAKMP transform matches the policy encryption...

Any hints or suggestions?


thanks


RJ45



I've listed what stands out the most, and excluded optional
configuration commands. Other posters may find additional requirements
I've overlooked.

Presumably your interface ACLs have been set up appropriately for ESP,
ISAKMP, and potentially non500-ISAKMP.

Best Regards,
News Reader
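An added example, not code from anyone in this thread: a small Python parser for the "debug crypto isakmp" output quoted above. It groups each "Checking ISAKMP transform N against priority P policy" block with the attributes IOS prints under it and the rejection line that follows, so the gap between what the VPN client proposes and what the router's ISAKMP policy accepts can be read off in a few lines instead of hundreds of debug lines. The sample input is a constructed excerpt of the thread's output with the wrapped lines rejoined.

```python
import re
# Constructed excerpt of the thread's debug output (wrapped lines rejoined, lifetime lines omitted).
SAMPLE_DEBUG = """\
4d19h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
4d19h: ISAKMP: encryption AES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP: keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy
4d19h: ISAKMP: encryption 3DES-CBC
4d19h: ISAKMP: hash SHA
4d19h: ISAKMP: default group 2
4d19h: ISAKMP: auth XAUTHInitPreShared
4d19h: ISAKMP (0:2): Xauth authentication by pre-shared key offered but does not match policy!
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|default group|auth|keylength of) (\S+)")
REJECT_RE = re.compile(r"ISAKMP \(\d+:\d+\): (.*does not match policy!)")
ATTR_NAMES = {"default group": "group", "keylength of": "keylength"}  # normalise IOS wording

def parse_transforms(debug_text):
    """One dict per transform the client proposed: printed attributes plus the first rejection reason (None if none)."""
    transforms, current = [], None
    for line in debug_text.splitlines():
        if m := CHECK_RE.search(line):  # start of a new transform block
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "attrs": {}, "reject": None}
            transforms.append(current)
        elif current is None:  # lines before the first transform block are ignored
            continue
        elif m := ATTR_RE.search(line):  # attribute line belonging to the current block
            current["attrs"][ATTR_NAMES.get(m.group(1), m.group(1))] = m.group(2)
        elif (m := REJECT_RE.search(line)) and current["reject"] is None:
            current["reject"] = m.group(1)  # keep only the first reason IOS gave
    return transforms

def rejection_summary(transforms):
    """Map each distinct rejection reason to the (encryption, auth) pairs that hit it."""
    summary = {}
    for t in transforms:
        pair = (t["attrs"].get("encryption"), t["attrs"].get("auth"))
        summary.setdefault(t["reject"] or "accepted", []).append(pair)
    return summary
```

Running `rejection_summary(parse_transforms(SAMPLE_DEBUG))` on the excerpt shows the AES proposals failing on the encryption check and the 3DES proposal getting past it only to fail on the Xauth authentication type, which is exactly the pattern to compare against the router's "crypto isakmp policy" lines.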




