I am having a problem with connecting to a VPN. I keep getting errors on the PIX "ATTS not acceptable" - also apparently different key lengths appearing on the debug... Any assistance appreciated. Client is Cisco VPN client v4.8.00.0440. I have tried various settings for DES - 3DES - AES ... all results similar.
******************* Current debug is:
crypto_isakmp_process_block:src:87.192.152.28, dest:194.196.37.3 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
crypto_isakmp_process_block:src:87.192.152.28, dest:194.196.37.3 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 87.192.152.28/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:87.192.152.28, dest:194.196.37.3 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 87.192.152.28/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:87.192.152.28, dest:194.196.37.3 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 87.192.152.28/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): deleting SA: src 87.192.152.28, dst 194.196.37.3
ISADB: reaper checking SA 0x3ac8cd4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 87.192.152.28/500 not found - peers:0
***********:
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixvpn
fixup protocol dns maximum-length 512
names
access-list 102 permit tcp any any eq www
access-list 102 permit icmp any any
pager lines 24
logging on
logging buffered debugging
ip address outside 192.192.37.3 255.255.255.240
ip address inside 10.0.0.254 255.0.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool myownvpn 10.1.1.10-10.1.1.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 192.192.37.33-192.192.37.34 netmask 255.255.255.240
global (outside) 1 192.192.37.35
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 192.192.37.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup user1 address-pool myownvpn
vpngroup user1 idle-time 600
vpngroup user1 password ********
vpngroup user2 address-pool myownvpn
vpngroup user2 idle-time 600
vpngroup user3 address-pool myownvpn
vpngroup user3 idle-time 600
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
************** VPN Client log:
Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 1
8 12:30:02.991 07/19/06 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
9 12:30:02.991 07/19/06 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id:0x00000000)
***********************************
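
Added example, not part of the original post: a small parser that lines up the transforms in the PIX debug against `isakmp policy 10` from the config and lists which attributes differ. The function names and the field-by-field equality check are assumptions for illustration, not the PIX's own matching logic; on the posted data, transform 4 differs from the policy only in the Diffie-Hellman group (2 proposed, 1 configured).

```python
import re

# Policy 10 lines copied from the posted PIX config.
CONFIG = """isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1"""

# Transforms 4 and 8 copied from the posted debug (lifetime fields trimmed).
DEBUG = (
    "ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy "
    "ISAKMP: encryption AES-CBC ISAKMP: hash MD5 ISAKMP: default group 2 "
    "ISAKMP: auth pre-share ISAKMP: keylength of 256 "
    "ISAKMP (0): atts are not acceptable. Next payload is 3 "
    "ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy "
    "ISAKMP: encryption AES-CBC ISAKMP: hash MD5 ISAKMP: default group 2 "
    "ISAKMP: auth pre-share ISAKMP: keylength of 128 "
    "ISAKMP (0): atts are not acceptable. Next payload is 3"
)

# PIX 'encryption' keyword -> (cipher name as the debug prints it, key length).
CIPHERS = {"des": ("DES-CBC", None), "3des": ("3DES-CBC", None), "aes": ("AES-CBC", "128"),
           "aes-192": ("AES-CBC", "192"), "aes-256": ("AES-CBC", "256")}
# One regex per attribute line of a transform in the debug output.
FIELDS = {"encryption": r"encryption (\S+)", "keylength": r"keylength of (\d+)",
          "hash": r"hash (\S+)", "group": r"default group (\d+)",
          "auth": r"ISAKMP: ((?:extended )?auth \S+)"}

def parse_policy(config, priority=10):
    """Read 'isakmp policy <priority> ...' lines into the debug's vocabulary."""
    raw = dict(re.findall(rf"^isakmp policy {priority} (\S+) (\S+)$", config, re.M))
    cipher, keylen = CIPHERS[raw["encryption"]]
    return {"encryption": cipher, "keylength": keylen, "hash": raw["hash"].upper(),
            "group": raw["group"], "auth": "auth " + raw["authentication"]}

def parse_transforms(debug):
    """Split on 'Checking ISAKMP transform N'; works on flattened or line-broken text."""
    parts = re.split(r"Checking ISAKMP transform (\d+)", debug)[1:]
    out = {}
    for num, body in zip(parts[0::2], parts[1::2]):
        hits = {name: re.search(rx, body) for name, rx in FIELDS.items()}
        out[int(num)] = {name: m.group(1) if m else None for name, m in hits.items()}
    return out

def mismatches(policy, transforms):
    """Transform number -> attributes that differ (plain equality, an assumption)."""
    return {n: [k for k in FIELDS if t[k] != policy[k]] for n, t in transforms.items()}

if __name__ == "__main__":
    for n, diff in mismatches(parse_policy(CONFIG), parse_transforms(DEBUG)).items():
        print(f"transform {n}: differs from policy 10 in {diff or 'nothing'}")
```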