I have had a static VPN running now for about 2 years. I want to add a dynamic VPN using Cisco's VPN client. I have followed the examples and I cannot get it to connect. I have tried different transform sets, ACL and no ACL, every combination I can think of, and no luck. I'm sure I am missing something obvious. I will paste the config with its matching debug. The router is a 2811 running the following software:
(C2800NM-ADVIPSERVICESK9-M), Version 12.3(11)T3
Thanks for any help you could give.
!
aaa authentication login default local group radius
aaa authentication login userauthen local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network groupauthen local
aaa accounting network default start-stop group radius
aaa session-id common
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secretkey address xxx.xxx.xxx.158 no-xauth
crypto isakmp key secretkey address xxx.xxx.xxx.56 no-xauth
crypto isakmp key secretkey address xxx.xxx.xxx.85 no-xauth
!
crypto isakmp client configuration group LSIGroup
 key secretkey
 dns xxx.xxx.xxx.13
 wins xxx.xxx.xxx.82
 pool lsipool
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpnset
!
!
crypto map SDM_CMAP_1 client authentication list userauthen
crypto map SDM_CMAP_1 isakmp authorization list groupauthor
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel Thru L3 to site A
 set peer xxx.xxx.xxx.158
 set transform-set ESP-3DES-SHA
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel Thru UUnet to site A
 set peer xxx.xxx.xxx.158
 set transform-set ESP-3DES-SHA2
 match address 102
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel Thru L3 to site B
 set peer xxx.xxx.xxx.85
 set transform-set ESP-3DES-SHA1
 match address 101
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel thru UUNet to site B
 set peer xxx.xxx.xxx.85
 set transform-set ESP-3DES-SHA3
 match address 103
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic dynmap
!
!
access-list 100 permit ip xxx.xxx.xxx.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 102 permit ip xxx.xxx.xxx.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip xxx.xxx.xxx.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 any
!
Router debugs from Cisco VPN Client 4.0.5 ( 4.6 gave the same results )
Router#term mon
Router#deb crypto isakmp
Crypto ISAKMP debugging is on
Router#deb crypto ipsec
Crypto IPSEC debugging is on
Router#debug crypto eng
Crypto Engine debugging is on
Router#debug crypto ber
BER debug output debugging is on
Router#debug crypto verb
verbose debug output debugging is on
Router#
Mar 13 17:04:20.481: ISAKMP (0:0): received packet from xxx.xxx.xxx.22 dport 500 sport 500 Global (N) NEW SA
Mar 13 17:04:20.481: ISAKMP: Created a peer struct for xxx.xxx.xxx.22, peer port 500
Mar 13 17:04:20.481: ISAKMP: Locking peer struct 0x44FC6538, IKE refcount 1 for crypto_isakmp_process_block
Mar 13 17:04:20.481: ISAKMP:(0:0:N/A:0):Setting client config settings 45D3D360
Mar 13 17:04:20.481: ISAKMP:(0:0:N/A:0):(Re)Setting client xauth list and state
Mar 13 17:04:20.481: ISAKMP/xauth: initializing AAA request
Mar 13 17:04:20.485: ISAKMP: local port 500, remote port 500
Mar 13 17:04:20.485: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45CED0DC
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
Mar 13 17:04:20.485: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : LSIGroup
        protocol     : 17
        port         : 500
        length       : 16
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0):: peer matches *none* of the profiles
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID is Unity
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Mar 13 17:04:20.489: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.489: ISAKMP:      hash SHA
Mar 13 17:04:20.489: ISAKMP:      default group 2
Mar 13 17:04:20.489: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.489: ISAKMP:      life type in seconds
Mar 13 17:04:20.489: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.489: ISAKMP:      keylength of 256
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 1 policy
Mar 13 17:04:20.489: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.489: ISAKMP:      hash MD5
Mar 13 17:04:20.489: ISAKMP:      default group 2
Mar 13 17:04:20.489: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.489: ISAKMP:      life type in seconds
Mar 13 17:04:20.489: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.489: ISAKMP:      keylength of 256
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 1 policy
Mar 13 17:04:20.493: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.493: ISAKMP:      hash SHA
Mar 13 17:04:20.493: ISAKMP:      default group 2
Mar 13 17:04:20.493: ISAKMP:      auth pre-share
Mar 13 17:04:20.493: ISAKMP:      life type in seconds
Mar 13 17:04:20.493: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.493: ISAKMP:      keylength of 256
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 1 policy
Mar 13 17:04:20.493: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.493: ISAKMP:      hash MD5
Mar 13 17:04:20.493: ISAKMP:      default group 2
Mar 13 17:04:20.493: ISAKMP:      auth pre-share
Mar 13 17:04:20.493: ISAKMP:      life type in seconds
Mar 13 17:04:20.493: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.493: ISAKMP:      keylength of 256
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 1 policy
Mar 13 17:04:20.497: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.497: ISAKMP:      hash SHA
Mar 13 17:04:20.497: ISAKMP:      default group 2
Mar 13 17:04:20.497: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.497: ISAKMP:      life type in seconds
Mar 13 17:04:20.497: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.497: ISAKMP:      keylength of 128
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 6 against priority 1 policy
Mar 13 17:04:20.497: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.497: ISAKMP:      hash MD5
Mar 13 17:04:20.497: ISAKMP:      default group 2
Mar 13 17:04:20.497: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.497: ISAKMP:      life type in seconds
Mar 13 17:04:20.497: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.497: ISAKMP:      keylength of 128
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.501: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 7 against priority 1 policy
Mar 13 17:04:20.501: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.501: ISAKMP:      hash SHA
Mar 13 17:04:20.501: ISAKMP:      default group 2
Mar 13 17:04:20.501: ISAKMP:      auth pre-share
Mar 13 17:04:20.501: ISAKMP:      life type in seconds
Mar 13 17:04:20.501: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.501: ISAKMP:      keylength of 128
Mar 13 17:04:20.501: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.501: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.501: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 8 against priority 1 policy
Mar 13 17:04:20.501: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.501: ISAKMP:      hash MD5
Mar 13 17:04:20.501: ISAKMP:      default group 2
Mar 13 17:04:20.501: ISAKMP:      auth pre-share
Mar 13 17:04:20.505: ISAKMP:      life type in seconds
Mar 13 17:04:20.505: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.505: ISAKMP:      keylength of 128
Mar 13 17:04:20.505: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.505: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.505: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against priority 1 policy
Mar 13 17:04:20.505: ISAKMP:      encryption 3DES-CBC
Mar 13 17:04:20.505: ISAKMP:      hash SHA
Mar 13 17:04:20.505: ISAKMP:      default group 2
Mar 13 17:04:20.505: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.505: ISAKMP:      life type in seconds
Mar 13 17:04:20.505: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.505: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Mar 13 17:04:20.509: CryptoEngine0: generating alg parameter for connid 22
Mar 13 17:04:20.545: CRYPTO_ENGINE: Dh phase 1 status: 0
Mar 13 17:04:20.545: CRYPTO_ENGINE: Dh phase 1 status: OK
Mar 13 17:04:20.545: ISAKMP:(0:22:SW:1): processing KE payload. message ID = 0
Mar 13 17:04:20.545: CryptoEngine0: generating alg parameter for connid 0
Mar 13 17:04:20.593: ISAKMP:(0:22:SW:1): processing NONCE payload. message ID = 0
Mar 13 17:04:20.597: ISAKMP:(0:22:SW:1): vendor ID is NAT-T v2
Mar 13 17:04:20.597: ISAKMP (0:134217750): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Mar 13 17:04:20.597: ISAKMP:(0:22:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 13 17:04:20.597: ISAKMP:(0:22:SW:1):Old State = IKE_READY  New State = IKE_READY
Mar 13 17:04:20.597: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at xxx.xxx.xxx.22
Mar 13 17:04:25.513: ISAKMP (0:134217750): received packet from xxx.xxx.xxx.22 dport 500 sport 500 Global (R) AG_NO_STATE
Mar 13 17:04:25.513: ISAKMP:(0:22:SW:1): processing SA payload. message ID = 0
Mar 13 17:04:25.513: ISAKMP:(0:22:SW:1): already processed SA payload!
Mar 13 17:04:25.513: ISAKMP (0:134217750): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Mar 13 17:04:25.513: ISAKMP:(0:22:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 13 17:04:25.513: ISAKMP:(0:22:SW:1):Old State = IKE_READY  New State = IKE_READY
Mar 13 17:04:30.681: ISAKMP (0:134217750): received packet from xxx.xxx.xxx.22 dport 500 sport 500 Global (R) AG_NO_STATE
Mar 13 17:04:30.685: ISAKMP:(0:22:SW:1): processing SA payload. message ID = 0
Mar 13 17:04:30.685: ISAKMP:(0:22:SW:1): already processed SA payload!
Mar 13 17:04:30.685: ISAKMP (0:134217750): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Mar 13 17:04:30.685: ISAKMP:(0:22:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 13 17:04:30.685: ISAKMP:(0:22:SW:1):Old State = IKE_READY  New State = IKE_READY
Mar 13 17:04:35.797: ISAKMP (0:134217750): received packet from xxx.xxx.xxx.22 dport 500 sport 500 Global (R) AG_NO_STATE
Mar 13 17:04:35.797: ISAKMP:(0:22:SW:1): processing SA payload. message ID = 0
Mar 13 17:04:35.797: ISAKMP:(0:22:SW:1): already processed SA payload!
Mar 13 17:04:35.797: ISAKMP (0:134217750): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Mar 13 17:04:35.797: ISAKMP:(0:22:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 13 17:04:35.797: ISAKMP:(0:22:SW:1):Old State = IKE_READY  New State = IKE_READY
Gordon Montgomery Living Scriptures, Inc snipped-for-privacy@lsi.com (anti spam - replace lsi with livingscriptures) (801) 627-2000
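Added example, not part of the post above and not Cisco's tooling: a small Python script that does the two checks a reviewer would run on a crypto-map config before reading the debug. First it confirms that every AAA method list a crypto map references is actually defined (the posted config references `groupauthor` on the crypto map while the only `aaa authorization network` list is named `groupauthen`, and the script flags that). Second it replays the ISAKMP proposal check from the debug against the configured `crypto isakmp policy` blocks, filling unset parameters with the documented IOS defaults (DES, SHA, RSA signatures, group 1). The config excerpt and the offered-transform list are constructed to mirror the posted config and debug; treating `XAUTHInitPreShared` as acceptable to a `pre-share` policy is an assumption that holds because the crypto map enables XAUTH.

```python
import re

# Constructed excerpt mirroring the posted router config (addresses and keys omitted).
CONFIG = """\
aaa authentication login default local group radius
aaa authentication login userauthen local
aaa authorization network groupauthen local
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto map SDM_CMAP_1 client authentication list userauthen
crypto map SDM_CMAP_1 isakmp authorization list groupauthor
crypto map SDM_CMAP_1 client configuration address respond
""".splitlines()

# Documented IOS defaults for an ISAKMP policy parameter that is not set explicitly.
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

# Names as printed by 'debug crypto isakmp' -> names as written in the config.
ENC_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
HASH_NAMES = {"SHA": "sha", "MD5": "md5"}
# Assumption: an XAUTH-on-top-of-pre-shared proposal satisfies a 'pre-share' policy
# when the crypto map has 'client authentication list' configured (it does above).
AUTH_NAMES = {"pre-share": "pre-share", "XAUTHInitPreShared": "pre-share", "rsa-sig": "rsa-sig"}


def aaa_lists(lines):
    """Collect the AAA method lists a crypto map may reference, keyed by list kind."""
    found = {"authentication login": set(), "authorization network": set()}
    for ln in lines:
        m = re.match(r"aaa (authentication login|authorization network) (\S+)", ln.strip())
        if m:
            found[m.group(1)].add(m.group(2))
    return found


def dangling_list_refs(lines):
    """Return (crypto map, list kind, list name) for each referenced list that is not defined."""
    defined = aaa_lists(lines)
    kinds = {"client authentication": "authentication login",
             "isakmp authorization": "authorization network"}
    dangling = []
    for ln in lines:
        m = re.match(r"crypto map (\S+) (client authentication|isakmp authorization) list (\S+)",
                     ln.strip())
        if m and m.group(3) not in defined[kinds[m.group(2)]]:
            dangling.append((m.group(1), kinds[m.group(2)], m.group(3)))
    return dangling


def isakmp_policies(lines):
    """Parse 'crypto isakmp policy' blocks, filling unset parameters with the IOS defaults."""
    policies, current = {}, None
    for ln in lines:
        head = re.match(r"crypto isakmp policy (\d+)", ln)
        if head:
            current = int(head.group(1))
            policies[current] = dict(IOS_POLICY_DEFAULTS)
            continue
        if not ln.startswith(" "):      # an unindented line ends the policy block
            current = None
            continue
        m = re.match(r"(encr|hash|group|authentication) (.+)", ln.strip())
        if current is not None and m:
            policies[current][m.group(1)] = m.group(2)
    return policies


def first_acceptable(offered, policies):
    """Replay the IOS check: each policy in priority order against every offered transform.
    Returns (transform number, policy priority) for the first match, or None."""
    for prio in sorted(policies):
        p = policies[prio]
        policy_enc = "aes 128" if p["encr"] == "aes" else p["encr"]   # bare 'encr aes' is AES-128
        for idx, t in enumerate(offered, start=1):
            enc = ENC_NAMES[t["encryption"]]
            if enc == "aes":
                enc = f"aes {t['keylength']}"
            if (enc == policy_enc and HASH_NAMES[t["hash"]] == p["hash"]
                    and t["group"] == p["group"]
                    and AUTH_NAMES[t["auth"]] == p["authentication"]):
                return idx, prio
    return None


# Constructed proposal list in the order the posted debug shows the client offering it:
# eight AES variants (256 then 128; XAUTH then plain pre-share; SHA then MD5), then 3DES/SHA.
OFFERED = [
    {"encryption": "AES-CBC", "hash": h, "group": "2", "auth": a, "keylength": k}
    for k in ("256", "128") for a in ("XAUTHInitPreShared", "pre-share") for h in ("SHA", "MD5")
] + [{"encryption": "3DES-CBC", "hash": "SHA", "group": "2", "auth": "XAUTHInitPreShared",
      "keylength": None}]

if __name__ == "__main__":
    for cmap, kind, name in dangling_list_refs(CONFIG):
        print(f"{cmap}: references undefined 'aaa {kind} {name}'")
    print("first acceptable (transform, policy):", first_acceptable(OFFERED, isakmp_policies(CONFIG)))
```

Run against the mirrored config, the proposal replay lands on transform 9 against policy 1, exactly where the debug prints "atts are acceptable", so the AES rejections earlier in the debug are noise rather than the blocking problem; the dangling-reference check is the one that reports something the debug does not say outright.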