Have you looked at the logs on the ACS to see what the ACS thinks is going on?

Dave

-----Original Message-----
From: Kingsley Charles
Sent: Sun 13/09/2009 18:44
To: Simon Baumann
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Analyzing ISAKMP debug.

Please ignore the IP addressing comment; I think that is necessary only when it is configured to get the IP address from AAA, similar to "vpn-addr-assign" in ASA. I am not sure if this is required.

Have you enabled priv 15 for the user account in AAA?

With regards
Kings

On Sun, Sep 13, 2009 at 10:50 PM, Kingsley Charles <[email protected]> wrote:

Hi Simon

ACS server may be reachable. We need to see if we have configured TACACS correctly. Can you try to enable authentication/authorization for the vty line and see if your telnet is successful with TACACS? If it is successful, please enable debug aaa, tacacs and see where it is failing.

If the client is connecting in client mode, have you configured the ACS TACACS for leasing an IP address?

With regards
Kings

On Sun, Sep 13, 2009 at 9:27 PM, Simon Baumann <[email protected]> wrote:

Hi Kings,

very good hint! It works with local auth/author :) Seems like the ACS has a problem. But: I could verify it with the test aaa command?

Cheers
Simon

On 13.09.2009 at 16:12, Kingsley Charles wrote:

Hi Simon

Are you able to establish the connection with just LOCAL AAA authentication/authorization? Just wanted to narrow down the issue. Just try to use "LOCAL" authentication alone and remove the TACACS for both authentication and authorization.

In Aggressive mode, there are three handshakes and they will take care of ISAKMP policy negotiation, which was successful, then DH negotiation, which should have no issues, and then identification. If there is a mismatch in group name or key, you will get a specific message like failed sanity. I don't see those messages. Next is the xauth, where it is not happening. Hence I am asking to remove TACACS authentication/authorization and check.
With regards
Kings

On Sun, Sep 13, 2009 at 6:37 PM, Simon Baumann <[email protected]> wrote:

Hi Stew, Hi Kings,

thanks for your hints. Here's my configuration:

used devices (PL sec pod): cat3, r2, acs-server, xp-ws

cat3 configuration:

vlans:
10  -> acs_vlan
192 -> r2_xp_vlan

ip routing is turned on, here are the vlan interfaces:
Vlan10   10.1.1.254
Vlan192  192.1.49.254

port configuration:
fa0/2  (r2 fa1/1):   vlan 192
fa0/14 (acs-server): vlan 10
fa0/15 (xp-ws):      vlan 192

ip-addresses:
r2 fa1/1: 192.1.49.1
acs:      10.1.1.100
xp-ws:    192.1.49.100

r2 configuration (only the relevant ipsec parts):

#-----------------------------------------------------------------------------------------------------------------------------#
aaa authentication login default none
aaa authentication login vpn group tacacs+ local
aaa authorization network vpn_network group tacacs+ local
!
username ccie password 0 ccie
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group cisco
 key simon
 pool vpnclients
 acl 199
!
!
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
!
crypto dynamic-map mode 1
 set transform-set 3des
!
crypto map mode client authentication list vpn
crypto map mode isakmp authorization list vpn_network
crypto map mode client configuration address initiate
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode
!
interface FastEthernet1/1
 no switchport
 ip address 192.1.49.1 255.255.255.0
 crypto map mode
!
ip local pool vpnclients 192.168.0.1 192.168.0.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.1.49.254
no ip http server
no ip http secure-server
!
ip tacacs source-interface FastEthernet1/1
!
access-list 199 permit ip 192.168.0.0 0.0.0.255 any
!
tacacs-server host 10.1.1.100 key cisco
!
#-----------------------------------------------------------------------------------------------------------------------------#

r2#test aaa group tacacs+ ccie ccie legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

r2#ping 192.1.49.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.49.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r2#

xp-ws:

C:\Documents and Settings\Administrator>ping 192.1.49.1

Pinging 192.1.49.1 with 32 bytes of data:

Reply from 192.1.49.1: bytes=32 time=7ms TTL=255
Reply from 192.1.49.1: bytes=32 time<1ms TTL=255
Reply from 192.1.49.1: bytes=32 time=1ms TTL=255
Reply from 192.1.49.1: bytes=32 time<1ms TTL=255

Ping statistics for 192.1.49.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 7ms, Average = 2ms
#-----------------------------------------------------------------------------------------------------------------------------#

I know: no "any" statement in the ipsec-acl - it's for testing only.

I don't see the wood for the trees at the moment ;) Any suggestions? TIA.

Have a nice sunday
Simon

On 12.09.2009 at 16:07, Paul Stewart wrote:

Simon, if you aren't through NAT from the client back to the VPN device, I think there could be an asymmetric or some other routing issue back to the client. The NAT-T constructed means that packets back to the IP address included inside the messages were dropped. I have seen this in a couple of cases when NAT is not used. My guess is a "show ip route" back to the actual IP address of the VPN client would route the traffic out another interface. Thus it is not parsed by the crypto map that is receiving the traffic.
Also, you will notice that subsequent packets are "NOT Encrypted, but should've been". The client uses aggressive mode, so if this is the case, it actually may have gone further than a L2L client that would have used main mode. There may be some other stuff going on, but I would make sure that the packets are directed back out the same interface with the crypto map first. That NAT-T is a clue if NAT isn't being used.

In any case, post back what the resolution was so we all know.

On 12.09.2009 at 16:41, Kingsley Charles wrote:

Hi Simon

The following is where the issue starts:

*Sep 13 05:19:23.719: ISAKMP:(0):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Sep 13 05:19:23.719: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
*Sep 13 05:19:23.731: ISAKMP (0): received packet from 192.1.49.100 dport 500 sport 1094 Global (R) AG_INIT_EXCH
*Sep 13 05:19:23.731: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.1.49.100 was not encrypted and it should've been.

It is somewhere near the pre-shared key authentication. Can you please check the AAA configuration and the pre-shared key configuration? Please send the server configuration and the client side parameters.

With regards
Kings

On Sat, Sep 12, 2009 at 7:05 PM, Simon Baumann <[email protected]> wrote:

Hi,

I just tried to configure r2 of my sec pod acting as an IPSec gateway. The XP workstation connects with the Cisco VPN Client. Here's the debug of r2 when trying to connect from XP.
#--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
*Sep 13 05:19:23.527: ISAKMP (0): received packet from 192.1.49.100 dport 500 sport 1094 Global (N) NEW SA
*Sep 13 05:19:23.527: ISAKMP: Created a peer struct for 192.1.49.100, peer port 1094
*Sep 13 05:19:23.527: ISAKMP: New peer created peer = 0x70F5D13C peer_handle = 0x8000000E
*Sep 13 05:19:23.527: ISAKMP: Locking peer struct 0x70F5D13C, refcount 1 for crypto_isakmp_process_block
*Sep 13 05:19:23.527: ISAKMP:(0):Setting client config settings 70F5C430
*Sep 13 05:19:23.527: ISAKMP:(0):(Re)Setting client xauth list and state
*Sep 13 05:19:23.527: ISAKMP/xauth: initializing AAA request
*Sep 13 05:19:23.527: ISAKMP: local port 500, remote port 1094
*Sep 13 05:19:23.527: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 70F6F64C
*Sep 13 05:19:23.527: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 13 05:19:23.527: ISAKMP:(0): processing ID payload. message ID = 0
*Sep 13 05:19:23.527: ISAKMP (0): ID payload
	next-payload : 13
	type         : 11
	group id     : vpnclients
	protocol     : 17
	port         : 500
	length       : 18
*Sep 13 05:19:23.527: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is XAUTH
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is DPD
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): processing IKE frag vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 13 05:19:23.527: ISAKMP:(0): processing vendor id payload
*Sep 13 05:19:23.527: ISAKMP:(0): vendor ID is Unity
*Sep 13 05:19:23.527: ISAKMP:(0): Authentication by xauth preshared
*Sep 13 05:19:23.527: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 13 05:19:23.527: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.527: ISAKMP: hash SHA
*Sep 13 05:19:23.527: ISAKMP: default group 2
*Sep 13 05:19:23.527: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.527: ISAKMP: life type in seconds
*Sep 13 05:19:23.527: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.527: ISAKMP: keylength of 256
*Sep 13 05:19:23.527: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.527: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.527: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Sep 13 05:19:23.527: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.527: ISAKMP: hash MD5
*Sep 13 05:19:23.527: ISAKMP: default group 2
*Sep 13 05:19:23.527: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.527: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Hash algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Sep 13 05:19:23.531: ISAKMP: encryption DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Hash algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 2 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 3 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 4 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 256
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 5 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 6 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 7 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
All possible debugging has been turned off
r2#
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 8 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption AES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP: keylength of 128
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 9 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 10 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 11 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash SHA
*Sep 13 05:19:23.531: ISAKMP: default group 2
*Sep 13 05:19:23.531: ISAKMP: auth pre-share
*Sep 13 05:19:23.531: ISAKMP: life type in seconds
*Sep 13 05:19:23.531: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.531: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.531: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.531: ISAKMP:(0):Checking ISAKMP transform 12 against priority 3 policy
*Sep 13 05:19:23.531: ISAKMP: encryption 3DES-CBC
*Sep 13 05:19:23.531: ISAKMP: hash MD5
*Sep 13 05:19:23.535: ISAKMP: default group 2
*Sep 13 05:19:23.535: ISAKMP: auth pre-share
*Sep 13 05:19:23.535: ISAKMP: life type in seconds
*Sep 13 05:19:23.535: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.535: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.535: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.535: ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy
*Sep 13 05:19:23.535: ISAKMP: encryption DES-CBC
*Sep 13 05:19:23.535: ISAKMP: hash MD5
*Sep 13 05:19:23.535: ISAKMP: default group 2
*Sep 13 05:19:23.535: ISAKMP: auth XAUTHInitPreShared
*Sep 13 05:19:23.535: ISAKMP: life type in seconds
*Sep 13 05:19:23.535: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 05:19:23.535: ISAKMP:(0):atts are acceptable. Next payload is 3
*Sep 13 05:19:23.535: ISAKMP:(0):Acceptable atts:actual life: 86400
*Sep 13 05:19:23.535: ISAKMP:(0):Acceptable atts:life: 0
*Sep 13 05:19:23.535: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 13 05:19:23.535: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Sep 13 05:19:23.535: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 13 05:19:23.535: ISAKMP:(0)::Started lifetime timer: 86400.
*Sep 13 05:19:23.535: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 13 05:19:23.551: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 13 05:19:23.551: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 13 05:19:23.551: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Sep 13 05:19:23.551: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
*Sep 13 05:19:23.719: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 13 05:19:23.719: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_FQDN
*Sep 13 05:19:23.719: ISAKMP (0): ID payload
	next-payload : 10
	type         : 2
	FQDN name    : r2
	protocol     : 0
	port         : 0
	length       : 10
*Sep 13 05:19:23.719: ISAKMP:(0):Total payload length: 10
*Sep 13 05:19:23.719: ISAKMP:(0): sending packet to 192.1.49.100 my_port 500 peer_port 1094 (R) AG_INIT_EXCH
*Sep 13 05:19:23.719: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 13 05:19:23.719: ISAKMP:(0):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Sep 13 05:19:23.719: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
*Sep 13 05:19:23.731: ISAKMP (0): received packet from 192.1.49.100 dport 500 sport 1094 Global (R) AG_INIT_EXCH
*Sep 13 05:19:23.731: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.1.49.100 was not encrypted and it should've been.
*Sep 13 05:19:23.735: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Sep 13 05:19:23.735: ISAKMP (0): received packet from 192.1.49.100 dport 500 sport 1094 Global (R) AG_INIT_EXCH
*Sep 13 05:19:23.735: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.1.49.100 was not encrypted and it should've been.
*Sep 13 05:19:23.735: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Sep 13 05:19:24.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Sep 13 05:19:24.735: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 13 05:19:24.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Sep 13 05:19:24.735: ISAKMP:(0): sending packet to 192.1.49.100 my_port 500 peer_port 1094 (R) AG_INIT_EXCH
*Sep 13 05:19:24.735: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 13 05:19:24.955: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Sep 13 05:19:24.955: ISAKMP:(0):peer does not do paranoid keepalives.
*Sep 13 05:19:24.955: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.49.100)
*Sep 13 05:19:24.955: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.49.100)
*Sep 13 05:19:24.955: ISAKMP: Unlocking peer struct 0x7043EBFC for isadb_mark_sa_deleted(), count 0
*Sep 13 05:19:24.955: ISAKMP: Deleting peer node by peer_reap for 192.1.49.100: 7043EBFC
*Sep 13 05:19:24.955: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 13 05:19:24.955: ISAKMP:(0):Old State = IKE_R_AM2 New State = IKE_DEST_SA
*Sep 13 05:19:34.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Sep 13 05:19:34.735: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 13 05:19:34.735: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Sep 13 05:19:34.735: ISAKMP:(0): sending packet to 192.1.49.100 my_port 500 peer_port 1094 (R) AG_INIT_EXCH
*Sep 13 05:19:34.735: ISAKMP:(0):Sending an IKE IPv4 Packet.
r2#
#--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#

It looks like a problem with the isakmp policy to me. What's your recommendation to check? TIA.
Have a nice weekend
Simon

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
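The thread's diagnosis rests on reading the responder-side debug by hand: which of the client's 14 proposals a policy accepted, which state the IKE state machine reached, and where the %CRYPTO-6-IKMP_NOT_ENCRYPTED error lands relative to the PRESHARED_KEY_REPLY from AAA. The script below is an added example (not code from the list, from any poster, or from Cisco) that does the same triage over "debug crypto isakmp" output so the answer to "where does it stop?" is mechanical. It assumes only the line formats visible in the posted debug; the sample input is a constructed, abridged excerpt of Simon's debug, and the hints it emits are the thread's own two hypotheses (key/AAA mismatch, return-path routing) plus a check that the group id in the client's ID payload matches a configured group. It generalizes beyond the one posted run: any number of transforms and policy priorities are handled, and a run with no matching policy at all is reported as such.

```python
"""Triage helper for Cisco IOS ``debug crypto isakmp`` output (added example,
not code from the list or from Cisco). It records which offered transform
matched which ISAKMP policy, the state-machine transitions, the group id the
client presented and any %CRYPTO error, then says where phase 1 stopped."""
import re

# Constructed sample: an abridged excerpt of the r2 debug posted in the thread,
# with the repeated rejected transforms cut down to one.
SAMPLE_DEBUG = """\
*Sep 13 05:19:23.527: ISAKMP (0): received packet from 192.1.49.100 dport 500 sport 1094 Global (N) NEW SA
*Sep 13 05:19:23.527: ISAKMP (0): ID payload
\tnext-payload : 13
\ttype         : 11
\tgroup id     : vpnclients
*Sep 13 05:19:23.527: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 13 05:19:23.527: ISAKMP:      encryption AES-CBC
*Sep 13 05:19:23.527: ISAKMP:      hash SHA
*Sep 13 05:19:23.527: ISAKMP:      default group 2
*Sep 13 05:19:23.527: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.527: ISAKMP:      keylength of 256
*Sep 13 05:19:23.527: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 13 05:19:23.527: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 05:19:23.535: ISAKMP:(0):Checking ISAKMP transform 13 against priority 3 policy
*Sep 13 05:19:23.535: ISAKMP:      encryption DES-CBC
*Sep 13 05:19:23.535: ISAKMP:      hash MD5
*Sep 13 05:19:23.535: ISAKMP:      default group 2
*Sep 13 05:19:23.535: ISAKMP:      auth XAUTHInitPreShared
*Sep 13 05:19:23.535: ISAKMP:(0):atts are acceptable. Next payload is 3
*Sep 13 05:19:23.551: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT
*Sep 13 05:19:23.719: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
*Sep 13 05:19:23.731: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.1.49.100 was not encrypted and it should've been.
*Sep 13 05:19:24.955: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.49.100)
"""

RE_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
RE_ATTRS = {  # attribute lines of one offered transform, as IOS prints them
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "group": re.compile(r"ISAKMP:\s+default group (\S+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
    "keylength": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
}
RE_REJECT = re.compile(r"(\w+) algorithm offered does not match policy")
RE_VERDICT = re.compile(r"atts are (not )?acceptable")
RE_STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RE_ERROR = re.compile(r"%CRYPTO-\d+-(\w+): (.+)")
RE_DELETE = re.compile(r'deleting SA reason "([^"]+)"')
RE_GROUP = re.compile(r"group id\s*:\s*(\S+)")  # from the client's ID payload


def parse_isakmp_debug(text):
    """Return transforms checked, state transitions, %CRYPTO errors, the first
    SA-deletion reason and the group id the client presented."""
    report = {"transforms": [], "states": [], "errors": [],
              "sa_deleted": None, "client_group": None}
    current = None  # the transform whose attribute lines we are inside
    for line in text.splitlines():
        m = RE_CHECK.search(line)
        if m:
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "attrs": {}, "accepted": False, "reason": None}
            report["transforms"].append(current)
            continue
        if current is not None:
            for name, pattern in RE_ATTRS.items():
                m = pattern.search(line)
                if m:
                    current["attrs"][name] = m.group(1)
            if "does not match policy" in line:
                m = RE_REJECT.search(line)
                current["reason"] = m.group(1) if m else line.split("):", 1)[-1].strip()
            m = RE_VERDICT.search(line)
            if m:  # the verdict line closes this transform
                current["accepted"] = m.group(1) is None
                current = None
        m = RE_STATE.search(line)
        if m:
            report["states"].append((m.group(1), m.group(2)))
        m = RE_ERROR.search(line)
        if m:
            report["errors"].append((m.group(1), m.group(2).strip()))
        m = RE_DELETE.search(line)
        if m and report["sa_deleted"] is None:
            report["sa_deleted"] = m.group(1)
        m = RE_GROUP.search(line)
        if m and report["client_group"] is None:
            report["client_group"] = m.group(1)
    return report


def triage(report):
    """Summarise how far phase 1 got and what to check next."""
    accepted = next((t for t in report["transforms"] if t["accepted"]), None)
    last_state = report["states"][-1][1] if report["states"] else None
    # IKE_P1_COMPLETE is the state IOS prints once phase 1 has finished.
    phase1_done = any(new == "IKE_P1_COMPLETE" for _, new in report["states"])
    findings = []
    if report["client_group"]:
        findings.append("client presented group id '%s': it must match a configured "
                        "'crypto isakmp client configuration group' or the group record "
                        "the AAA server returns" % report["client_group"])
    if accepted is None and report["transforms"]:
        findings.append("no offered transform matched any ISAKMP policy; compare the "
                        "proposals with 'show crypto isakmp policy'")
    if any(code == "IKMP_NOT_ENCRYPTED" for code, _ in report["errors"]):
        findings.append("peer sent an unencrypted packet after the policy was agreed: "
                        "the two sides derived different phase-1 keys (group key / AAA "
                        "lookup), or the reply went out another path (routing, NAT-T)")
    if report["sa_deleted"]:
        findings.append("SA deleted: %s" % report["sa_deleted"])
    return {"accepted": accepted, "last_state": last_state,
            "phase1_completed": phase1_done, "findings": findings}


if __name__ == "__main__":
    result = triage(parse_isakmp_debug(SAMPLE_DEBUG))
    print("accepted transform:", result["accepted"])
    print("last state:", result["last_state"], "- phase 1 complete:", result["phase1_completed"])
    for finding in result["findings"]:
        print("-", finding)
```

Run it on a saved "debug crypto isakmp" capture (replace SAMPLE_DEBUG with the file contents). On the posted run it reports transform 13 accepted against the priority 3 policy, the last state as IKE_R_AM2 with phase 1 never completing, and the unencrypted-packet error, which is exactly the point Kings picked out by eye; the group-id line additionally makes visible that the client identifies itself as "vpnclients", which is worth comparing with the group names in the router and ACS configuration.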
