Try adding the following
crypto isakmp profile EZVPN
 match identity group EZC
 client authentication list EZ-AUTHEN
 isakmp authorization list EZ-AUTHOR
 client configuration address respond
!
no crypto map MY-RMAP client authentication list EZ-AUTHEN
no crypto map MY-RMAP isakmp authorization list EZ-AUTHOR
no crypto map MY-RMAP client configuration address respond
crypto map MY-RMAP isakmp-profile EZVPN

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Sumit Mahla
Sent: Monday, May 10, 2010 8:39 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] Eazy VPN... Debug output

Forgot to mention this as well

On R1

username cisco password cisco

_____

From: [email protected]
To: [email protected]
Date: Mon, 10 May 2010 18:02:36 +0530
Subject: [OSL | CCIE_Security] Eazy VPN... Debug output

Hello All,

I configured Easy VPN router and a software client... below is the config and debug output... Could anyone please suggest?
ON ASA

ciscoasa/C1(config)# sh run access-list
access-list OUT extended permit esp any any
access-list OUT extended permit udp any any eq isakmp
access-list OUT extended permit udp any any eq 1500
access-list OUT extended permit icmp any any
access-list OUT extended permit tcp object-group LOOPBACK object-group SERVER object-group TCP-APP
access-list OUT extended permit udp object-group LOOPBACK object-group SERVER object-group UDP-APP
access-list OUT extended permit udp host 192.1.55.16 host 192.1.41.100 eq radius
access-list OUT extended permit udp host 192.1.55.16 host 192.1.41.100 eq radius-acct
access-list OUT extended permit tcp host 192.1.56.6 host 192.1.41.100 eq tacacs
access-list OUT extended permit udp host 192.1.42.2 host 192.1.41.100 eq radius
access-list OUT extended permit udp host 192.1.42.2 host 192.1.41.100 eq radius-acct
ciscoasa/C1(config)#
ciscoasa/C1(config)# sh run static
static (Inside,Outside) 192.1.41.24 10.11.11.24 netmask 255.255.255.255
static (Inside,Outside) 192.1.41.26 10.11.11.26 netmask 255.255.255.255
static (Inside,Outside) 192.1.41.100 10.11.11.25 netmask 255.255.255.255
static (Inside,Outside) 192.1.41.1 10.22.22.1 netmask 255.255.255.255
ciscoasa/C1(config)#

ON R1

R1#sh run | in aaa
aaa new-model
aaa authentication login EZ-AUTHEN local
aaa authorization network EZ-AUTHOR local
aaa session-id common
R1#sh run | sec crypto
crypto isakmp policy 17
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group EZC
 key cciesec
 pool EZP
 acl 170
crypto ipsec transform-set EZ-SET esp-3des esp-md5-hmac
crypto dynamic-map R-MAP 17
 set transform-set EZ-SET
 reverse-route
crypto map MY-RMAP client authentication list EZ-AUTHEN
crypto map MY-RMAP isakmp authorization list EZ-AUTHOR
crypto map MY-RMAP client configuration address respond
crypto map MY-RMAP 170 ipsec-isakmp dynamic R-MAP
 crypto map MY-RMAP
R1#sh run interface f0/0
Building configuration...

Current configuration : 115 bytes
!
interface FastEthernet0/0
 ip address 10.22.22.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MY-RMAP
end

R1#
R1(config-if)#
*May 10 08:11:14.774: ISAKMP (0): received packet from 192.1.66.25 dport 500 sport 1077 Global (N) NEW SA
*May 10 08:11:14.774: ISAKMP: Created a peer struct for 192.1.66.25, peer port 1077
*May 10 08:11:14.774: ISAKMP: New peer created peer = 0x4938C7D8 peer_handle = 0x80000007
*May 10 08:11:14.774: ISAKMP: Locking peer struct 0x4938C7D8, refcount 1 for crypto_isakmp_process_block
*May 10 08:11:14.774: ISAKMP:(0):Setting client config settings 4866AC74
*May 10 08:11:14.774: ISAKMP:(0):(Re)Setting client xauth list and state
*May 10 08:11:14.774: ISAKMP/xauth: initializing AAA request
*May 10 08:11:14.778: ISAKMP: local port 500, remote port 1077
*May 10 08:11:14.778: ISAKMP:(0):insert sa successfully sa = 48E9FEC8
*May 10 08:11:14.778: ISAKMP:(0): processing SA payload. message ID = 0
*May 10 08:11:14.778: ISAKMP:(0): processing ID payload. message ID = 0
*May 10 08:11:14.778: ISAKMP (0): ID payload
 next-payload : 13
 type : 11
 group id : EZC
 proto R1(config-if)#col : 17
 port : 500
 length : 11
*May 10 08:11:14.778: ISAKMP:(0):: peer matches *none* of the profiles
*May 10 08:11:14.778: ISAKMP:(0): processing vendor id payload
*May 10 08:11:14.778: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*May 10 08:11:14.778: ISAKMP:(0): vendor ID is XAUTH
*May 10 08:11:14.778: ISAKMP:(0): processing vendor id payload
*May 10 08:11:14.778: ISAKMP:(0): vendor ID is DPD
*May 10 08:11:14.782: ISAKMP:(0): processing vendor id payload
*May 10 08:11:14.782: ISAKMP:(0): processing IKE frag vendor id payload
*May 10 08:11:14.782: ISAKMP:(0):Support for IKE Fragmentation not enabled
*May 10 08:11:14.782: ISAKMP:(0): processing vendor id payload
*May 10 08:11:14.782: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 10 08:11:14.782: ISAKMP:(0): vendor ID is NAT-T v2
*May 10 08:11:14.782: ISAKMP:(0): processing vendor id payload
*May 10 08:11:14.782: ISAKMP:(0): vendor ID is Unity
*May 10 08:11:14.782: ISAKMP:(0): Authentication by xauth preshared
*May 10 08:11:14.782: ISAKMP:(0):Checking ISAKMP transform 1 against priority 17 policy
*May 10 08:11:14.782: ISAKMP: encryption AES-CBC
*May 10 08:11:14.782: ISAKMP: hash SHA
*May 10 08:11:14.782: ISAKMP: default group 2
*May 10 08:11:14.782: ISAKMP: auth XAUTHInitPreShared
*May 10 08:11:14.782: ISAKMP: life type in seconds
*May 10 08:11:14.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 10 08:11:14.782: ISAKMP: keylength of 256
*May 10 08:11:14.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 10 08:11:14.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 10 08:11:14.782: ISAKMP:(0):Checking ISAKMP transform 2 against priority 17 policy
*May 10 08:11:14.782: ISAKMP: encryption AES-CBC
*May 10 08:11:14.782: ISAKMP: hash MD5
*May 10 08:11:14.782: ISAKMP: default group 2
*May 10 08:11:14.782: ISAKMP: auth XAUTHInitPreShared
*May 10 08:11:14.782: ISAKMP: life type in seconds
*May 10 08:11:14.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 10 08:11:14.782: ISAKMP: keylength of 256
*May 10 08:11:14.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 10 08:11:14.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 10 08:11:14.782: ISAKMP:(0):Checking ISAKMP transform 3 against priority 17 policy
*May 10 08:11:14.782: ISAKMP: encryption AES-CBC
*May 10 08:11:14.782: ISAKMP: hash SHA
*May 10 08:11:14.782: ISAKMP: default group 2
*May 10 08:11:14.782: ISAKMP: auth pre-share
*May 10 08:11:14.782: ISAKMP: life type in seconds
*May 10 08:11:14.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 10 08:11:14.782: ISAKMP: keylength of 256
*May 10 08:11:14.782: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 10 08:11:14.782: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 10 08:11:14.782: ISAKMP:(0):Checking ISAKMP transform 4 against priority 17 policy
*May 10 08:11:14.782: ISAKMP: encryption AES-CBC
*May 10 08:11:14.782: ISAKMP: hash MD5
*May 10 08:11:14.782: ISAKMP: default group 2
*May 10 08:11:14.782: ISAKMP: auth pre-share
*May 10 08:11:14.782: ISAKMP: life type in seconds
*May 10 08:11:14.782: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 10 08:11:14.786: ISAKMP: keylength of 256
*May 10 08:11:14.786: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 10 08:11:14.786: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 10 08:11:14.786: ISAKMP:(0):Checking ISAKMP transform 5 against priority 17 policy
*May 10 08:11:14.786: ISAKMP: encryption AES-CBC
*May 10 08:11:14.786: ISAKMP: hash SHA
*May 10 08:11:14.786: ISAKMP: default group 2
*May 10 08:11:14.786: ISAKMP: auth XAUTHInitPreShared
*May 10 08:11:14.786: ISAKMP: life type in seconds
*May 10 08:11:14.786: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 10 08:11:14.786: ISAKMP: keylength of 128
*May 10 08:11:14.786: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 10 08:11:14.786: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 10 08:11:14.786: ISAKMP:(0):Checking ISAKMP transform 6 against priority 17 policy
*May 10 08:11:14.786: ISAKMP: encryption AES-CBC
*May 10 08:11:14.786: ISAKMP: hash MD5
*May 10 08:11:14.786: ISAKMP: default group 2
*May 10 08:11:14.786: ISAKMP: auth XAUTHInitPreShared
*May 10 08:11:14.786: ISAKMP: life type in seconds
*May 10 08:11:14.786: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 10 08:11:14.786: ISAKMP: keylength of 128
*May 10 08:11:14.786: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 10 08:11:14.786: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 10 08:11:14.786: ISAKMP:(0):Checking ISAKMP transform 7 against priority 17 policy
*May 10 08:11:14.786: ISAKMP: encryption AES-CBC
*May 10 08:11:14.786: ISAKMP: hash SHA
*May 10 08:11:14.786: ISAKMP: default group 2
*May 10 08:11:14.786: ISAKMP: auth pre-share
*May 10 08:11:14.786: ISAKMP: life type in seconds
*May 10 08:11:14.786: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 10 08:11:14.786: ISAKMP: keylength of 128
*May 10 08:11:14.786: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 10 08:11:14.786: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 10 08:11:14.786: ISAKMP:(0):Checking ISAKMP transform 8 against priority 17 policy
*May 10 08:11:14.786: ISAKMP: encryption AES-CBC
*May 10 08:11:14.786: ISAKMP: hash MD5
*May 10 08:11:14.786: ISAKMP: default group 2
*May 10 08:11:14.786: ISAKMP: auth pre-share
*May 10 08:11:14.786: ISAKMP: life type in seconds
*May 10 08:11:14.786: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 10 08:11:14.786: ISAKMP: keylength of 128
*May 10 08:11:14.786: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 10 08:11:14.786: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 10 08:11:14.786: ISAKMP:(0):Checking ISAKMP transform 9 against priority 17 policy
*May 10 08:11:14.786: ISAKMP: encryption 3DES-CBC
*May 10 08:11:14.786: ISAKMP: hash SHA
*May 10 08:11:14.786: ISAKMP: default group 2
*May 10 08:11:14.786: ISAKMP: auth XAUTHInitPreShared
*May 10 08:11:14.786: ISAKMP: life type in seconds
*May 10 08:11:14.786: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 10 08:11:14.786: ISAKMP:(0):atts are acceptable. Next payload is 3
*May 10 08:11:14.786: ISAKMP:(0):Acceptable atts:actual life: 86400
*May 10 08:11:14.786: ISAKMP:(0):Acceptable atts:life: 0
*May 10 08:11:14.786: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 10 08:11:14.786: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*May 10 08:11:14.786: ISAKMP:(0):Returning Actual lifetime: 86400
*May 10 08:11:14.786: ISAKMP:(0)::Started lifetime timer: 86400.
*May 10 08:11:14.790: ISAKMP:(0): processing KE payload. message ID = 0
*May 10 08:11:14.838: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 10 08:11:14.838: ISAKMP:(0): vendor ID is NAT-T v2
*May 10 08:11:14.838: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*May 10 08:11:14.838: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
*May 10 08:11:14.842: ISAKMP:(1006): constructed NAT-T vendor-02 ID
*May 10 08:11:14.842: ISAKMP:(1006):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*May 10 08:11:14.842: ISAKMP (1006): ID payload
 next-payload : 10
 type : 1
 address : 10.22.22.1
 protocol : 0
 port : 0
 length : 12
*May 10 08:11:14.842: ISAKMP:(1006):Total payload length: 12
*May 10 08:11:14.842: ISAKMP:(1006): sending packet to 192.1.66.25 my_port 500 peer_port 1077 (R) AG_INIT_EXCH
*May 10 08:11:14.842: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*May 10 08:11:14.842: ISAKMP:(1006):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*May 10 08:11:14.842: ISAKMP:(1006):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
R1(config-if)#
R1(config-if)#
*May 10 08:11:24.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH...
*May 10 08:11:24.842: ISAKMP (1006): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 10 08:11:24.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH
*May 10 08:11:24.842: ISAKMP:(1006): sending packet to 192.1.66.25 my_port 500 peer_port 1077 (R) AG_INIT_EXCH
*May 10 08:11:24.842: ISAKMP:(1006):Sending an IKE IPv4 Packet.
R1(config-if)#
*May 10 08:11:34.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH...
*May 10 08:11:34.842: ISAKMP (1006): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*May 10 08:11:34.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH
*May 10 08:11:34.842: ISAKMP:(1006): sending packet to 192.1.66.25 my_port 500 peer_port 1077 (R) AG_INIT_EXCH
*May 10 08:11:34.842: ISAKMP:(1006):Sending an IKE IPv4 Packet.
R1(config-if)#
*May 10 08:11:44.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH...
*May 10 08:11:44.842: ISAKMP (1006): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*May 10 08:11:44.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH
*May 10 08:11:44.842: ISAKMP:(1006): sending packet to 192.1.66.25 my_port 500 peer_port 1077 (R) AG_INIT_EXCH
*May 10 08:11:44.842: ISAKMP:(1006):Sending an IKE IPv4 Packet.
R1(config-if)#
*May 10 08:11:54.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH...
*May 10 08:11:54.842: ISAKMP (1006): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*May 10 08:11:54.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH
*May 10 08:11:54.842: ISAKMP:(1006): sending packet to 192.1.66.25 my_port 500 peer_port 1077 (R) AG_INIT_EXCH
*May 10 08:11:54.842: ISAKMP:(1006):Sending an IKE IPv4 Packet.
R1(config-if)#
R1#
R1#
*May 10 08:12:04.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH...
*May 10 08:12:04.842: ISAKMP (1006): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*May 10 08:12:04.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH
*May 10 08:12:04.842: ISAKMP:(1006): sending packet to 192.1.66.25 my_port 500 peer_port 1077 (R) AG_INIT_EXCH
*May 10 08:12:04.842: ISAKMP:(1006):Sending an IKE IPv4 Packet.
R1#
*May 10 08:12:06.042: %SYS-5-CONFIG_I: Configured from console by console
R1#
*May 10 08:12:14.842: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH...
*May 10 08:12:14.842: ISAKMP:(1006):peer does not do paranoid keepalives.
*May 10 08:12:14.842: ISAKMP:(1006):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.66.25)
*May 10 08:12:14.842: ISAKMP:(1006):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.66.25)
*May 10 08:12:14.842: ISAKMP: Unlocking peer struct 0x4938C7D8 for isadb_mark_sa_deleted(), count 0
*May 10 08:12:14.842: ISAKMP: Deleting peer node by peer_reap for 192.1.66.25: 4938C7D8
*May 10 08:12:14.842: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
R1#
*May 10 08:12:14.842: ISAKMP:(1006):Old State = IKE_R_AM2 New State = IKE_DEST_SA
*May 10 08:12:14.846: IPSEC(key_engine): got a queue event with 1 KMI message(s)
R1#
*May 10 08:13:14.842: ISAKMP:(1006):purging SA., sa=48E9FEC8, delme=48E9FEC8
R1#

Could anyone please suggest where I am going wrong?

Regards
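A small parser for `debug crypto isakmp` traces like the one quoted in this thread, as an added example that is not part of the original messages: it reports which offered transform the responder accepted, why the others were rejected, the last IKE state reached, and how the SA ended. The function name `summarize`, its result keys, and the abridged sample lines are constructed for illustration.

```python
import re

# Constructed sample: a few lines abridged from the debug output quoted in the thread.
SAMPLE = """\
*May 10 08:11:14.778: ISAKMP:(0):: peer matches *none* of the profiles
*May 10 08:11:14.786: ISAKMP:(0):Checking ISAKMP transform 8 against priority 17 policy
*May 10 08:11:14.786: ISAKMP: encryption AES-CBC
*May 10 08:11:14.786: ISAKMP: hash MD5
*May 10 08:11:14.786: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 10 08:11:14.786: ISAKMP:(0):atts are not acceptable. Next payload is 3
*May 10 08:11:14.786: ISAKMP:(0):Checking ISAKMP transform 9 against priority 17 policy
*May 10 08:11:14.786: ISAKMP: encryption 3DES-CBC
*May 10 08:11:14.786: ISAKMP: hash SHA
*May 10 08:11:14.786: ISAKMP:(0):atts are acceptable. Next payload is 3
*May 10 08:11:14.842: ISAKMP:(1006):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
*May 10 08:11:24.842: ISAKMP (1006): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 10 08:11:34.842: ISAKMP (1006): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*May 10 08:12:14.842: ISAKMP:(1006):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 192.1.66.25)
"""

def summarize(trace):
    """Condense an ISAKMP debug trace into the facts needed to triage phase 1."""
    s = {"no_profile_match": False, "transforms": [], "accepted": None,
         "last_state": None, "retransmits": 0, "delete_reason": None}
    cur = None  # transform proposal currently being evaluated by the responder
    for line in trace.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+) against priority (\d+)", line):
            cur = {"id": int(m[1]), "policy": int(m[2]), "ok": None}
            s["transforms"].append(cur)
        elif cur and (m := re.search(r"ISAKMP:\s+(encryption|hash) (\S+)", line)):
            cur[m[1]] = m[2]                      # offered attribute value
        elif cur and (m := re.search(r"ISAKMP:\(\d+\):(.+ does not match policy)!", line)):
            cur["why"] = m[1]                     # responder's stated rejection reason
        elif cur and "atts are not acceptable" in line:
            cur["ok"] = False
        elif cur and "atts are acceptable" in line:
            cur["ok"], s["accepted"] = True, cur["id"]
        elif "matches *none* of the profiles" in line:
            s["no_profile_match"] = True
        elif m := re.search(r"New State = (\S+)", line):
            s["last_state"] = m[1]
        elif m := re.search(r"attempt (\d+) of \d+: retransmit", line):
            s["retransmits"] = max(s["retransmits"], int(m[1]))
        elif m := re.search(r'deleting SA reason "([^"]+)"', line):
            s["delete_reason"] = m[1]
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE))
```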
