tamz273 (Anon, @batelco.com.bh) to OVERKILL
Re: [Config] IPSec VPN with Cisco 877

Good news is the term mon output has changed; I no longer am getting a Xauth mismatch. Also, the client doesn't "disconnect". It keeps trying to connect until I cancel the connection. I've made the changes you proposed, but kept all the IPs previously assigned to VLAN1, as they are not assigned to VLAN100. I simply changed the vlan tag to 100 instead of 1.

Here is the new term mon output when I try to connect:
 
000921: *Jan 11 03:28:06.982 PCTime: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xx.xx has no SA and is not an initialization offer
000922: *Jan 11 03:28:09.106 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000923: *Jan 11 03:28:09.106 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000924: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000925: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000926: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000927: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000928: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000929: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000930: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000931: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000932: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000933: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000934: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000935: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000936: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000937: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000938: *Jan 11 03:29:09.166 PCTime: ISAKMP:(2004):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer xx.xx.xx.xx)
000939: *Jan 11 03:29:09.166 PCTime: ISAKMP:(2004):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer xx.xx.xx.xx)
000940: *Jan 11 03:31:01.536 PCTime: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xx.xx has no SA and is not an initialization offer
 
 

As for the sh ver, here it is:

AOSWan#sh ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 04-Mar-11 07:45 by prod_rel_team
 
ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
 
AOSWan uptime is 1 day, 20 hours, 6 minutes
System returned to ROM by reload at 07:15:42 PCTime Mon Jan 9 2012
System image file is "flash:c870-advsecurityk9-mz.124-24.T5.bin"
Last reload reason: Reload Command
 
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
 
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
 
If you require further assistance please contact us by sending email to
export@cisco.com.
 
Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FGL15242397
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
 
Configuration register is 0x2102
 
AOSWan#
 

I've attached the new config. Based on the output from the debug, it seems like the client is trying to connect with a different encryption algorithm? I'm not too sure what it's trying to connect using, but I was getting the same error when using AES vs 3des.

Thanks again for the help!

 
AOSWan#sh run
Building configuration...
 
Current configuration : 6340 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname AOSWan
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$Vbh9$wTX/PEcoYRcQZw9A8VILV.
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login AOSVPNGroup local
aaa authorization network AOSVPNGroup local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3217726297
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3217726297
 revocation-check none
 rsakeypair TP-self-signed-3217726297
!
!
crypto pki certificate chain TP-self-signed-3217726297
 certificate self-signed 01
        quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip bootp server
ip name-server 192.168.1.4
!
!
!
!
username admin privilege 15 secret 5 *********
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group AOS
 key *********************
 dns 192.168.1.4
 pool VPNPool
 acl 100
crypto isakmp profile AOS_isakmp_profile
   match identity group AOS
   client authentication list AOSVPNGroup
   isakmp authorization list AOSVPNGroup
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set AOS_encryption esp-3des esp-sha-hmac
!
crypto ipsec profile AOS_ipsec_profile
 set transform-set AOS_encryption
 set isakmp-profile AOS_isakmp_profile
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
 no ip address
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AOS_ipsec_profile
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan100
 description Uplink to AOSCore
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ***********
 ppp chap password 7 *****************
 ppp pap sent-username aylaint password 7 **************
!
ip local pool VPNPool 172.21.10.10 172.21.10.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 192.168.1.1
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.4 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.254 80 interface Dialer0 80
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.21.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
 
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
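An added triage helper, not from the original post or from Cisco, that parses IOS IKE phase-1 debug lines of the kind quoted above and reduces them to what a responder needs: how many client proposals were rejected, which attribute failed the policy check, which peers kept sending traffic with no SA, and how the half-open SA was torn down. The sample log is constructed from the quoted lines (peers redacted as xx.xx.xx.xx), and the regular expressions assume the message formats shown in that output.

```python
import re
from collections import Counter

# Constructed sample modelled on the "term mon" lines quoted in the post (peers redacted as xx.xx.xx.xx).
SAMPLE_LOG = """\
000921: *Jan 11 03:28:06.982 PCTime: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xx.xx has no SA and is not an initialization offer
000922: *Jan 11 03:28:09.106 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000923: *Jan 11 03:28:09.106 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000924: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000925: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000938: *Jan 11 03:29:09.166 PCTime: ISAKMP:(2004):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer xx.xx.xx.xx)
"""

ISAKMP_RE = re.compile(r"^ISAKMP:\((?P<sa>\d+)\):(?P<msg>.*)$")
NO_SA_RE = re.compile(r"%CRYPTO-4-IKMP_NO_SA: IKE message from (?P<peer>\S+)")
DELETE_RE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)" state \(\w\) (?P<state>\S+) \(peer (?P<peer>\S+)\)')

def triage_ike_log(text):
    """Summarise IOS IKE phase-1 debug output into counters a responder can act on."""
    s = {"rejected_proposals": 0, "mismatch_reasons": Counter(),
         "no_sa_peers": Counter(), "deleted_sas": []}
    for raw in text.splitlines():
        # Drop the sequence number and timestamp: "000922: *Jan 11 03:28:09.106 PCTime: <body>"
        body = raw.split(": ", 2)[-1]
        nosa = NO_SA_RE.search(body)
        if nosa:  # peer kept talking on an SA the router no longer has
            s["no_sa_peers"][nosa.group("peer")] += 1
            continue
        isa = ISAKMP_RE.match(body)
        msg = isa.group("msg") if isa else ""
        if msg.startswith("atts are not acceptable"):  # one line per rejected client proposal
            s["rejected_proposals"] += 1
        elif "does not match policy" in msg:  # which attribute failed the policy check
            s["mismatch_reasons"][msg.rstrip("!")] += 1
        else:
            d = DELETE_RE.search(msg)
            if d:
                s["deleted_sas"].append((int(isa.group("sa")), d.group("state"),
                                         d.group("reason"), d.group("peer")))
    return s

def phase1_verdict(s):
    """Heuristic: proposals rejected on an attribute plus a half-open SA dying by retransmission
    in AG_INIT_EXCH points at the ISAKMP policy, not at Xauth or the PSK (checked later)."""
    if s["rejected_proposals"] and s["deleted_sas"] and all(
            st == "AG_INIT_EXCH" and reason.startswith("Death by retransmission P1")
            for _, st, reason, _ in s["deleted_sas"]):
        return "phase1 policy mismatch: " + ", ".join(sorted(s["mismatch_reasons"]))
    return "undetermined"
```

Run against a full `debug crypto isakmp` capture, the `mismatch_reasons` counter tells you directly which attribute of `crypto isakmp policy` to compare against the client's proposal, so the policy can be aligned without loosening anything else.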

hodgeswalt (Member, joined 2012-03-13, Ankeny, IA)

I am curious. Have you had any luck with connecting successfully?

Regards,
--walt