Encryption algorithm offered does not match policy!

Status
Not open for further replies.

burtsbees

Programmer
Jan 29, 2007
7,657
US
This is what I get when trying to connect to a new VPN I have configured. I have the same setup at home, and I VPN from work no prob with Cisco VPN Client 4.6. Here is some output from debug crypto isakmp...

TO_ADTRAN#deb cryp isakmp
Crypto ISAKMP debugging is on
TO_ADTRAN#term mon
TO_ADTRAN#
Jun 21 22:35:27.445: ISAKMP (0:0): received packet from x.x.x.x dport 500 sport 500 Global (N) NEW SA
Jun 21 22:35:27.445: ISAKMP: Created a peer struct for x.x.x.x, peer port 500
Jun 21 22:35:27.449: ISAKMP: New peer created peer = 0x83295F08 peer_handle = 0x80000013
Jun 21 22:35:27.449: ISAKMP: Locking peer struct 0x83295F08, IKE refcount 1 for crypto_isakmp_process_block
Jun 21 22:35:27.449: ISAKMP:(0:0:N/A:0):Setting client config settings 837BEA00
Jun 21 22:35:27.449: ISAKMP:(0:0:N/A:0):(Re)Setting client xauth list and state
Jun 21 22:35:27.449: ISAKMP/xauth: initializing AAA request
Jun 21 22:35:27.453: ISAKMP: local port 500, remote port 500
Jun 21 22:35:27.457: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8379F250
Jun 21 22:35:27.457: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jun 21 22:35:27.457: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
Jun 21 22:35:27.457: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : xxxxxxxxxxx
protocol : 17
port : 500
length : 18
Jun 21 22:35:27.461: ISAKMP:(0:0:N/A:0):: peer matches *none* of the profiles
Jun 21 22:35:27.461: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jun 21 22:35:27.461: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
Jun 21 22:35:27.461: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
Jun 21 22:35:27.461: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jun 21 22:35:27.461: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Jun 21 22:35:27.465: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jun 21 22:35:27.465: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Jun 21 22:35:27.465: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Jun 21 22:35:27.465: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jun 21 22:35:27.465: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
Jun 21 22:35:27.469: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jun 21 22:35:27.469: ISAKMP:(0:0:N/A:0): vendor ID is Unity
Jun 21 22:35:27.469: ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
Jun 21 22:35:27.469: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Jun 21 22:35:27.473: ISAKMP: encryption AES-CBC
Jun 21 22:35:27.473: ISAKMP: hash SHA
Jun 21 22:35:27.473: ISAKMP: default group 2
Jun 21 22:35:27.477: ISAKMP: auth XAUTHInitPreShared
Jun 21 22:35:27.477: ISAKMP: life type in seconds
Jun 21 22:35:27.477: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jun 21 22:35:27.481: ISAKMP: keylength of 256
Jun 21 22:35:27.481: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Jun 21 22:35:27.481: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 22:35:27.485: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 1 policy
Jun 21 22:35:27.485: ISAKMP: encryption AES-CBC
Jun 21 22:35:27.485: ISAKMP: hash MD5
Jun 21 22:35:27.485: ISAKMP: default group 2
Jun 21 22:35:27.485: ISAKMP: auth XAUTHInitPreShared
Jun 21 22:35:27.489: ISAKMP: life type in seconds
Jun 21 22:35:27.489: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jun 21 22:35:27.493: ISAKMP: keylength of 256
Jun 21 22:35:27.493: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Jun 21 22:35:27.493: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 22:35:27.497: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 1 policy
Jun 21 22:35:27.497: ISAKMP: encryption AES-CBC
Jun 21 22:35:27.497: ISAKMP: hash SHA
Jun 21 22:35:27.501: ISAKMP: default group 2
Jun 21 22:35:27.501: ISAKMP: auth pre-share
Jun 21 22:35:27.501: ISAKMP: life type in seconds
Jun 21 22:35:27.501: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jun 21 22:35:27.505: ISAKMP: keylength of 256
Jun 21 22:35:27.509: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Jun 21 22:35:27.509: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 22:35:27.509: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 1 policy
Jun 21 22:35:27.509: ISAKMP: encryption AES-CBC
Jun 21 22:35:27.509: ISAKMP: hash MD5
Jun 21 22:35:27.513: ISAKMP: default group 2
Jun 21 22:35:27.513: ISAKMP: auth pre-share
Jun 21 22:35:27.513: ISAKMP: life type in seconds
Jun 21 22:35:27.513: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jun 21 22:35:27.517: ISAKMP: keylength of 256
Jun 21 22:35:27.517: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Jun 21 22:35:27.521: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 22:35:27.521: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 1 policy
Jun 21 22:35:27.521: ISAKMP: encryption AES-CBC
Jun 21 22:35:27.525: ISAKMP: hash SHA
Jun 21 22:35:27.525: ISAKMP: default group 2
Jun 21 22:35:27.525: ISAKMP: auth XAUTHInitPreShared
Jun 21 22:35:27.525: ISAKMP: life type in seconds
Jun 21 22:35:27.529: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jun 21 22:35:27.533: ISAKMP: keylength of 128
Jun 21 22:35:27.533: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Jun 21 22:35:27.533: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 22:35:27.533: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 6 against priority 1 policy
Jun 21 22:35:27.537: ISAKMP: encryption AES-CBC
Jun 21 22:35:27.537: ISAKMP: hash MD5
Jun 21 22:35:27.537: ISAKMP: default group 2
Jun 21 22:35:27.537: ISAKMP: auth XAUTHInitPreShared
Jun 21 22:35:27.537: ISAKMP: life type in seconds
Jun 21 22:35:27.541: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jun 21 22:35:27.545: ISAKMP: keylength of 128
Jun 21 22:35:27.545: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Jun 21 22:35:27.545: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 22:35:27.545: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 7 against priority 1 policy
Jun 21 22:35:27.549: ISAKMP: encryption AES-CBC
Jun 21 22:35:27.549: ISAKMP: hash SHA
Jun 21 22:35:27.549: ISAKMP: default group 2
Jun 21 22:35:27.549: ISAKMP: auth pre-share
Jun 21 22:35:27.553: ISAKMP: life type in seconds
Jun 21 22:35:27.553: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jun 21 22:35:27.557: ISAKMP: keylength of 128
Jun 21 22:35:27.557: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Jun 21 22:35:27.557: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 22:35:27.561: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 8 against priority 1 policy
Jun 21 22:35:27.561: ISAKMP: encryption AES-CBC
Jun 21 22:35:27.561: ISAKMP: hash MD5
Jun 21 22:35:27.561: ISAKMP: default group 2
Jun 21 22:35:27.561: ISAKMP: auth pre-share
Jun 21 22:35:27.565: ISAKMP: life type in seconds
Jun 21 22:35:27.565: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jun 21 22:35:27.569: ISAKMP: keylength of 128
Jun 21 22:35:27.569: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Jun 21 22:35:27.573: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Jun 21 22:35:27.573: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against priority 1 policy
Jun 21 22:35:27.573: ISAKMP: encryption 3DES-CBC
Jun 21 22:35:27.573: ISAKMP: hash SHA
Jun 21 22:35:27.577: ISAKMP: default group 2
Jun 21 22:35:27.577: ISAKMP: auth XAUTHInitPreShared
Jun 21 22:35:27.577: ISAKMP: life type in seconds
Jun 21 22:35:27.581: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jun 21 22:35:27.581: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Jun 21 22:35:27.589: CryptoEngine0: generating alg parameter for connid 6
Jun 21 22:35:27.809: CRYPTO_ENGINE: Dh phase 1 status: 0
Jun 21 22:35:27.809: CRYPTO_ENGINE: Dh phase 1 status: OK
Jun 21 22:35:27.809: ISAKMP:(0:6:SW:1): processing KE payload. message ID = 0
Jun 21 22:35:27.809: CryptoEngine0: generating alg parameter for connid 0
Jun 21 22:35:28.089: ISAKMP:(0:6:SW:1): processing NONCE payload. message ID = 0
Jun 21 22:35:28.093: ISAKMP:(0:6:SW:1): vendor ID is NAT-T v2
Jun 21 22:35:28.093: ISAKMP (0:134217734): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
Jun 21 22:35:28.093: ISAKMP:(0:6:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Jun 21 22:35:28.093: ISAKMP:(0:6:SW:1):Old State = IKE_READY New State = IKE_READY

Here's the config...

TO_ADTRAN#sh run
Building configuration...

Current configuration : 3297 bytes
!
! Last configuration change at 15:08:47 CST Sat Jun 21 2008 by xxxxxxx
! NVRAM config last updated at 14:56:26 CST Sat Jun 21 2008 by xxxxxxxxx
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TO_ADTRAN
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
enable secret 5 $1$R74j$w2IZDh8wliaeazFltAvCZ.
enable password xxxxxxx
!
aaa new-model
!
!
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
!
aaa session-id common
!
resource policy
!
clock timezone cst -6
clock summer-time CST recurring
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip domain name sms.stl.com
ip host lan 192.168.2.2
ip name-server x.x.x.x
ip name-server x.x.x.x
!
no ftp-server write-enable
!
!
!
username xxxxxx privilege 15 password 0 xxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
no crypto isakmp ccm
!
crypto isakmp client configuration group xxxxxxxxxxx
key xxxxxxxxxxx
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map vpn_cmap_1 client authentication list sms_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list sms_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
!
!
interface FastEthernet0/0
description TO_ADTRAN
ip address x.x.x.x y.y.y.y
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn_cmap_1
!
interface Serial0/0
description TO_LAN
ip address 192.168.2.1 255.255.255.252
ip nat inside
ip virtual-reassembly
encapsulation ppp
no dce-terminal-timing-enable
!
interface Serial0/1
no ip address
shutdown
no dce-terminal-timing-enable
!
router eigrp 69
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
auto-summary
!
ip local pool vpn_pool_1 192.168.2.5 192.168.2.6
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.1.0 255.255.255.0 192.168.2.2
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.1.111 3389 interface FastEthernet0/0 3389
ip nat inside source route-map vpn_routemap_1 interface FastEthernet0/0 overload
!
access-list 101 deny ip any 192.168.2.4 0.0.0.3
access-list 101 permit ip 192.168.2.0 0.0.0.3 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map vpn_routemap_1 permit 1
match ip address 101
!
!
!
control-plane
!
!
!
banner motd ^C ___ _ ____ _ ___
/ \__/ \__/ \__/ \__/ \ Hey Rocky!
| _|@ @ __ | Watch me pull a hacker's IP
\________/ | | \________/ address out of my log files!
__/ _/
/) (o _/
\____/^C
!
line con 0
password xxxxxxxxx
logging synchronous
transport output all
line aux 0
line vty 0 4
password xxxxxxxxxxxx
transport input ssh
!
ntp clock-period 17179904
ntp server 64.113.32.5 source FastEthernet0/0
!
end

some show commands...

TO_ADTRAN#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
M - Continuous Channel Mode
psk - Preshared key, rsig - RSA signature
renc - RSA encryption

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
6 x.x.x.x y.y.y.y ACTIVE 3des sha 2 0
Connection-id:Engine-id = 6:1(software)
5 x.x.x.x y.y.y.y ACTIVE 3des sha 2 0
Connection-id:Engine-id = 5:1(software)
4 x.x.x.x y.y.y.y ACTIVE aes sha 2 0
Connection-id:Engine-id = 4:1(software)
3 x.x.x.x y.y.y.y ACTIVE 3des sha 2 0
Connection-id:Engine-id = 3:1(software)
2 x.x.x.x y.y.y.y ACTIVE 3des sha 2 0
Connection-id:Engine-id = 2:1(software)
1 x.x.x.x y.y.y.y ACTIVE 3des sha 2 0
Connection-id:Engine-id = 1:1(software)
TO_ADTRAN#show crypto ipsec sa



Any suggestions? The client is set with the default settings. Thanks.

Burt
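As an added example (not code from the thread or its author), the following replays the phase 1 proposal check that the debug output above shows: each "Checking ISAKMP transform N" block is parsed and compared against the router's policy 1, which explains why the eight AES offers are rejected and transform 9 (3DES/SHA/group 2) is the first one accepted. The sample log is a constructed excerpt of the thread's own debug lines.

```python
import re

# Router's phase 1 policy from the thread: encr 3des, authentication pre-share, group 2,
# no "hash" line (IOS default SHA). The debug shows an XAUTHInitPreShared offer being
# accepted against a pre-share policy, so both auth values count as a match here.
POLICY = {"encryption": "3DES-CBC", "hash": "SHA", "group": "2",
          "auth": {"pre-share", "XAUTHInitPreShared"}}

# Constructed excerpt of the thread's "debug crypto isakmp" output (transforms 1 and 9).
SAMPLE_DEBUG = """\
Jun 21 22:35:27.469: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Jun 21 22:35:27.473: ISAKMP: encryption AES-CBC
Jun 21 22:35:27.473: ISAKMP: hash SHA
Jun 21 22:35:27.473: ISAKMP: default group 2
Jun 21 22:35:27.477: ISAKMP: auth XAUTHInitPreShared
Jun 21 22:35:27.481: ISAKMP: keylength of 256
Jun 21 22:35:27.573: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against priority 1 policy
Jun 21 22:35:27.573: ISAKMP: encryption 3DES-CBC
Jun 21 22:35:27.573: ISAKMP: hash SHA
Jun 21 22:35:27.577: ISAKMP: default group 2
Jun 21 22:35:27.577: ISAKMP: auth XAUTHInitPreShared
"""

_START = re.compile(r"Checking ISAKMP transform (\d+) against priority \d+ policy")
_ATTR = re.compile(r"ISAKMP: (encryption|hash|default group|auth|keylength of) (\S+)")
_KEYS = {"default group": "group", "keylength of": "keylength"}

def parse_transforms(log):
    """Collect each transform's attribute lines under its 'Checking ... transform N' header."""
    transforms = []
    for line in log.splitlines():
        if m := _START.search(line):
            transforms.append({"num": int(m.group(1))})
        elif (m := _ATTR.search(line)) and transforms:
            transforms[-1][_KEYS.get(m.group(1), m.group(1))] = m.group(2)
    return transforms

def mismatches(t, policy=POLICY):
    """Policy attributes the transform fails, e.g. ['encryption'] for the AES offers."""
    bad = [k for k in ("encryption", "hash", "group") if t.get(k) != policy[k]]
    if t.get("auth") not in policy["auth"]:
        bad.append("auth")
    return bad

def first_acceptable(log, policy=POLICY):
    """Transform number the responder would accept, or None when every offer is rejected."""
    for t in parse_transforms(log):
        if not mismatches(t, policy):
            return t["num"]
    return None
```

Running first_acceptable on the full debug output gives 9, matching the "atts are acceptable" line; a policy with no 3DES entry would return None and the client would never get past phase 1.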
 
Bump...

It looks like IKE phase one completes, but I get a "remote server has stopped responding" in the client. This is going through a T1 and hosted VoIP on an MPLS backbone...could this be the problem? Thanks.

Burt
 
I would remove this ...

crypto map vpn_cmap_1 isakmp authorization list sms_vpn_group

and add this....


crypto map vpn_cmap_1 client configuration address initiate
 
Tried that...no dice. Thanks for the response though...

Burt
 
Must be blocked on the provider's MPLS network then...what do you think? I wanted opinions before I spend 3 hours on their help desk line with a 17 year old kid...

Burt
 
It certainly is possible. A lot of MPLS providers are "nice" enough to provide you with a managed firewall service that you are unaware of.
 
Figured it out...simple typo...

aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local

does not match the list names for the login parameters...

crypto map vpn_cmap_1 client authentication list sms_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list sms_vpn_group

I changed the aaa authentication and authorization names to sms_vpn_xauth and sms_vpn_group. Now it works, but I can't RDP into anything...I can ping, but not rdp. I'll work on it, maybe change the vpn pool and routing statements or something.

Burt
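The root cause above, a crypto map pointing at AAA method lists that were never defined, is the kind of mismatch a config lint can catch before a client ever dials in. As an added example (not from the thread or its author), this checks every "client authentication list" / "isakmp authorization list" reference against the aaa lines and applies the rename the poster used; the config excerpt is constructed from the thread's own lines.

```python
import re

# Constructed excerpt of the running config posted in the thread, before the fix:
# the crypto map references list names that no aaa command defines.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
crypto map vpn_cmap_1 client authentication list sms_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list sms_vpn_group
crypto map vpn_cmap_1 client configuration address respond
"""

_AAA = re.compile(r"^aaa (authentication login|authorization network) (\S+) ")
_MAP = re.compile(r"^crypto map (\S+) (client authentication|isakmp authorization) list (\S+)")
# Which kind of aaa method list each crypto map reference must resolve to.
_KIND_OF = {"client authentication": "authentication login",
            "isakmp authorization": "authorization network"}

def defined_lists(config):
    """Map each AAA method-list kind to the list names the config defines for it."""
    lists = {"authentication login": set(), "authorization network": set()}
    for line in config.splitlines():
        if m := _AAA.match(line.strip()):
            lists[m.group(1)].add(m.group(2))
    return lists

def dangling_references(config):
    """Crypto map list references with no matching aaa method list, as (map, kind, name)."""
    defined = defined_lists(config)
    bad = []
    for line in config.splitlines():
        if m := _MAP.match(line.strip()):
            cmap, ref_kind, name = m.groups()
            if name not in defined[_KIND_OF[ref_kind]]:
                bad.append((cmap, ref_kind, name))
    return bad

def fixed(config, renames):
    """Rename aaa method lists (old -> new) so the crypto map references resolve."""
    out = []
    for line in config.splitlines():
        if m := _AAA.match(line.strip()):
            old = m.group(2)
            line = line.replace(old, renames.get(old, old), 1)
        out.append(line)
    return "\n".join(out) + "\n"
```

With the broken config, dangling_references reports both list names; after renaming my_vpn_xauth and my_vpn_group to the names the crypto map expects, it reports nothing, which is the state in which XAUTH can actually run.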
 
Also figured out the RDP thing---I forgot I had a static NAT entry for RDP from the outside. Removed that, and all is well.

Burt
 