ISAKMP not accepting atts

Status
Not open for further replies.

Jimtron26 (Programmer, GB), Nov 8, 2004
Hi all,

Related to a problem posted previously, I have reprogrammed a router's VPN settings, changing only the names of transform sets etc. Now our remote clients cannot connect:

Details as follows:

Old crypto configuration:

aaa authentication login userauthen local
aaa authorization network nclset local

crypto isakmp policy 20
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group <omitted>
key <omitted>
pool nclvpn
!
!
crypto ipsec transform-set nclset esp-des esp-md5-hmac
crypto ipsec transform-set nclvpn esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 1
set transform-set nclset
!
crypto map nclvpn client authentication list userauthen
crypto map nclvpn isakmp authorization list nclset
crypto map nclvpn client configuration address initiate
crypto map nclvpn client configuration address respond
crypto map nclvpn 20 ipsec-isakmp dynamic dynmap

interface Dialer1
description ADSL Internet Port
ip address <public IP address>
ip access-group 123 in
ip nat outside
encapsulation ppp
no ip route-cache same-interface
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <omitted>
ppp chap password <omitted>
crypto map nclvpn

ip local pool nclvpn 192.168.50.100 192.168.50.150

I changed this to the following:

aaa authentication login NCL_Authen local
aaa authorization network NCL_Author local

crypto isakmp client configuration group <omitted>
key <omitted>
pool VPN_IP_Pool
!
!
crypto ipsec transform-set NCL_Tran_Set esp-des esp-md5-hmac
!
crypto dynamic-map NCL_Dyn_Map 1
set transform-set NCL_Tran_Set
!
!
crypto map NCL_CMap client authentication list NCL_Authen
crypto map NCL_CMap isakmp authorization list NCL_Author
crypto map NCL_CMap client configuration address initiate
crypto map NCL_CMap client configuration address respond
crypto map NCL_CMap 20 ipsec-isakmp dynamic NCL_Dyn_Map

interface Dialer1
description ADSL Internet Port
ip address <public ip address>
ip access-group 123 in
ip nat outside
encapsulation ppp
no ip route-cache same-interface
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <omitted>
ppp chap password <omitted>
crypto map NCL_CMap

ip local pool VPN_IP_Pool 192.168.50.100 192.168.50.150

I have changed NONE of the incoming ACLs, NAT statements etc. The group authentication name under the ISAKMP configuration is the same, as is the pre-shared key entered by the clients. Below is part of a debug ISAKMP captured whilst a client is trying to connect:

Nov 17 10:08:51.714: ISAKMP:(0:1:HW:2):Checking ISAKMP transform 14 against priority 20 policy
Nov 17 10:08:51.714: ISAKMP: encryption DES-CBC
Nov 17 10:08:51.714: ISAKMP: hash MD5
Nov 17 10:08:51.714: ISAKMP: default group 2
Nov 17 10:08:51.714: ISAKMP: auth pre-share
Nov 17 10:08:51.714: ISAKMP: life type in seconds
Nov 17 10:08:51.714: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Nov 17 10:08:51.714: ISAKMP:(0:1:HW:2):preshared authentication offered but does not match policy!
Nov 17 10:08:51.714: ISAKMP:(0:1:HW:2):atts are not acceptable. Next payload is 0

Given that the settings for ISAKMP policy 20 (as per the config above) are as follows:
DES
MD5
Pre-share
DH group 2

Why is this not establishing an SA?

I have also reloaded the router and checked to make sure there are no residual configuration statements left over from when I reprogrammed it.

Any help is vastly appreciated. I need to get this working by close of play today.

Many many thanks

Jim :(
CCNA
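An added worked check, not part of the original post and not Cisco tooling: the quoted debug shows the router testing the client's transform against a priority 20 policy and rejecting it on authentication alone. IOS fills in a default for every line a `crypto isakmp policy` block does not set, and the default for authentication is rsa-sig (encryption des, hash sha, group 1, lifetime 86400), so a policy 20 that was re-entered without its `authentication pre-share` line reports exactly "preshared authentication offered but does not match policy"; `show crypto isakmp policy` prints the effective values, which is why the next reply asks for it. The script decodes the attributes the client proposed from the debug lines quoted above (including the VPI-encoded lifetime), expands a policy block with the IOS defaults and lists which attributes fail. The posted policy is used as-is; the second policy block, with the authentication line removed, is constructed for the comparison.

```python
import re

# IOS applies these when a 'crypto isakmp policy' block omits a line.
# Authentication defaults to rsa-sig, not pre-share.
IOS_POLICY_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": 86400,
}

# ISAKMP policy 20 exactly as it appears in the old (working) config above.
POLICY_AS_POSTED = """\
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
"""

# Constructed variant for the comparison: the same block with the
# 'authentication pre-share' line missing, so the IOS default applies.
POLICY_WITHOUT_AUTH_LINE = """\
crypto isakmp policy 20
 hash md5
 group 2
"""

# The 'debug crypto isakmp' lines quoted in the post.
DEBUG_LINES = """\
Nov 17 10:08:51.714: ISAKMP:(0:1:HW:2):Checking ISAKMP transform 14 against priority 20 policy
Nov 17 10:08:51.714: ISAKMP: encryption DES-CBC
Nov 17 10:08:51.714: ISAKMP: hash MD5
Nov 17 10:08:51.714: ISAKMP: default group 2
Nov 17 10:08:51.714: ISAKMP: auth pre-share
Nov 17 10:08:51.714: ISAKMP: life type in seconds
Nov 17 10:08:51.714: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
"""


def parse_policy(text):
    """Expand one 'crypto isakmp policy' block into the full attribute set."""
    policy = dict(IOS_POLICY_DEFAULTS)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "crypto":
            continue
        key, value = parts[0], " ".join(parts[1:]).lower()
        if key == "lifetime":
            policy["lifetime"] = int(value)
        elif key in policy:
            policy[key] = value
    return policy


def decode_vpi(hex_bytes):
    """'0x0 0x20 0xC4 0x9B' -> 0x0020C49B: big-endian variable-length integer."""
    value = 0
    for token in hex_bytes.split():
        value = (value << 8) | int(token, 16)
    return value


_DEBUG_PATTERNS = [
    ("encryption", re.compile(r"ISAKMP:\s+encryption (\S+)")),
    ("hash", re.compile(r"ISAKMP:\s+hash (\S+)")),
    ("group", re.compile(r"ISAKMP:\s+default group (\S+)")),
    ("authentication", re.compile(r"ISAKMP:\s+auth (\S+)")),
    ("lifetime", re.compile(r"life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)")),
]


def parse_proposal(debug_text):
    """Collect the attributes of one proposed transform from debug output."""
    proposal = {}
    for line in debug_text.splitlines():
        for key, pattern in _DEBUG_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1).strip()
            if key == "lifetime":
                proposal[key] = decode_vpi(value)
            elif key == "encryption":
                proposal[key] = value.lower().replace("-cbc", "")  # DES-CBC -> des
            else:
                proposal[key] = value.lower()
    return proposal


def mismatches(policy, proposal):
    """Attributes that stop the proposal matching the policy, as (name, offered, policy)."""
    # Lifetime is negotiated down to the shorter value rather than rejected,
    # so it is reported by parse_proposal but left out of this comparison.
    return [(k, proposal.get(k), policy[k])
            for k in ("encryption", "hash", "authentication", "group")
            if proposal.get(k) != policy[k]]


if __name__ == "__main__":
    proposal = parse_proposal(DEBUG_LINES)
    print("client proposed:", proposal)
    for name, text in (("as posted", POLICY_AS_POSTED),
                       ("without 'authentication pre-share'", POLICY_WITHOUT_AUTH_LINE)):
        bad = mismatches(parse_policy(text), proposal)
        print(f"policy 20 {name}: {'match' if not bad else bad}")
```

The lifetime bytes in the debug decode to 2147483 seconds, the value the Cisco VPN Client offers; the peers settle on the shorter of the two lifetimes, so it is not what produces "atts are not acceptable". The only attribute that can fail with the posted policy is authentication, and the variant without the `authentication pre-share` line fails on exactly that.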


 
That's odd. Do a sh crypto isakmp policy and post the output, on both routers. Or is the other side a computer?

I believe there are only 3 choices you can pick for authentication. As a last resort, you could make a 30 and a 40 and try rsa-encr and rsa-sig.

Sorry I can't help more - just an R&S guy!

 
Thanks Dan,

Got it sorted in the end, but had to reload a 2-week-old config so it has still defeated me! I suspect residual configuration in the router is stopping this from working despite reloads and the "clear crypto sa" command being run...

The connecting device is a PC running Cisco client...

The router I am working on is a 1721 and is in use as a LAN > Internet Firewall, IPSec VPN connection for sales and other remote workers, it also runs a DMZ for a hosted web server! This makes working on it particularly difficult as changes made impact upon other people doing their jobs!

I think a lab environment is in order here....

Thanks for your post, next time I try I will add the two new ISAKMP policies to it

Jim :)
CCNA
 
Post your old VPN config, and we'll look at it. There should be no "residual" config that I can think of, except perhaps if you didn't reload the router.
 
Hi Dan,

Config now running on the router (old config)



hostname NCLRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret <omitted>
!
username ryan password <omitted>
username mark password <omitted>
username jim password <omitted>
username sam password <omitted>
username james password <omitted>
username aaron password <omitted>
username dan password <omitted>
username chris password <omitted>
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network nclset local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
ip host switch 192.168.42.172
ip name-server <external dns-server>
ip name-server <external dns-server>
ip cef
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect name standard cuseeme
ip inspect name standard ftp
ip inspect name standard h323
ip inspect name standard rcmd
ip inspect name standard realaudio
ip inspect name standard smtp
ip inspect name standard sqlnet
ip inspect name standard streamworks
ip inspect name standard tcp
ip inspect name standard tftp
ip inspect name standard udp
ip inspect name standard vdolive
ip inspect name standard icmp
ip inspect name insp http urlfilter
ip urlfilter exclusive-domain deny
ip urlfilter exclusive-domain deny
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group <omitted>
key <omitted>
pool nclvpn
!
!
crypto ipsec transform-set nclset esp-des esp-md5-hmac
crypto ipsec transform-set nclvpn esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 1
set transform-set nclset
!
!
crypto map nclvpn client authentication list userauthen
crypto map nclvpn isakmp authorization list nclset
crypto map nclvpn client configuration address initiate
crypto map nclvpn client configuration address respond
crypto map nclvpn 20 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback1
ip address 192.168.51.1 255.255.255.0
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0/0
description LAN Port
ip address 192.168.42.1 255.255.255.0
no ip unreachables
ip nat inside
ip inspect standard in
ip policy route-map nonat
speed auto
full-duplex
!
interface Ethernet1/0
description DMZ Port
ip address 192.168.60.1 255.255.255.0
ip access-group 150 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect standard in
ip route-cache flow
ip policy route-map nonat
full-duplex
no cdp enable
!
interface Virtual-Template1
no ip address
!
interface Dialer1
description ADSL Internet Port
ip address <public ip address>
ip access-group 123 in
ip nat outside
encapsulation ppp
no ip route-cache same-interface
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <omitted>
ppp chap password <omitted>
crypto map nclvpn
!
ip local pool nclvpn 192.168.50.100 192.168.50.150
ip nat pool outsidepool <public ip address> <public ip address> netmask 255.255.255.0

Static NAT configured to forward incoming smtp traffic from the Internet to internal mail server
Static NAT configured to forward incoming http and ports 8080, 8081 and 8084 traffic from the Internet to DMZ server


ip nat inside source route-map rmap pool outsidepool overload


ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 192.168.42.50
ip route 10.56.48.0 255.255.255.0 Tunnel1
ip route 100.100.100.120 255.255.255.255 192.168.42.50
ip route 172.16.0.0 255.240.0.0 192.168.42.50
ip route 172.37.0.161 255.255.255.255 192.168.42.50
ip route 192.168.0.0 255.255.255.0 192.168.42.50
ip route 192.168.1.0 255.255.255.0 192.168.42.50
ip route 192.168.2.3 255.255.255.255 192.168.42.50
ip route 192.168.5.9 255.255.255.255 192.168.42.50
ip route 192.168.20.98 255.255.255.255 192.168.42.50
ip route 192.168.27.4 255.255.255.255 192.168.42.50
ip route 192.168.64.0 255.255.192.0 192.168.42.50
ip route 192.168.128.0 255.255.192.0 192.168.42.50
ip route 192.168.192.0 255.255.192.0 192.168.42.50
ip route 200.9.0.0 255.255.0.0 192.168.42.50
ip http server
ip http authentication local
no ip http secure-server
!
!
!
ip access-list extended Test
ip access-list extended test

access-list 102 deny ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 deny ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.42.0 0.0.0.255 any
access-list 102 permit ip 192.168.60.0 0.0.0.255 any
access-list 102 permit ip 192.168.80.0 0.0.0.255 any
access-list 102 permit ip 192.168.200.0 0.0.0.255 any

access-list 123 remark Firewall_ACL
access-list 123 permit tcp any any eq www
access-list 123 permit esp any any
access-list 123 permit udp any any eq isakmp
access-list 123 permit udp any any eq non500-isakmp
access-list 123 permit ip any 192.168.42.0 0.0.0.255
access-list 123 permit tcp any any eq smtp
access-list 123 permit icmp any any
access-list 123 permit ip any 192.168.60.0 0.0.0.255
access-list 123 permit tcp any any eq 1723
access-list 123 permit tcp any host <DMZ Server> eq 8080
access-list 123 permit tcp any host <DMZ Server> eq 8081
access-list 123 permit tcp any host <DMZ Server> eq 8084
access-list 123 permit udp any host <DMZ Server> range 49252 49284
access-list 123 permit gre any any
access-list 123 permit udp any any eq 47
access-list 123 permit tcp any any eq 47
access-list 123 deny ip 10.0.0.0 0.255.255.255 any
access-list 123 deny ip 172.16.0.0 0.15.255.255 any
access-list 123 deny ip 192.160.0.0 0.15.255.255 any
access-list 123 deny ip 127.0.0.0 0.255.255.255 any
access-list 123 deny ip host 0.0.0.0 any
access-list 123 deny ip host 255.255.255.255 any

access-list 140 permit ip 192.168.42.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 140 permit ip 192.168.51.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 140 permit ip 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 140 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255


access-list 141 permit ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 142 permit ip any any

access-list 150 remark DMZ ACL
access-list 150 permit tcp host <DMZ Server> 192.168.42.0 0.0.0.255 eq 1352
access-list 150 permit tcp any any eq 1533
access-list 150 permit tcp host <DMZ Server> host <LAN Server> eq 1503
access-list 150 permit tcp host <DMZ Server> host <LAN Server> eq 1516
access-list 150 permit tcp host <DMZ Server> host <LAN Server> eq 1503
access-list 150 permit tcp host <DMZ Server> host <LAN Server> eq 1516
access-list 150 deny ip 192.168.60.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 150 permit ip host <DMZ Server> any

dialer-list 1 protocol ip permit

snmp-server community <string> RW
snmp-server enable traps tty
!
route-map rmap permit 20
match ip address 102
!
route-map nonat permit 20
match ip address 141
set ip next-hop 192.168.51.2
!
!
control-plane
!
alias configure dsr do sh run
alias configure dsir show ip route
alias configure dsiib do sh ip int brief
alias configure dsal do sh access-lists
alias exec sr show run
alias exec sir sh ip ro
alias exec siib sh ip int brief
alias exec sal sh access-lists
alias exec crs copy run start
!
line con 0
password <omitted>
logging synchronous
line aux 0
line vty 0 4
privilege level 15
password <omitted>
transport input telnet ssh
line vty 5 15
privilege level 15
password <omitted>
transport input telnet ssh

Cheers!

Jim :o)
CCNA
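An added example on the firewall ACL in the config above, not part of the original post: IOS access lists are evaluated top down and the first matching entry wins, so the anti-spoofing `deny` lines at the end of access-list 123 only see packets that none of the earlier entries accepted. `permit ip any 192.168.42.0 0.0.0.255` and `permit ip any 192.168.60.0 0.0.0.255` sit above them, so a packet with a 10.0.0.0/8 source bound for the LAN is permitted before its deny is ever reached. The evaluator below parses the ACL lines quoted above (the four entries whose host is redacted as `<DMZ Server>` are left out) and walks constructed packets through the list in the posted order and again with the deny entries moved to the top. The packets and their addresses are made up for the example.

```python
import ipaddress

# Port names IOS accepts in the lines quoted above.
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "non500-isakmp": 4500}

# access-list 123 as posted, minus the entries with a redacted <DMZ Server> host.
ACL_123 = """\
access-list 123 remark Firewall_ACL
access-list 123 permit tcp any any eq www
access-list 123 permit esp any any
access-list 123 permit udp any any eq isakmp
access-list 123 permit udp any any eq non500-isakmp
access-list 123 permit ip any 192.168.42.0 0.0.0.255
access-list 123 permit tcp any any eq smtp
access-list 123 permit icmp any any
access-list 123 permit ip any 192.168.60.0 0.0.0.255
access-list 123 permit tcp any any eq 1723
access-list 123 permit gre any any
access-list 123 permit udp any any eq 47
access-list 123 permit tcp any any eq 47
access-list 123 deny ip 10.0.0.0 0.255.255.255 any
access-list 123 deny ip 172.16.0.0 0.15.255.255 any
access-list 123 deny ip 192.160.0.0 0.15.255.255 any
access-list 123 deny ip 127.0.0.0 0.255.255.255 any
access-list 123 deny ip host 0.0.0.0 any
access-list 123 deny ip host 255.255.255.255 any
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is the bitwise inverse of a netmask.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def parse_acl(text):
    """Parse numbered ACL lines into (text, action, proto, src_net, dst_net, port_range)."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        ports = None
        if rest and rest[0] == "eq":
            ports = (_port(rest[1]), _port(rest[1]))
        elif rest and rest[0] == "range":
            ports = (_port(rest[1]), _port(rest[2]))
        entries.append((line.strip(), action, proto, src, dst, ports))
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """First match wins, implicit deny at the end. Returns (action, matching line or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for text, action, eproto, esrc, edst, ports in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if s not in esrc or d not in edst:
            continue
        if ports and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return action, text
    return "deny", None


def denies_first(entries):
    """Reorder so the anti-spoofing deny entries are tested before any permit."""
    return [e for e in entries if e[1] == "deny"] + [e for e in entries if e[1] == "permit"]


if __name__ == "__main__":
    acl = parse_acl(ACL_123)
    # Constructed packets: a spoofed RFC 1918 source aimed at the LAN, a
    # legitimate IKE packet, and an unsolicited SSH attempt at the router.
    packets = [("tcp", "10.1.1.1", "192.168.42.10", 445),
               ("udp", "203.0.113.5", "198.51.100.1", 500),
               ("tcp", "203.0.113.5", "198.51.100.1", 22)]
    for pkt in packets:
        print(pkt, "posted order ->", evaluate(acl, *pkt))
        print(pkt, "denies first ->", evaluate(denies_first(acl), *pkt))
```

With the posted order the spoofed 10.1.1.1 packet is accepted by `permit ip any 192.168.42.0 0.0.0.255`; with the deny entries moved above the permits it is dropped by `deny ip 10.0.0.0 0.255.255.255 any`. One further thing the parser makes visible: wildcard `0.15.255.255` on `192.160.0.0` is a /12 (192.160.0.0 to 192.175.255.255), which is wider than the private 192.168.0.0/16 block and also covers public space on either side of it.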
 
It looks like you may not have changed your pool name correctly in the new example. Gotta run - bak l8r.
 
Nope, I'm wrong. I have no idea why it doesn't work - sorry to waste your time. It looks like it's set up correctly; it says preshared offered, and that is what you have.

Nov 17 10:08:51.714: ISAKMP:(0:1:HW:2):preshared authentication offered but does not match policy!

Keys not matching is a sanity check, so I doubt it's further along in the config than that. I would think you would get that error if the keys were wrong in some way. It's definitely a main mode problem, yet you have it set to pre-share. There are 3 options, but in the working example you have it set to pre-share. You can try changing them - that shouldn't work, but then again, pre-share should.

I don't get it - should work as far as I can see.
 