local user authentication for remote vpn client users on pix

Discussion in 'Cisco' started by Bill F, Nov 1, 2004.

  1. Bill F

    Bill F Guest

    Here's what I think are the relevant cfg parts.


    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    ......
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set myset esp-des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap client authentication LOCAL
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup hulavpn address-pool ippool
    vpngroup hulavpn dns-server ns1-in
    vpngroup hulavpn wins-server ns1-in
    vpngroup hulavpn default-domain hulanetworks.com
    vpngroup hulavpn split-tunnel 80
    vpngroup hulavpn split-dns hulanetworks.com
    vpngroup hulavpn idle-time 1800
    vpngroup hulavpn password ********
    ......
    username ....
    #########################

    Here's the error I'm getting from a 4.x client. Peer Info Not Found.

    crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    OAK_AG exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts are not acceptable.
    crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x
    spt:500 dpt:500
    VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0

    ISAKMP: larval sa found
    crypto_isakmp_process_block:src:68.121.111.24, dest:69.224.21.130
    spt:500 dpt:500
    VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0

    ISAKMP: larval sa found
    crypto_isakmp_process_block:src:68.121.111.24, dest:69.224.21.130
    spt:500 dpt:500
    VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0
    Bill F, Nov 1, 2004
    #1

  2. In article <Alihd.18483$>,
    Bill F <> wrote:
    :Here's what I think is the relevant cfg parts.

    :aaa-server LOCAL protocol local

    :crypto ipsec transform-set myset esp-des esp-sha-hmac
    :crypto dynamic-map dynmap 10 set transform-set myset
    :crypto map mymap 10 ipsec-isakmp dynamic dynmap

    :crypto map mymap client authentication LOCAL

    :isakmp policy 10 encryption des
    :isakmp policy 10 hash sha
    :isakmp policy 10 group 2

    :Here's the error I'm getting from a 4.x client. Peer Info Not Found.

    :ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    :ISAKMP: encryption 3DES-CBC
    :ISAKMP: hash SHA
    :ISAKMP: default group 2
    :ISAKMP: extended auth pre-share (init)
    :ISAKMP: life type in seconds
    :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    :ISAKMP (0): atts are not acceptable.
    :crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    :VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0

    Notice that you never get an 'atts acceptable' message.
    The VPN client is not offering to allow a transform that the PIX
    has been configured to accept. The PIX only wants DES SHA-HMAC Group 2,
    and the VPN client isn't offering anything less than 3DES.

    Your problem is thus not to do with local authentication, but rather
    to do with the transforms.

    I would suggest that if you are not one of the State Department
    banned persons (the list of which is fairly small), and you are
    not working for one of the 6 or so banned countries (e.g., Cuba),
    then you apply for a free 3DES key for your PIX. For
    information on the process, please see

    https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgDisplay.jsp


    --
    This is not an idea.
    Walter Roberson, Nov 1, 2004
    #2

  3. Bill F

    Bill F Guest

    Thanks for the response. Yeah, I know we can get the 3DES license for
    free, but I was going to do that later. So, the 4.x client simply
    doesn't support single DES?

    Walter Roberson wrote:
    > In article <Alihd.18483$>,
    > Bill F <> wrote:
    > :Here's what I think is the relevant cfg parts.
    >
    > :aaa-server LOCAL protocol local
    >
    > :crypto ipsec transform-set myset esp-des esp-sha-hmac
    > :crypto dynamic-map dynmap 10 set transform-set myset
    > :crypto map mymap 10 ipsec-isakmp dynamic dynmap
    >
    > :crypto map mymap client authentication LOCAL
    >
    > :isakmp policy 10 encryption des
    > :isakmp policy 10 hash sha
    > :isakmp policy 10 group 2
    >
    > :Here's the error I'm getting from a 4.x client. Peer Info Not Found.
    >
    > :ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    > :ISAKMP: encryption 3DES-CBC
    > :ISAKMP: hash SHA
    > :ISAKMP: default group 2
    > :ISAKMP: extended auth pre-share (init)
    > :ISAKMP: life type in seconds
    > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > :ISAKMP (0): atts are not acceptable.
    > :crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    > :VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0
    >
    > Notice that you never get an 'atts acceptable' message.
    > The VPN client is not offering to allow a transform that the PIX
    > has been configured to accept. The PIX only wants DES SHA-HMAC Group 2,
    > and the VPN client isn't offering anything less than 3DES.
    >
    > Your problem is thus not to do with local authentication, but rather
    > to do with the transforms.
    >
    > I would suggest that if you are not one of the State Department
    > banned persons (the list of which is fairly small), and you are
    > not working for one of the 6 or so banned countries (e.g., Cuba),
    > then you apply for a free 3DES key for your PIX. For
    > information on the process, please see
    >
    > https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgDisplay.jsp
    >
    >
    Bill F, Nov 1, 2004
    #3
  4. In article <Oyjhd.18503$>,
    Bill F <> wrote:
    :Thanks for the response. Yeah, I know we can get the 3des license for
    :free, but, I was going to do that later. So, the 4.x client simply
    :doesn't support single des?

    The 4.x client does support single DES [according to the 4.0 release
    notes], but the PIX gives up after 10 proposals. There is no way
    to modify the number of proposals that PIX will pay attention to,
    and there is no way to alter the order or varieties of proposals
    the 4.0 client offers [with the exception that you can modify
    the default DH group away from 2.]
    --
    The image data is transmitted back to Earth at the speed of light
    and usually at 12 bits per pixel.
    Walter Roberson, Nov 1, 2004
    #4
  5. "Walter Roberson" <-cnrc.gc.ca> wrote:

    > The 4.x client does support single DES [according to
    > the 4.0 release notes]...


    Yes, it does, but the 3.5 client was the last to support
    DES + SHA combination. So in order to use DES you must
    switch to MD5.
    Jyri Korhonen, Nov 1, 2004
    #5
  6. Bill F

    Bill F Guest

    OK, 3DES is now enabled and configured, and still "atts not acceptable"??
    I'm curious about the extended auth pre-share. I'm attempting to
    authenticate users against the local database. Here's the config again:

    .....
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    .......

    sysopt connection permit-ipsec
    ......
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap client authentication LOCAL
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup hulavpn address-pool ippool
    vpngroup hulavpn dns-server ns1-in
    vpngroup hulavpn wins-server ns1-in
    vpngroup hulavpn default-domain hulanetworks.com
    vpngroup hulavpn split-tunnel 80
    vpngroup hulavpn split-dns hulanetworks.com
    vpngroup hulavpn idle-time 1800
    vpngroup hulavpn password ********



    crypto_isakmp_process_block:src:68.x.x.24, dest:69.x.x.130 spt:500 dpt:500
    OAK_AG exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts are acceptable.
    crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    ISAKMP: error, msg not encrypted
    crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    ISAKMP: error, msg not encrypted
    ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x

    ISADB: reaper checking SA 0x1120c84, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0


    Jyri Korhonen wrote:
    > "Walter Roberson" <-cnrc.gc.ca> wrote:
    >
    >> The 4.x client does support single DES [according to
    >> the 4.0 release notes]...

    >
    >
    > Yes, it does, but the 3.5 client was the last to support
    > DES + SHA combination. So in order to use DES you must
    > switch to MD5.
    >
    Bill F, Nov 2, 2004
    #6
  7. Bill F

    Bill F Guest

    On closer look, I see "atts are acceptable", and then a "msg not encrypted"
    error???

    ISAKMP (0): atts are acceptable.
    crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    ISAKMP: error, msg not encrypted
    crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    ISAKMP: error, msg not encrypted
    ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x

    ISADB: reaper checking SA 0x1120c84, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0

    Bill F wrote:
    > Ok 3des is now enabled and configured and still atts not acceptable??
    > I'm curious about the extended auth pre-share. I'm attempting to
    > authenticate users against the local database. Here's the config again
    >
    > ....
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server TACACS+ max-failed-attempts 3
    > aaa-server TACACS+ deadtime 10
    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS max-failed-attempts 3
    > aaa-server RADIUS deadtime 10
    > aaa-server LOCAL protocol local
    > aaa authentication ssh console LOCAL
    > aaa authorization command LOCAL
    > ......
    >
    > sysopt connection permit-ipsec
    > .....
    > crypto ipsec transform-set myset esp-3des esp-sha-hmac
    > crypto dynamic-map dynmap 10 set transform-set myset
    > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > crypto map mymap client configuration address initiate
    > crypto map mymap client configuration address respond
    > crypto map mymap client authentication LOCAL
    > crypto map mymap interface outside
    > isakmp enable outside
    > isakmp identity address
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption 3des
    > isakmp policy 10 hash sha
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    > vpngroup hulavpn address-pool ippool
    > vpngroup hulavpn dns-server ns1-in
    > vpngroup hulavpn wins-server ns1-in
    > vpngroup hulavpn default-domain hulanetworks.com
    > vpngroup hulavpn split-tunnel 80
    > vpngroup hulavpn split-dns hulanetworks.com
    > vpngroup hulavpn idle-time 1800
    > vpngroup hulavpn password ********
    >
    >
    >
    > crypto_isakmp_process_block:src:68.x.x.24, dest:69.x.x.130 spt:500 dpt:500
    > OAK_AG exchange
    > ISAKMP (0): processing SA payload. message ID = 0
    >
    > ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash SHA
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share (init)
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 256
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash MD5
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share (init)
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 256
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash SHA
    > ISAKMP: default group 2
    > ISAKMP: auth pre-share
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 256
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash MD5
    > ISAKMP: default group 2
    > ISAKMP: auth pre-share
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 256
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash SHA
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share (init)
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 128
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash MD5
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share (init)
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 128
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash SHA
    > ISAKMP: default group 2
    > ISAKMP: auth pre-share
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 128
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash MD5
    > ISAKMP: default group 2
    > ISAKMP: auth pre-share
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 128
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    > ISAKMP: encryption 3DES-CBC
    > ISAKMP: hash SHA
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share (init)
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP (0): atts are acceptable.
    > crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    > ISAKMP: error, msg not encrypted
    > crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    > ISAKMP: error, msg not encrypted
    > ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x
    >
    > ISADB: reaper checking SA 0x1120c84, conn_id = 0 DELETE IT!
    >
    > VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0
    >
    >
    > Jyri Korhonen wrote:
    >
    >> "Walter Roberson" <-cnrc.gc.ca> wrote:
    >>
    >>> The 4.x client does support single DES [according to
    >>> the 4.0 release notes]...

    >>
    >>
    >>
    >> Yes, it does, but the 3.5 client was the last to support
    >> DES + SHA combination. So in order to use DES you must
    >> switch to MD5.
    >>

    >
    Bill F, Nov 2, 2004
    #7
  8. Bill F

    Bill F Guest

    It's working now. Typo on the vpngroup command.

    Bill F wrote:
    > On closer look, I see atts are acceptable, and then a msg not encrypted
    > error???
    >
    > ISAKMP (0): atts are acceptable.
    > crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    > ISAKMP: error, msg not encrypted
    > crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
    > ISAKMP: error, msg not encrypted
    > ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x
    >
    > ISADB: reaper checking SA 0x1120c84, conn_id = 0 DELETE IT!
    >
    > VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0
    >
    > Bill F wrote:
    >
    >> Ok 3des is now enabled and configured and still atts not acceptable??
    >> I'm curious about the extended auth pre-share. I'm attempting to
    >> authenticate users against the local database. Here's the config again
    >>
    >> ....
    >> aaa-server TACACS+ protocol tacacs+
    >> aaa-server TACACS+ max-failed-attempts 3
    >> aaa-server TACACS+ deadtime 10
    >> aaa-server RADIUS protocol radius
    >> aaa-server RADIUS max-failed-attempts 3
    >> aaa-server RADIUS deadtime 10
    >> aaa-server LOCAL protocol local
    >> aaa authentication ssh console LOCAL
    >> aaa authorization command LOCAL
    >> ......
    >>
    >> sysopt connection permit-ipsec
    >> .....
    >> crypto ipsec transform-set myset esp-3des esp-sha-hmac
    >> crypto dynamic-map dynmap 10 set transform-set myset
    >> crypto map mymap 10 ipsec-isakmp dynamic dynmap
    >> crypto map mymap client configuration address initiate
    >> crypto map mymap client configuration address respond
    >> crypto map mymap client authentication LOCAL
    >> crypto map mymap interface outside
    >> isakmp enable outside
    >> isakmp identity address
    >> isakmp policy 10 authentication pre-share
    >> isakmp policy 10 encryption 3des
    >> isakmp policy 10 hash sha
    >> isakmp policy 10 group 2
    >> isakmp policy 10 lifetime 86400
    >> vpngroup hulavpn address-pool ippool
    >> vpngroup hulavpn dns-server ns1-in
    >> vpngroup hulavpn wins-server ns1-in
    >> vpngroup hulavpn default-domain hulanetworks.com
    >> vpngroup hulavpn split-tunnel 80
    >> vpngroup hulavpn split-dns hulanetworks.com
    >> vpngroup hulavpn idle-time 1800
    >> vpngroup hulavpn password ********
    >>
    >>
    >>
    >> crypto_isakmp_process_block:src:68.x.x.24, dest:69.x.x.130 spt:500
    >> dpt:500
    >> OAK_AG exchange
    >> ISAKMP (0): processing SA payload. message ID = 0
    >>
    >> ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    >> ISAKMP: encryption AES-CBC
    >> ISAKMP: hash SHA
    >> ISAKMP: default group 2
    >> ISAKMP: extended auth pre-share (init)
    >> ISAKMP: life type in seconds
    >> ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    >> ISAKMP: keylength of 256
    >> ISAKMP (0): atts are not acceptable. Next payload is 3
    >> ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    >> ISAKMP: encryption AES-CBC
    >> ISAKMP: hash MD5
    >> ISAKMP: default group 2
    >> ISAKMP: extended auth pre-share (init)
    >> ISAKMP: life type in seconds
    >> ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    >> ISAKMP: keylength of 256
    >> ISAKMP (0): atts are not acceptable. Next payload is 3
    >> ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    >> ISAKMP: encryption AES-CBC
    >> ISAKMP: hash SHA
    >> ISAKMP: default group 2
    >> ISAKMP: auth pre-share
    >> ISAKMP: life type in seconds
    >> ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    >> ISAKMP: keylength of 256
    >> ISAKMP (0): atts are not acceptable. Next payload is 3
    >> ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    >> ISAKMP: encryption AES-CBC
    >> ISAKMP: hash MD5
    >> ISAKMP: default group 2
    >> ISAKMP: auth pre-share
    >> ISAKMP: life type in seconds
    >> ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    >> ISAKMP: keylength of 256
    >> ISAKMP (0): atts are not acceptable. Next payload is 3
    >> ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
    >> ISAKMP: encryption AES-CBC
    >> ISAKMP: hash SHA
    >> ISAKMP: default group 2
    >> ISAKMP: extended auth pre-share (init)
    >> ISAKMP: life type in seconds
    >> ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    >> ISAKMP: keylength of 128
    >> ISAKMP (0): atts are not acceptable. Next payload is 3
    >> ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
    >> ISAKMP: encryption AES-CBC
    >> ISAKMP: hash MD5
    >> ISAKMP: default group 2
    >> ISAKMP: extended auth pre-share (init)
    >> ISAKMP: life type in seconds
    >> ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    >> ISAKMP: keylength of 128
    >> ISAKMP (0): atts are not acceptable. Next payload is 3
    >> ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
    >> ISAKMP: encryption AES-CBC
    >> ISAKMP: hash SHA
    >> ISAKMP: default group 2
    >> ISAKMP: auth pre-share
    >> ISAKMP: life type in seconds
    >> ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    >> ISAKMP: keylength of 128
    >> ISAKMP (0): atts are not acceptable. Next payload is 3
    >> ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
    >> ISAKMP: encryption AES-CBC
    >> ISAKMP: hash MD5
    >> ISAKMP: default group 2
    >> ISAKMP: auth pre-share
    >> ISAKMP: life type in seconds
    >> ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    >> ISAKMP: keylength of 128
    >> ISAKMP (0): atts are not acceptable. Next payload is 3
    >> ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    >> ISAKMP: encryption 3DES-CBC
    >> ISAKMP: hash SHA
    >> ISAKMP: default group 2
    >> ISAKMP: extended auth pre-share (init)
    >> ISAKMP: life type in seconds
    >> ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    >> ISAKMP (0): atts are acceptable.
    >> crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500
    >> dpt:500
    >> ISAKMP: error, msg not encrypted
    >> crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500
    >> dpt:500
    >> ISAKMP: error, msg not encrypted
    >> ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x
    >>
    >> ISADB: reaper checking SA 0x1120c84, conn_id = 0 DELETE IT!
    >>
    >> VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0
    >>
    >>
    >> Jyri Korhonen wrote:
    >>
    >>> "Walter Roberson" <-cnrc.gc.ca> wrote:
    >>>
    >>>> The 4.x client does support single DES [according to
    >>>> the 4.0 release notes]...
    >>>
    >>>
    >>>
    >>>
    >>> Yes, it does, but the 3.5 client was the last to support
    >>> DES + SHA combination. So in order to use DES you must
    >>> switch to MD5.
    >>>

    >>

    >
    Bill F, Nov 2, 2004
    #8
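    The thread turns on reading `debug crypto isakmp` output by hand: Walter Roberson's point that no client proposal ever produces "atts acceptable" against a DES/SHA/group 2 policy and that the PIX stops looking after 10 proposals, Jyri Korhonen's note that a 4.x client no longer offers DES with SHA, and the final trace where a proposal is accepted but the next message is rejected as "msg not encrypted" (resolved by a vpngroup typo). The following script is an added example, not code from the thread or from Cisco: it parses the per-transform blocks the PIX prints, lists which attributes of each proposal miss the configured `isakmp policy`, and classifies how far phase 1 got. The policy class, the field names, and the two abridged traces are constructed for the example (the peer address 192.0.2.10 is a documentation placeholder); the hints encode only what the replies above state.

```python
"""Triage helper for PIX `debug crypto isakmp` output (added example).

Parses the "Checking ISAKMP transform N" blocks the PIX logs for each
proposal the VPN client sends, reports which attributes miss the configured
`isakmp policy`, and classifies how far phase 1 got.  Not PIX or Cisco code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Per Walter Roberson's reply: the PIX stops examining proposals after 10.
MAX_PROPOSALS_CHECKED = 10


@dataclass(frozen=True)
class IsakmpPolicy:
    """One `isakmp policy <priority>` entry, values as typed on the PIX (constructed)."""
    priority: int
    encryption: str  # "des", "3des", "aes", "aes-192" or "aes-256"
    hash: str        # "sha" or "md5"
    group: int       # Diffie-Hellman group


@dataclass
class Proposal:
    """One transform offered by the client, as echoed in the debug output."""
    number: int
    encryption: str = ""
    hash: str = ""
    group: int = 0
    keylength: int = 0
    xauth: bool = False
    verdict: str = ""  # "acceptable" / "not acceptable", as the PIX reported it


_START = re.compile(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)")
_FIELDS = [
    ("encryption", re.compile(r"ISAKMP: encryption (\S+)"), str),
    ("hash", re.compile(r"ISAKMP: hash (\S+)"), str),
    ("group", re.compile(r"ISAKMP: default group (\d+)"), int),
    ("keylength", re.compile(r"ISAKMP: keylength of (\d+)"), int),
    ("verdict", re.compile(r"ISAKMP \(\d+\): atts are (not acceptable|acceptable)"), str),
]


def parse_debug(text: str) -> list[Proposal]:
    """Return the proposals in the order the PIX checked them."""
    proposals: list[Proposal] = []
    current: Proposal | None = None
    for raw in text.splitlines():
        line = raw.strip()
        start = _START.match(line)
        if start:
            current = Proposal(int(start.group(1)))
            proposals.append(current)
            continue
        if current is None:
            continue
        if line.startswith("ISAKMP: extended auth"):
            current.xauth = True  # client wants XAUTH on top of pre-shared auth
            continue
        for attr, pattern, conv in _FIELDS:
            m = pattern.match(line)
            if m:
                setattr(current, attr, conv(m.group(1)))
                break
    return proposals


def client_encryption(p: Proposal) -> str:
    """Map the debug spelling (AES-CBC + keylength, 3DES-CBC, DES-CBC) onto policy keywords."""
    enc = p.encryption.upper().replace("-CBC", "")
    if enc == "AES":
        return "aes" if p.keylength in (0, 128) else f"aes-{p.keylength}"
    return enc.lower()


def mismatch_reasons(p: Proposal, policy: IsakmpPolicy) -> list[str]:
    """Every attribute on which the proposal differs from the policy (empty list = match)."""
    reasons = []
    if client_encryption(p) != policy.encryption:
        reasons.append(f"encryption {client_encryption(p)} != policy {policy.encryption}")
    if p.hash.lower() != policy.hash:
        reasons.append(f"hash {p.hash.lower()} != policy {policy.hash}")
    if p.group != policy.group:
        reasons.append(f"group {p.group} != policy {policy.group}")
    return reasons


def classify(text: str, policy: IsakmpPolicy) -> dict:
    """Say which phase-1 stage the trace reached and what the thread suggests checking."""
    proposals = parse_debug(text)
    accepted = next((p for p in proposals if p.verdict == "acceptable"), None)
    result = {"proposals_seen": len(proposals), "accepted": None, "stage": "", "hint": ""}
    if accepted is None:
        result["stage"] = "no-acceptable-transform"
        hint = "no client proposal matches the isakmp policy; fix the transforms, not AAA."
        if policy.encryption == "des" and policy.hash == "sha":
            # Jyri Korhonen's point: 4.x clients no longer offer DES with SHA.
            hint += " DES+SHA is not offered by the 4.x client; use DES with MD5 or enable 3DES."
        if len(proposals) >= MAX_PROPOSALS_CHECKED:
            hint += f" The PIX stops after {MAX_PROPOSALS_CHECKED} proposals; later ones are never seen."
        result["hint"] = hint
    else:
        result["accepted"] = accepted.number
        if "msg not encrypted" in text:
            result["stage"] = "accepted-then-unencrypted-message"
            result["hint"] = ("transforms match; the following message was rejected as unencrypted. "
                              "In the thread this was a typo in the vpngroup configuration.")
        else:
            result["stage"] = "accepted"
    return result


# Constructed, abridged traces modelled on the ones posted in the thread.
TRACE_DES_POLICY = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP (0): atts are not acceptable.
VPN Peer:ISAKMP: Peer Info for 192.0.2.10/500 not found - peers:0
"""

# Same client, PIX now on 3DES: transform 9 is accepted, then the next message fails.
TRACE_3DES_POLICY = TRACE_DES_POLICY.replace(
    "ISAKMP: extended auth pre-share (init)\nISAKMP (0): atts are not acceptable.\n",
    "ISAKMP: extended auth pre-share (init)\nISAKMP (0): atts are acceptable.\n"
    "ISAKMP: error, msg not encrypted\n")

if __name__ == "__main__":
    for name, trace, pol in [("des/sha", TRACE_DES_POLICY, IsakmpPolicy(10, "des", "sha", 2)),
                             ("3des/sha", TRACE_3DES_POLICY, IsakmpPolicy(10, "3des", "sha", 2))]:
        print(name, classify(trace, pol))
        for p in parse_debug(trace):
            print(f"  transform {p.number}: {mismatch_reasons(p, pol) or 'match'}")
```

Run against a full capture, `classify` separates the two failure shapes the thread went through: with a DES/SHA policy every proposal is reported as mismatched on encryption (and the DES+SHA hint fires), while with 3DES the ninth proposal matches and the trace is classified by the "msg not encrypted" line rather than by transforms, which is the cue to stop looking at `isakmp policy` and recheck the group configuration.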
