«
»

Cisco 501 w/ VPN configuration file

These lines are from a configuration file that will allow the current (4.x) Cisco VPN client to connect to the 501. They took me a couple of hours to derive – hopefully sharing this with other people will help save someone some time.

The problem: You’ve got a cisco 501, and users using the Cisco VPN client. They can’t connect, and you don’t know why. If you turn on ipsec debugging with

# logging on

# debug crypto ipsec

# debug crypto isakmp

You get things like this:

——–



ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      hash SHA

ISAKMP:      default group 2

ISAKMP:      extended auth pre-share (init)

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b

ISAKMP:      keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      hash MD5

ISAKMP:      default group 2

ISAKMP:      extended auth pre-share (init)

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b

ISAKMP:      keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      hash SHA

ISAKMP:      default group 2

ISAKMP:      auth pre-share

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b

ISAKMP:      keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      hash MD5

ISAKMP:      default group 2

ISAKMP:      auth pre-share

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b

ISAKMP:      keylength of 256

ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      hash SHA

ISAKMP:      default group 2

ISAKMP:      extended auth pre-share (init)

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b

ISAKMP:      keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      hash MD5

ISAKMP:      default group 2

ISAKMP:      extended auth pre-share (init)

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b

ISAKMP:      keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 1 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      hash SHA

ISAKMP:      default group 2

ISAKMP:      auth pre-share

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b

ISAKMP:      keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      hash MD5

ISAKMP:      default group 2

ISAKMP:      auth pre-share

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b

ISAKMP:      keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy

ISAKMP:      encryption 3DES-CBC

ISAKMP:      hash SHA

ISAKMP:      default group 2

ISAKMP:      extended auth pre-share (init)

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b

crypto_isakmp_process_block:src:10.101.1.61, dest:10.101.2.4 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 10.101.1.61/500 not found – peers:0

————

The solution: Try this



sysopt connection permit-ipsec

crypto ipsec transform-set default esp-3des esp-md5-hmac

crypto dynamic-map dynmap 50 set transform-set default

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption 3des

isakmp policy 2 hash md5

isakmp policy 2 group 2

isakmp policy 3 authentication pre-share

isakmp policy 3 encryption 3des

isakmp policy 3 hash md5

isakmp policy 3 group 5

isakmp policy 3 lifetime 86400

This entry was posted on Saturday, June 20th, 2009 at 7:04 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply