These lines are from a configuration file that will allow the current (4.x) Cisco VPN client to connect to the 501. They took me a couple of hours to derive – hopefully sharing this with other people will help save someone some time.<\/p>\n
The problem: You’ve got a cisco 501, and users using the Cisco VPN client. They can’t connect, and you don’t know why. If you turn on ipsec debugging with<\/p>\n
# logging on<\/p>\n
# debug crypto ipsec<\/p>\n
# debug crypto isakmp<\/p>\n
You get things like this:<\/p>\n
——–
\n
\nISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 encryption AES-CBC
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 hash SHA
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 default group 2
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 extended auth pre-share (init)
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life type in seconds
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life duration (VPI) of\u00a0 0x0 0x20 0xc4 0x9b
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 keylength of 256
\nISAKMP (0): atts are not acceptable. Next payload is 3
\nISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 encryption AES-CBC
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 hash MD5
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 default group 2
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 extended auth pre-share (init)
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life type in seconds
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life duration (VPI) of\u00a0 0x0 0x20 0xc4 0x9b
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 keylength of 256
\nISAKMP (0): atts are not acceptable. Next payload is 3
\nISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 encryption AES-CBC
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 hash SHA
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 default group 2
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 auth pre-share
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life type in seconds
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life duration (VPI) of\u00a0 0x0 0x20 0xc4 0x9b
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 keylength of 256
\nISAKMP (0): atts are not acceptable. Next payload is 3
\nISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 encryption AES-CBC
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 hash MD5
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 default group 2
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 auth pre-share
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life type in seconds
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life duration (VPI) of\u00a0 0x0 0x20 0xc4 0x9b
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 keylength of 256
\nISAKMP (0): Proposed key length does not match policy
\nISAKMP (0): atts are not acceptable. Next payload is 3
\nISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 encryption AES-CBC
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 hash SHA
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 default group 2
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 extended auth pre-share (init)
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life type in seconds
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life duration (VPI) of\u00a0 0x0 0x20 0xc4 0x9b
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 keylength of 128
\nISAKMP (0): atts are not acceptable. Next payload is 3
\nISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 encryption AES-CBC
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 hash MD5
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 default group 2
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 extended auth pre-share (init)
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life type in seconds
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life duration (VPI) of\u00a0 0x0 0x20 0xc4 0x9b
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 keylength of 128
\nISAKMP (0): atts are not acceptable. Next payload is 3
\nISAKMP (0): Checking ISAKMP transform 7 against priority 1 policy
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 encryption AES-CBC
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 hash SHA
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 default group 2
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 auth pre-share
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life type in seconds
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life duration (VPI) of\u00a0 0x0 0x20 0xc4 0x9b
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 keylength of 128
\nISAKMP (0): atts are not acceptable. Next payload is 3
\nISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 encryption AES-CBC
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 hash MD5
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 default group 2
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 auth pre-share
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life type in seconds
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life duration (VPI) of\u00a0 0x0 0x20 0xc4 0x9b
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 keylength of 128
\nISAKMP (0): atts are not acceptable. Next payload is 3
\nISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 encryption 3DES-CBC
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 hash SHA
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 default group 2
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 extended auth pre-share (init)
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life type in seconds
\nISAKMP:\u00a0\u00a0\u00a0\u00a0\u00a0 life duration (VPI) of\u00a0 0x0 0x20 0xc4 0x9b
\ncrypto_isakmp_process_block:src:10.101.1.61, dest:10.101.2.4 spt:500 dpt:500
\nVPN Peer:ISAKMP: Peer Info for 10.101.1.61\/500 not found – peers:0
\n<\/PRE>
\n————<\/p>\nThe solution: Try this<\/p>\n
\nsysopt connection permit-ipsec
\ncrypto ipsec transform-set default esp-3des esp-md5-hmac
\ncrypto dynamic-map dynmap 50 set transform-set default
\ncrypto map mymap 10 ipsec-isakmp dynamic dynmap
\ncrypto map mymap client configuration address initiate
\ncrypto map mymap interface outside
\nisakmp enable outside
\nisakmp identity address
\nisakmp policy 1 authentication pre-share
\nisakmp policy 1 encryption 3des
\nisakmp policy 1 hash md5
\nisakmp policy 1 group 1
\nisakmp policy 1 lifetime 86400
\nisakmp policy 2 authentication pre-share
\nisakmp policy 2 encryption 3des
\nisakmp policy 2 hash md5
\nisakmp policy 2 group 2
\nisakmp policy 3 authentication pre-share
\nisakmp policy 3 encryption 3des
\nisakmp policy 3 hash md5
\nisakmp policy 3 group 5
\nisakmp policy 3 lifetime 86400
\n<\/PRE><\/p>\n","protected":false},"excerpt":{"rendered":"These lines are from a configuration file that will allow the current (4.x) Cisco VPN client to connect to the 501. They took me a couple of hours to derive – hopefully sharing this with other people will help save someone some time. The problem: You’ve got a cisco 501, and users using the Cisco […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/posts\/2113"}],"collection":[{"href":"https:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/comments?post=2113"}],"version-history":[{"count":0,"href":"https:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/posts\/2113\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/media?parent=2113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/categories?post=2113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sheer.us\/weblogs\/wp-json\/wp\/v2\/tags?post=2113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}