Errore 877W e Client VPN: NO_PROPOSAL_CHOSEN

[spadini]

Non so più da che parte farmi, in qualsiasi modo riconfiguri il router continuo ad avere questo errore sul client:

154 22:17:48.395 12/27/07 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.11, GW IP = 88.61.XXX.XXX, Remote IP = 0.0.0.0

155 22:17:48.395 12/27/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 88.61.XXX.XXX

156 22:17:49.407 12/27/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 88.61.XXX.XXX

157 22:17:49.407 12/27/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 88.61.XXX.XXX

158 22:17:49.407 12/27/07 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=E8D5A3E1

159 22:17:49.407 12/27/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=06BBED14D8FB2472 R_Cookie=0C91CE740C58438A) reason = DEL_REASON_IKE_NEG_FAILED


Vi mostro la mia ultima configurazione, dove cerco di attivare la connessione VPN. Col client arrivo alla richiesta della password, se inserisco quella giusta ottengo l'errore che vi ho esposto.

Codice: Seleziona tutto

Using 3916 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
!
hostname T-UnicaPrimoMaggio
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.3.1 192.168.3.99
!
ip dhcp pool interbusiness
   network 192.168.3.0 255.255.255.0
   domain-name interbusiness.it
   dns-server 151.99.125.1
   default-router 192.168.3.1
!
ip dhcp pool wi-fi
   network 192.168.100.0 255.255.255.0
   default-router 192.168.100.254
   dns-server 151.99.125.2 151.99.0.100
!
!
ip domain name interbusiness.it
ip name-server 151.99.125.2
!
!
!
username unica privilege 15 secret 5 $1$9RFXXXXXXXXXXXXXX
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group unica
 key unica
 pool SDM_POOL_1
 acl 151
 max-users 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address initiate
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface ATM0
 no ip address
 ip nat outside
 ip virtual-reassembly
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 88.PuntoAPunto 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/35
  oam-pvc manage
  oam retry 5 5 1
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
 encryption key 1 size 40bit 7 FFFFFFFFFFFFF transmit-key
 encryption mode wep mandatory
 !
 ssid UNICA
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 88.61.IP1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 10.10.20.1 10.10.20.10
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http authentication local
no ip http secure-server
ip nat pool interbusiness 88.61.IP2 88.61.107.250 netmask 255.255.255.248
ip nat pool wi-fi 88.61.107.251 88.61.IP3 netmask 255.255.255.248
ip nat inside source list 1 pool interbusiness overload
ip nat inside source list 2 pool wi-fi overload
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 151 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
no cdp run
!
!
control-plane
!
banner motd ^CC

TESTO
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 login local
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Avete suggerimenti per questo tipo di errore?

Grazie.

[andrewp]

Non matchano i parametri di quà e dillà...

[spadini]

Lo immaginavo anch'io, solo che di quà (cioè sul client VPN) non mi sembra si possa configurare nulla al riguardo, anzi, mi sembra che a parte gruppo utente e password non si possa configurare nulla sul client di Cisco, o mi sbaglio?

Di là mi pare una configurazione molto semplice. Avete se nò un esempio o una guida da indicarmi per scrivere una configurazione semplice semplice sul router?

Non matchano i parametri di quà e dillà...

[Wizard]

Cambia il transform-set. Prima prova con 3des - md5 poi, se non va neppure così prova con des - md5 e magari aggiorna anche il cisco vpn client