求大神解救，数字证书认证的remote access VPN，证书认证通过，但是连接不上

patforever · 发表于 2015-1-5 11:09:44

拓扑图

R1的E0/0和C1连接，R1 E0/0 地址10.123.17.140。C1地址是10.123.17.8
我用GNS做的模拟测试，R1的IOS是3640，R1自己做CA，而且自己也作为一个client和自己CA证书认证，然后C1是自己的PC，在PC上用VPN client软件先进行CA认证。然后在R1上配置remote access VPN，C1通过选择证书方式连接。
现在情况是，R1和自身证书认证通过，C1和R1证书认证也通过，我在R1上配置完了VPN，但是C1上连接显示对端没反应，不知道是配置问题还是什么问题。
下面说下我做测试的情况吧。
首先，R1和C1都用我们内网的NTP服务器做时间同步，这也是做CA认证的第一步。

file:///C:\Users\pu\AppData\Roaming\Tencent\Users\564327591\QQ\WinTemp\RichOle\3ZAN)YQALZ_C2USBG9ED~_V.jpg

R1#show ntp status
Clock is synchronized, stratum 5, reference is 10.123.1.66

其次，在R1上起domain-nam和crypto key，和http server
R1(config)#ip domain-name cisco.com
R1(config)#crypto key generate rsa general-keys label testkey modulus 1024 ex
R1(config)#$generate rsa general-keys label testkey modulus 1024 exportable
The name for the keys will be: testkey

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]

R1(config)#ip http server

接着，就是做ca server
crypto pki server ca
database level names
database archive pem password cisco123
issuer-name CN=gz,OU=tt
grant auto

no sh

%Some server settings cannot be changed after CA certificate generation.
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.

因为设备节约，因此先自己和自己做CA认证，所以依然在R1上起trustpoint，然后和自己认证
crypto pki trustpoint test
enrollment mode ra
enrollment url http://10.123.17.140
password justtest
revocation-check none
rsakeypair testkey
auto-enroll 70

然后获取根证书
R1(config)#crypto pki authenticate test
Certificate has the following attributes:
   Fingerprint MD5: 6B21FA14 ACCD2C15 A6B98F37 456CC412
   Fingerprint SHA1: D35D2C62 B2C9F2AE 5F835F0F D21E4C7B B5BEC205

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

然后发布个人证书
R1(config)#crypto pki enroll test
%
% Start certificate enrollment ..

% The subject name in the certificate will include: R1.cisco.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate test verbose' command will show the fingerprint.

R1(config)#
Jan  5 02:40:51.256: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 447D2581 FD9F72F5 A1539FCF BD2E3CDD
Jan  5 02:40:51.256: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: F8664B9B F3135D24 29A91AFC DC52B37E FBC5CDEE
R1(config)#
Jan  5 02:40:53.652: %PKI-6-CERTRET: Certificate received from Certificate Authority
R1(config)#

此时R1已经和自己认证通过了，也获取到自己的签名证书。看状态已经授权了
R1#crypto pki server ca info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State    Fingerprint                   SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State    Fingerprint                   SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State    Fingerprint                   SubjectName
--------------------------------------------------------------
1    authorized 447D2581FD9F72F5A1539FCFBD2E3CDD hostname=R1.cisco.com

接着就是到在PC上用VPN client和R1做认证了
5W`I0J5@J}4A_RJRGHF1JOH.jpg

此时证书认证成功。在R1上看到授权情况正常
R1#crypto pki server ca info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State    Fingerprint                   SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State    Fingerprint                   SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State    Fingerprint                   SubjectName
--------------------------------------------------------------
2    authorized 328FCE7C527836860EE862DAA707A038 cn=justtest
1    authorized 447D2581FD9F72F5A1539FCFBD2E3CDD hostname=R1.cisco.com

接下来就开始在R1上做remote access VPN了
R1的总配置如下
R1#show run
Building configuration...

Current configuration : 5927 bytes
!
! Last configuration change at 10:59:40 BJ Mon Jan 5 2015
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco123
!
aaa new-model
!
!
aaa authentication login client local
aaa authorization network client local
!
aaa session-id common
memory-size iomem 5
clock timezone BJ 8
!
!
ip cef
no ip domain lookup
ip domain name cisco.com
!
!
!
!
!
crypto pki server ca
database level names
database archive pem password 7 070C285F4D06485744
issuer-name CN=gz,OU=tt
grant auto
!
crypto pki trustpoint ca
revocation-check crl
rsakeypair ca
!
crypto pki trustpoint test
enrollment url http://10.123.17.140:80
password 7 060C1A32585A0C0A11
revocation-check none
rsakeypair testkey
auto-enroll 70
!
!
crypto pki certificate chain ca
certificate ca 01
  3082020D 30820176 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  1A310B30 09060355 040B1302 7474310B 30090603 55040313 02677A30 1E170D31
  35303130 35303233 3233395A 170D3138 30313034 30323332 33395A30 1A310B30
  09060355 040B1302 7474310B 30090603 55040313 02677A30 819F300D 06092A86
  4886F70D 01010105 0003818D 00308189 02818100 D9B7C4CE 385050B0 0B3EE187
  B792628C D2FC5C1B 3E9CB587 6F109DAC AB983188 B1039014 11876F69 3746F712
  CF5B848C E6581975 BE9C42A3 9951E33C 54DB8520 00911773 EF9F541D 9D6FF9E0
  3A9ABB2A C77A8DED DA47239B 020F80B7 D82F58B0 048E4E0A 4FF84BEC 9D6FEF0E
  ABE4A474 7371D06C 750B8F51 7D876966 65536923 02030100 01A36330 61300F06
  03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F
  0603551D 23041830 168014F3 710105BC 71476856 079605BF 99A19048 84C62930
  1D060355 1D0E0416 0414F371 0105BC71 47685607 9605BF99 A1904884 C629300D
  06092A86 4886F70D 01010405 00038181 001F4AC2 C9C985AD ADC2BD3B 6823CA26
  F73FAF3C D8F5F65E AF17D4CC 276E8892 55423E2F BC92D6AB 62F44880 23CAD935
  1EB92B0B B60F68C1 633FED1E CF30DBD2 476A464A 312152EF 597E420A 0C0245C1
  4FAB2896 63A8B38F 809C9398 967B687F E6C91313 F6FEB0C6 53199FDD 5E07767E
  38638088 E91D102C 69540A7B 5E3A06B1 37
  quit
crypto pki certificate chain test
certificate 02
  308201FC 30820165 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
  1A310B30 09060355 040B1302 7474310B 30090603 55040313 02677A30 1E170D31
  35303130 35303234 3035325A 170D3136 30313035 30323430 35325A30 1D311B30
  1906092A 864886F7 0D010902 160C5231 2E636973 636F2E63 6F6D3081 9F300D06
  092A8648 86F70D01 01010500 03818D00 30818902 818100BB 02C178E2 E9D41C82
  3977C6E4 A39957D1 72215ABA A348BFFF 195587CF E05B56D3 6E5C1F3F 822344A7
  1080922F 966E4B30 B324AD7D 29C8E928 4BDD0661 0A896093 D457CE5E EC1B0D43
  85D55AD8 C9D2BF51 62BDE61C 0A5BE7E0 D803E8EA DED56539 9BD0AC8C 359041ED
  910003A2 296D7A0F CA22FF3F A7AF271A 55545B54 1C94E702 03010001 A34F304D
  300B0603 551D0F04 04030205 A0301F06 03551D23 04183016 8014F371 0105BC71
  47685607 9605BF99 A1904884 C629301D 0603551D 0E041604 148A2AA9 17DA58B5
  F3A6ED26 6A24C542 641402BF 4E300D06 092A8648 86F70D01 01040500 03818100
  534721E3 EF8EC504 B2C014F3 616DE8AA E9641CA0 699AD690 8D366BD9 DB5B964B
  621C4BE6 AEAD455B D94ABA52 C4669618 4D4A988A 7A40CA2A 68A043FF 74A15F64
  B6ED4F9A 7070DDE2 487A9C46 8F465391 84BB91ED 585241A0 439CB46D C739F70E
  CDC65212 5E0F1F3E 72578B3A 8048BC0C A89F4C95 E86073F0 28FB6880 8AB14FC3
  quit
certificate ca 01
  3082020D 30820176 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  1A310B30 09060355 040B1302 7474310B 30090603 55040313 02677A30 1E170D31
  35303130 35303233 3233395A 170D3138 30313034 30323332 33395A30 1A310B30
  09060355 040B1302 7474310B 30090603 55040313 02677A30 819F300D 06092A86
  4886F70D 01010105 0003818D 00308189 02818100 D9B7C4CE 385050B0 0B3EE187
  B792628C D2FC5C1B 3E9CB587 6F109DAC AB983188 B1039014 11876F69 3746F712
  CF5B848C E6581975 BE9C42A3 9951E33C 54DB8520 00911773 EF9F541D 9D6FF9E0
  3A9ABB2A C77A8DED DA47239B 020F80B7 D82F58B0 048E4E0A 4FF84BEC 9D6FEF0E
  ABE4A474 7371D06C 750B8F51 7D876966 65536923 02030100 01A36330 61300F06
  03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F
  0603551D 23041830 168014F3 710105BC 71476856 079605BF 99A19048 84C62930
  1D060355 1D0E0416 0414F371 0105BC71 47685607 9605BF99 A1904884 C629300D
  06092A86 4886F70D 01010405 00038181 001F4AC2 C9C985AD ADC2BD3B 6823CA26
  F73FAF3C D8F5F65E AF17D4CC 276E8892 55423E2F BC92D6AB 62F44880 23CAD935
  1EB92B0B B60F68C1 633FED1E CF30DBD2 476A464A 312152EF 597E420A 0C0245C1
  4FAB2896 63A8B38F 809C9398 967B687F E6C91313 F6FEB0C6 53199FDD 5E07767E
  38638088 E91D102C 69540A7B 5E3A06B1 37
  quit
!
!
!
!
!
!
!
!
!
!
!
username vpn password 0 cisco123
!
!
!
!
crypto isakmp policy 1
group 2
!
crypto isakmp client configuration group ttvpn
dns 10.1.1.5
wins 10.1.1.5
domain cisco.com
pool vpnpool
acl 101
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map vpnclient 10
set transform-set myset
!
!
crypto map vpn client authentication list client
crypto map vpn isakmp authorization list client
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic vpnclient
!
!
!
!
interface Ethernet0/0
ip address 10.123.17.140 255.255.255.0
full-duplex
crypto map vpn
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip local pool vpnpool 10.1.1.10 10.1.1.50
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.123.17.254
!
!
!
access-list 101 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
!
ntp clock-period 17179870
ntp source Ethernet0/0
ntp server 10.123.1.66
!
end

R1#

做完VPN，就在PC上做VPN连接了
CS~TAVY71U{U(5A~Q5LQ3IL.jpg

保存后连接，输入证书预设密码后，连接没反应，然后显示
VXFK}OP2D3QAPFXT{D0~9$Q.jpg

我在R1上debug信息如下
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
R1#
R1#
R1#
R1#
R1#
R1#
R1#
Jan  5 03:05:40.696: ISAKMP (0:0): received packet from 10.123.17.8 dport 500 sport 63585 Global (N) NEW SA
Jan  5 03:05:40.700: ISAKMP: Created a peer struct for 10.123.17.8, peer port 63585
Jan  5 03:05:40.704: ISAKMP: New peer created peer = 0x6507FADC peer_handle = 0x80000003
Jan  5 03:05:40.704: ISAKMP: Locking peer struct 0x6507FADC, IKE refcount 1 for crypto_isakmp_process_block
Jan  5 03:05:40.704: ISAKMP

0:0:N/A:0):Setting client config settings 6507FBA0
Jan 5 03:05:40.704: ISAKMP

0:0:N/A:0)

Re)Setting client xauth list  and state
Jan  5 03:05:40.708: ISAKMP/xauth: initializing AAA request
Jan  5 03:05:40.712: ISAKMP: local port 500, remote port 63585
Jan  5 03:05:40.712: insert sa successfully sa = 6507F0CC
Jan  5 03:05:40.716: ISAKMP

0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 5 03:05:40.716: ISAKMP

0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

Jan 5 03:05:40.720: ISAKMP

0:0:N/A:0): processing SA payload. message ID = 0
Jan 5
R1#03:05:40.720: ISAKMP

0:0:N/A:0): processing vendor id payload
Jan 5 03:05:40.720: ISAKMP

0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
Jan 5 03:05:40.724: ISAKMP

0:0:N/A:0): vendor ID is XAUTH
Jan 5 03:05:40.724: ISAKMP

0:0:N/A:0): processing vendor id payload
Jan 5 03:05:40.724: ISAKMP

0:0:N/A:0): vendor ID is DPD
Jan 5 03:05:40.724: ISAKMP

0:0:N/A:0): processing vendor id payload
Jan 5 03:05:40.728: ISAKMP

0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
Jan 5 03:05:40.728: ISAKMP

0:0:N/A:0): processing vendor id payload
Jan 5 03:05:40.728: ISAKMP

0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Jan 5 03:05:40.728: ISAKMP

0:0:N/A:0): vendor ID is NAT-T v2
Jan 5 03:05:40.732: ISAKMP

0:0:N/A:0): processing vendor id payload
Jan 5 03:05:40.732: ISAKMP

0:0:N/A:0): vendor ID is Unity
Jan 5 03:05:40.732: ISAKMP

0:0:N/A:0): Authentication by xauth preshared
Jan 5 03:05:40.732: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Jan  5 03:05:40.736: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.736: ISAKMP:    hash SHA
Jan  5 03:05:40.736: ISAKMP:    default group 5
Jan  5 03:05:40.736: ISAKMP:    auth XAUTHInitRSA
Jan  5 03:05:40.736: ISAKMP:    life type in seconds
Jan  5 03:05:40.736: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.740: ISAKMP:    keylength of 256
Jan  5 03:05:40.740: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.740: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.740: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 2 against priority 1 policy
Jan  5 03:05:40.744: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.744: ISAKMP:    hash MD5
Jan  5 03:05:40.744: ISAKMP:    default group 5
Jan  5 03:05:40.744: ISAKMP:    auth XAUTHInitRSA
Jan  5 03:05:40.744: ISAKMP:    life type in seconds
Jan  5 03:05:40.744: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.748: ISAKMP:    keylength of 256
Jan  5 03:05:40.748: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.748: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.752: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 3 against priority 1 policy
Jan  5 03:05:40.752: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.752: ISAKMP:    hash SHA
Jan  5 03:05:40.752: ISAKMP:    default group 5
Jan  5 03:05:40.752: ISAKMP:    auth RSA sig
Jan  5 03:05:40.752: ISAKMP:    life type in seconds
Jan  5 03:05:40.752: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.756: ISAKMP:    keylength of 256
Jan  5 03:05:40.756: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.756: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.760: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 4 against priority 1 policy
Jan  5 03:05:40.760: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.760: ISAKMP:    hash MD5
Jan  5 03:05:40.760: ISAKMP:    default group 5
Jan  5 03:05:40.760: ISAKMP:    auth RSA sig
Jan  5 03:05:40.760: ISAKMP:    life type in seconds
Jan  5 03:05:40.764: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.764: ISAKMP:    keylength of 256
Jan  5 03:05:40.764: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.764: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.768: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 5 against priority 1 policy
Jan  5 03:05:40.768: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.768: ISAKMP:    hash SHA
Jan  5 03:05:40.768: ISAKMP:    default group 2
Jan  5 03:05:40.768: ISAKMP:    auth XAUTHInitRSA
Jan  5 03:05:40.768: ISAKMP:    life type in seconds
Jan  5 03:05:40.768: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.768: ISAKMP:    keylength of 256
Jan  5 03:05:40.768: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.768: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.768: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 6 against priority 1 policy
Jan  5 03:05:40.768: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.768: ISAKMP:    hash MD5
Jan  5 03:05:40.768: ISAKMP:    default group 2
Jan  5 03:05:40.768: ISAKMP:    auth XAUTHInitRSA
Jan  5 03:05:40.768: ISAKMP:    life type in seconds
Jan  5 03:05:40.768: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.768: ISAKMP:    keylength of 256
Jan  5 03:05:40.768: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.768: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.768: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 7 against priority 1 policy
Jan  5 03:05:40.768: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.768: ISAKMP:    hash SHA
Jan  5 03:05:40.768: ISAKMP:    default group 2
Jan  5 03:05:40.768: ISAKMP:    auth RSA sig
Jan  5 03:05:40.768: ISAKMP:    life type in seconds
Jan  5 03:05:40.768: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.768: ISAKMP:    keylength of 256
Jan  5 03:05:40.768: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.768: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.772: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 8 against priority 1 policy
Jan  5 03:05:40.772: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.772: ISAKMP:    hash MD5
Jan  5 03:05:40.772: ISAKMP:    default group 2
Jan  5 03:05:40.772: ISAKMP:    auth RSA sig
Jan  5 03:05:40.772: ISAKMP:    life type in seconds
Jan  5 03:05:40.772: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.772: ISAKMP:    keylength of 256
Jan  5 03:05:40.772: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.772: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.772: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 9 against priority 1 policy
Jan  5 03:05:40.772: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.772: ISAKMP:    hash SHA
Jan  5 03:05:40.772: ISAKMP:    default group 5
Jan  5 03:05:40.772: ISAKMP:    auth XAUTHInitRSA
Jan  5 03:05:40.772: ISAKMP:    life type in seconds
Jan  5 03:05:40.772: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.772: ISAKMP:    keylength of 128
Jan  5 03:05:40.772: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.772: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.772: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 10 against priority 1 policy
Jan  5 03:05:40.772: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.772: ISAKMP:    hash MD5
Jan  5 03:05:40.772: ISAKMP:    default group 5
Jan  5 03:05:40.772: ISAKMP:    auth XAUTHInitRSA
Jan  5 03:05:40.772: ISAKMP:    life type in seconds
Jan  5 03:05:40.772: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.772: ISAKMP:    keylength of 128
Jan  5 03:05:40.772: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.772: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.772: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 11 against priority 1 policy
Jan  5 03:05:40.772: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.772: ISAKMP:    hash SHA
Jan  5 03:05:40.772: ISAKMP:    default group 5
Jan  5 03:05:40.772: ISAKMP:    auth RSA sig
Jan  5 03:05:40.772: ISAKMP:    life type in seconds
Jan  5 03:05:40.772: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.772: ISAKMP:    keylength of 128
Jan  5 03:05:40.772: ISAKMP

0:0:N/A:0):Encryption algorithm offered does not match policy!
Jan 5 03:05:40.772: ISAKMP

0:0:N/A:0):atts are not acceptable. Next payload is 3
Jan 5 03:05:40.772: ISAKMP

0:0:N/A:0):Checking ISAKMP transform 12 against priority 1 policy
Jan  5 03:05:40.772: ISAKMP:    encryption AES-CBC
Jan  5 03:05:40.772: ISAKMP:    hash MD5
Jan  5 03:05:40.772: ISAKMP:    default group 5
Jan  5 03:05:40.772: ISAKMP:    auth RSA sig
Jan  5 03:05:40.772: ISAKMP:    life type in seconds
Jan  5 03:05:40.772: ISAKMP:    life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan  5 03:05:40.776: ISAKMP:    keylength of 128
Jan  5 03:05:40.776: ISAKMP