Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
3035
Views
0
Helpful
9
Replies

vpn client

Go to solution
emilio1973
Level 1
Level 1

ā€Ž04-23-2010 05:55 AM

Mar  1 09:23:12.295: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 201.70.32.102

This is the config of router:

Router#sh run
Building configuration...

Current configuration : 1772 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
  hash md5
  authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
!
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
  set transform-set trans1
!
!
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
  ip address 201.70.32.101 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  no ip route-cache cef
  no ip route-cache
  no ip mroute-cache
  duplex auto
  speed auto
  crypto map intmap
!
interface Serial0/0
  no ip address
  shutdown
  no fair-queue
  clock rate 2000000
!
interface FastEthernet0/1
  ip address 10.2.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
!
interface Serial0/1
  no ip address
  shutdown
  clock rate 2000000
!
ip local pool ourpool 10.2.1.1 10.2.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 201.70.32.1
!
ip http server
no ip http secure-server
ip nat pool outsidepool 201.70.32.150 201.70.32.160 netmask 255.255.255.0
ip nat inside source route-map nonat pool outsidepool
!
access-list 101 deny   ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
  match ip address 101
!
!
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
  password ww
  login
!
!
end

In the vpn client fields "name" and "password", i don't be sure that what i must configure. Someone can help me?

Thanks

1 person had this problem
Labels:
Preview file
148 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

ā€Ž04-23-2010 06:02 AM

Your router has not been fully configured for VPN client access.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to emilio1973

ā€Ž04-27-2010 02:45 AM

The bug is fixed in version 12.4(23a), and yes, 15.1(M1) also has the bug fix.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

ā€Ž04-23-2010 06:02 AM

Your router has not been fully configured for VPN client access.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

0 Helpful

Go to solution
emilio1973
Level 1
Level 1
In response to Jennifer Halim

ā€Ž04-23-2010 12:08 PM

just what I needed. Thanks!!

0 Helpful

Go to solution
emilio1973
Level 1
Level 1
In response to emilio1973

ā€Ž04-26-2010 05:49 AM

Hi all,

Ok, the VPN connection works and obtain an IP address  in the pool but this message appears. Can someone explain it properly?.

*Mar  1 10:21:23.375: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2002 local=172.18.124.159 remote=172.18.124.160 spi=E3FAB83D seqno=00000100

Thanks

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to emilio1973

ā€Ž04-26-2010 06:00 AM

Seems to be just cosmetic bug as follows bugID: CSCsv43145:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv43145

0 Helpful

Go to solution
emilio1973
Level 1
Level 1
In response to Jennifer Halim

ā€Ž04-26-2010 06:30 AM

Oh,  sorry. I am not Registered Customers or partners  so that I can not prove it. Please explain what the  bug and if it can solve

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to emilio1973

ā€Ž04-26-2010 06:35 AM

What is the version of router? If it is in the affected version, then it is cosmetic only bug and does not have any functional impact.

You can upgrade the router to the version which is not impacted, however, it is cosmetic only as advised., so nothing to worry about (depending on the version of your router).

0 Helpful

Go to solution
emilio1973
Level 1
Level 1
In response to Jennifer Halim

ā€Ž04-27-2010 12:15 AM

Hi,

I'm doing tests with a 2691 Router and ā€œc2691-advsecurityk9-mz.124-23.binā€ IOS, but really I have to deploy it to a 2911 with ā€œc2900-universalk9-mz.SPA.150-1.M1.binā€ IOS.

Can you tell me if in the most current fix the bug?

Thanks

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to emilio1973

ā€Ž04-27-2010 02:45 AM

The bug is fixed in version 12.4(23a), and yes, 15.1(M1) also has the bug fix.

0 Helpful

Go to solution
emilio1973
Level 1
Level 1
In response to Jennifer Halim

ā€Ž04-27-2010 06:06 AM

Thanks!!!!!!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents