IOS Router Cisco VPN Client 4.8

Sep 26th, 2006

Hi

I always receive an error message (%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 213.180.170.230) when I try to connect with the VPN Client.

See the configuration on the Router:

Router#sh run
Building configuration...

Current configuration : 2164 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_USER local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
username delec password xxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_HEIDELBERG
 key smart700
 dns 192.168.10.100
 domain santhera.intra
 pool VPN_POOL
!
!
crypto ipsec transform-set 3DES esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
!
!
crypto map CLIENTMAP client authentication list VPN_USER
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic VPN_DYNAMIC
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 192.168.32.33 255.255.255.0
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CLIENTMAP
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool VPN_POOL 10.199.2.0 10.199.2.50
ip route 0.0.0.0 0.0.0.0 192.168.32.32
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.40.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 10.199.2.0 0.0.0.255 log
access-list 100 permit ip 192.168.40.0 0.0.0.255 any log
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password xxx
!
scheduler allocate 20000 1000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


I'm running IOS 12.4(6)T3 AdvSecurity

So what's wrong?

Regards

Peter

m-haddad Tue, 09/26/2006 - 07:31

Missing some configuration

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route

Where is the ACL to match? You need an ACL to match traffic and encrypt it. The ACL should include traffic from your LAN to the remote VPN pool subnet.


It should look like that:

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
 match address 104

access-list 104 remark Remote VPN Clients
access-list 104 permit ip 10.199.2.0 0.0.0.255 192.168.32.0 0.0.0.255


Another thing:


crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
 set isakmp-profile VPN_HEIDELBERG

You were missing the last line.


Please let me know if it works and rate if I could help,


Regards,



m-haddad Tue, 09/26/2006 - 07:32

By the way, you need a route-map with the NAT statement so that you don't NAT traffic between your LAN and the remote VPN client subnet. Therefore, the route-map should deny all traffic from your LAN to the remote VPN client subnet and permit anything else.


Regards,


m-haddad Tue, 09/26/2006 - 07:34

Sorry, some mistakes:

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route

Where is the ACL to match? You need an ACL to match traffic and encrypt it. The ACL should include traffic from your LAN to the remote VPN pool subnet.


It should look like that:

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
 match address 104

access-list 104 remark Remote VPN Clients
access-list 104 permit ip 10.199.2.0 0.0.0.255 192.168.40.0 0.0.0.255


Another thing:


crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
 set isakmp-profile VPN_HEIDELBERG



Regards,


m-haddad Tue, 09/26/2006 - 07:34

No need for the route-map; you already deny it using the ACL for the NAT.


Regards,


pwenger Tue, 09/26/2006 - 21:38

I found the mistake I made.

I forgot some aaa statements.

Although I thought that there is no need for authorization, you have to configure it.


Thanks anyway for all replies

Regards

Peter
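The three things this thread turns on (the crypto map applied to the outside interface must be wired to AAA lists that actually exist, the dynamic map it references must be defined, and the NAT ACL must deny LAN-to-pool traffic before its permit) can be checked mechanically against a saved `show running-config`. The linter below is an added example, not Cisco tooling or anything the posters ran. It assumes the standard one-space indentation of `show run` output, and it assumes that the aaa statements Peter added were `aaa authorization network <list> local` together with `crypto map <name> isakmp authorization list <list>` (the thread only says "some aaa statements", so that pairing is an assumption). The two config excerpts at the bottom are constructed, modelled on the posted configuration but trimmed to the lines the checks look at.

```python
import ipaddress
import re


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def parse_blocks(text):
    """Group the config into (command, [sub-commands]) using the one-space indent of 'show run'."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _operand(tokens):
    """Consume one ACL address operand -> (network, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def acl_action(entries, src, dst):
    """First-match evaluation of '<permit|deny> ip SRC DST' entries for one src/dst pair."""
    for entry in entries:
        t = entry.split()
        if t[1] != "ip":
            continue  # assumption: only plain 'ip' entries matter for the NAT exemption
        s_net, s_wc, rest = _operand(t[2:])
        d_net, d_wc, _ = _operand(rest)
        if (src & ~s_wc) == (s_net & ~s_wc) and (dst & ~d_wc) == (d_net & ~d_wc):
            return t[0]
    return "deny"  # implicit deny at the end of every IOS ACL


def lint(text):
    blocks = parse_blocks(text)
    tops = [head for head, _ in blocks]
    defined = lambda prefix: any(t.startswith(prefix) for t in tops)
    out = []
    # 1. every crypto map applied to an interface: AAA lists present and defined, dynamic map defined
    for head, kids in blocks:
        if not head.startswith("interface "):
            continue
        for kid in kids:
            m = re.fullmatch(r"crypto map (\S+)", kid)
            if not m:
                continue
            name = m.group(1)
            cm = [t for t in tops if t.startswith(f"crypto map {name} ")]
            for keyword, aaa in (("client authentication list", "aaa authentication login"),
                                 ("isakmp authorization list", "aaa authorization network")):
                lst = [t.split()[-1] for t in cm if f" {keyword} " in t]
                if not lst:
                    out.append(f"crypto map {name}: missing '{keyword}'")
                elif not defined(f"{aaa} {lst[0]} "):
                    out.append(f"crypto map {name}: '{aaa} {lst[0]}' not configured")
            for t in cm:
                dm = re.search(r"ipsec-isakmp dynamic (\S+)$", t)
                if dm and not defined(f"crypto dynamic-map {dm.group(1)} "):
                    out.append(f"crypto map {name}: dynamic map {dm.group(1)} not defined")
    # 2. the NAT ACL must deny LAN -> VPN pool before it permits LAN -> any
    pools = {t.split()[3]: _ip(t.split()[4]) for t in tops if t.startswith("ip local pool ")}
    lan = None
    for head, kids in blocks:
        if head.startswith("interface ") and "ip nat inside" in kids:
            lan = next((_ip(k.split()[2]) for k in kids if k.startswith("ip address ")), None)
    for t in tops:
        n = re.match(r"ip nat inside source list (\d+) ", t)
        if n and lan is not None:
            acl = [x.split(None, 2)[2] for x in tops
                   if x.startswith(f"access-list {n.group(1)} ") and x.split()[2] != "remark"]
            for pool, first in pools.items():
                if acl_action(acl, lan, first) != "deny":
                    out.append(f"NAT ACL {n.group(1)}: LAN -> pool {pool} traffic is translated, add a deny")
    return out


# Constructed excerpt modelled on the posted configuration, minus the authorization wiring
# and the pool exemption (not the poster's full config):
BROKEN = """\
aaa new-model
aaa authentication login VPN_USER local
crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
crypto map CLIENTMAP client authentication list VPN_USER
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic VPN_DYNAMIC
interface FastEthernet0/0
 ip address 192.168.32.33 255.255.255.0
 ip nat outside
 crypto map CLIENTMAP
interface FastEthernet0/1
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
ip local pool VPN_POOL 10.199.2.0 10.199.2.50
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.40.0 0.0.0.255 any log
"""
# Same excerpt with the (assumed) authorization statements and the NAT exemption added:
FIXED = (BROKEN
    .replace("aaa authentication login VPN_USER local\n",
             "aaa authentication login VPN_USER local\naaa authorization network VPN_USER local\n")
    .replace("crypto map CLIENTMAP client configuration",
             "crypto map CLIENTMAP isakmp authorization list VPN_USER\ncrypto map CLIENTMAP client configuration")
    .replace("access-list 100 permit",
             "access-list 100 deny ip 192.168.40.0 0.0.0.255 10.199.2.0 0.0.0.255\naccess-list 100 permit"))

if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, lint(cfg) or ["no findings"])
```

Run it against a real `show run` by reading the file into `lint()`; the NAT check walks the ACL in order the way the router does, so a `deny` placed after the `permit ip ... any` is correctly reported as ineffective.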
