IOS Router Cisco VPN Client 4.8

pwenger
Level 3

Hi

I always receive an error message (%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 213.180.170.230) when I try to connect with the VPN Client.

See the configuration on the Router:

Router#sh run
Building configuration...

Current configuration : 2164 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_USER local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
username delec password xxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!!
crypto isakmp client configuration group VPN_HEIDELBERG
 key smart700
 dns 192.168.10.100
 domain santhera.intra
 pool VPN_POOL
!
!
crypto ipsec transform-set 3DES esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
!
!
crypto map CLIENTMAP client authentication list VPN_USER
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic VPN_DYNAMIC
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 192.168.32.33 255.255.255.0
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CLIENTMAP
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool VPN_POOL 10.199.2.0 10.199.2.50
ip route 0.0.0.0 0.0.0.0 192.168.32.32
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.40.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 10.199.2.0 0.0.0.255 log
access-list 100 permit ip 192.168.40.0 0.0.0.255 any log
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password xxx
!
scheduler allocate 20000 1000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

I'm running IOS 12.4(6)T3 AdvSecurity

So what's wrong?

Regards

Peter

5 Replies

m-haddad
Level 5

Missing some configuration

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route

Where is the ACL to match? You need an ACL to match traffic and encrypt it. The ACL should include traffic from your LAN to the remote VPN pool subnet.

It should look like this:

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
 acl 104

access-list 104 remark Remote VPN Clients
access-list 104 permit ip 10.199.2.0 0.0.0.255 192.168.32.0 0.0.0.255

Another thing:

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
 set isakmp-profile VPN_HEIDELBERG

You were missing the last line.

Please let me know if it works and rate if I could help,

Regards,

By the way you need a route map with the nat statement so that you don't NAT traffic between your LAN and the remote VPN client subnet. Therefore, the route-map should deny all traffic from your LAN to remote VPN client subnet and permit anything else.

Regards,

Sorry, some mistakes:

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route

Where is the ACL to match? You need an ACL to match traffic and encrypt it. The ACL should include traffic from your LAN to the remote VPN pool subnet.

It should look like this:

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
 acl 104

access-list 104 remark Remote VPN Clients
access-list 104 permit ip 10.199.2.0 0.0.0.255 192.168.40.0 0.0.0.255

Another thing:

crypto dynamic-map VPN_DYNAMIC 10
 set transform-set 3DES
 reverse-route
 set isakmp-profile VPN_HEIDELBERG

Regards,

No need for the route-map; you already deny it using the ACL for the NAT.

Regards,

I found the mistake I made.

I forgot some aaa statements.

Although I thought that there is no need for authorization, you have to configure it.

Thanks anyway for all replies

Regards

Peter
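As an added example, not from the thread or from Cisco, here is a small Python check that reads a config excerpt like the one posted above and flags the omission the thread ends on: a crypto map that does Xauth (`client authentication list`) but has no `isakmp authorization list`, and so no `aaa authorization network` method to hand out the group's pool, DNS and key. The config excerpt is constructed from the posted `sh run`, and the two fix lines with the list name VPN_GROUP are assumptions in standard IOS EzVPN-server syntax.

```python
import re

# Constructed excerpt of the running config posted in the thread (only the
# AAA, client-group, crypto map and pool lines that matter for this check).
ORIGINAL_CONFIG = """
aaa new-model
aaa authentication login default local
aaa authentication login VPN_USER local
crypto isakmp client configuration group VPN_HEIDELBERG
 pool VPN_POOL
crypto map CLIENTMAP client authentication list VPN_USER
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic VPN_DYNAMIC
ip local pool VPN_POOL 10.199.2.0 10.199.2.50
"""

# The authorization statements the thread concludes were missing (assumed
# standard IOS syntax; the list name VPN_GROUP is a placeholder).
FIX = """
aaa authorization network VPN_GROUP local
crypto map CLIENTMAP isakmp authorization list VPN_GROUP
"""


def check_ezvpn_server(config: str) -> list[str]:
    """Return findings for crypto maps used as a remote-access (EzVPN) server."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # crypto maps that authenticate users with Xauth ...
    xauth_maps = {m.group(1) for l in lines
                  if (m := re.match(r"crypto map (\S+) client authentication list", l))}
    # ... the group-authorization list bound to each such map ...
    authz_lists = {m.group(1): m.group(2) for l in lines
                   if (m := re.match(r"crypto map (\S+) isakmp authorization list (\S+)", l))}
    # ... and the AAA lists able to push group attributes (pool, dns, key)
    aaa_network = {m.group(1) for l in lines
                   if (m := re.match(r"aaa authorization network (\S+)", l))}
    for cmap in sorted(xauth_maps):
        lst = authz_lists.get(cmap)
        if lst is None:
            findings.append(f"{cmap}: no 'isakmp authorization list', so group "
                            "attributes cannot be pushed to the client")
        elif lst not in aaa_network:
            findings.append(f"{cmap}: list {lst} has no "
                            f"'aaa authorization network {lst}' method")
    # a pool named by a client group must be defined with 'ip local pool'
    pools = {m.group(1) for l in lines if (m := re.match(r"ip local pool (\S+)", l))}
    for l in lines:
        if (m := re.match(r"pool (\S+)$", l)) and m.group(1) not in pools:
            findings.append(f"pool {m.group(1)} referenced but not defined")
    return findings
```

Run against the posted excerpt it reports the missing authorization list for CLIENTMAP; with the two fix lines appended it reports nothing.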
