easy vpn crypto-6-ikmp_mode_failure :processing of aggressive mode failed with peer

bonan.xu
Level 1

I have a problem setting up Easy VPN. Once the Easy VPN setup is done, it works fine for a couple of days. Then the VPN stops working, and when I try to use the VPN client to connect to the router, the router gets the message CRYPTO-6-IKMP_MODE_FAILURE: Processing of aggressive mode failed with peer at 192.168.0.76

I also tried reloading it; it works for 1-2 days, then it stops working again and shows me that message.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login USER local
!
aaa session-id common
!
resource policy
!
clock timezone utc -7
clock summer-time CDT recurring
no network-clock-participate wic 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.110
!

ip dhcp pool group
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.7 75.75.75.75 75.75.76.76
   lease 0 4
!
!
!
!
!
!
username test password 0 test
!
!
controller T1 0/2/0
 framing esf
 linecode b8zs
!
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN_POOL
!
crypto isakmp client configuration group group
 key group
 dns 192.168.0.7 75.75.75.75
 wins 192.168.0.7
 pool EZVPN_POOL
 acl 100
 netmask 255.255.255.0
crypto isakmp profile EZVPN_PROFILE
   match identity group group
   client authentication list USER
   isakmp authorization list GROUP
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_SET
 set isakmp-profile EZVPN_PROFILE
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 50.79.xx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE
!
ip local pool EZVPN_POOL 192.168.0.100 192.168.0.110
ip route 0.0.0.0 0.0.0.0 50.79.xx.xxx
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
disable-eadi

!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end


Martin Moran
Level 3

Hi @bonan.xu@caogro...,

The first thing is that you have to make sure that all the ISAKMP parameters match at both ends of the VPN. Maybe there is something that the peers are negotiating or creating by themselves.

I'll leave this link here; it may be useful:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46402-16b.html

HTH.

Rgrds,

Martin, IT Specialist
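
One way to carry out the parameter comparison suggested in the reply above, as an added example (not code from this thread or from Cisco): it parses `crypto isakmp policy` blocks from two IOS-style configurations and reports which parameters differ. The function names, the `DEFAULTS` table (assumed classic IOS defaults) and the peer configuration are assumptions made for illustration; lifetime is not compared.

```python
import re
# Assumed classic IOS defaults for parameters a policy block omits; they vary
# by release, so confirm with `show crypto isakmp policy` on the device.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_isakmp_policies(config):
    """Return {priority: {param: value}} for every `crypto isakmp policy N` block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue  # pasted configs often carry stray blank lines inside a block
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), dict(DEFAULTS))
        elif not raw[0].isspace():
            current = None  # any other unindented line ends the policy block
        elif current is not None:
            key, _, value = line.partition(" ")
            key = "encr" if key == "encryption" else key
            if key in DEFAULTS:
                current[key] = " ".join(value.split())
    return policies

def policy_diff(a, b):
    """Parameters on which two policies disagree, as {param: (a_value, b_value)}."""
    return {k: (a[k], b[k]) for k in DEFAULTS if a[k] != b[k]}

def matching_pairs(local, peer):
    """(local_priority, peer_priority) pairs that agree on all four parameters."""
    return [(lp, pp) for lp in sorted(local) for pp in sorted(peer)
            if not policy_diff(local[lp], peer[pp])]

# The policy as posted in the question, stray blank line and spacing included.
ROUTER = """crypto isakmp policy 1

 encr  aes
 hash md5
 authentication pre-share
 group 2
!
"""
# Constructed peer configuration, for illustration only.
PEER = "crypto isakmp policy 10\n encr aes\n hash sha\n authentication pre-share\n group 2\n"

if __name__ == "__main__":
    local, peer = parse_isakmp_policies(ROUTER), parse_isakmp_policies(PEER)
    print("matching pairs:", matching_pairs(local, peer))
    print("policy 1 vs 10:", policy_diff(local[1], peer[10]))
```

An empty list from `matching_pairs` means no policy on one side agrees with any policy on the other on all four compared parameters; `policy_diff` then names the parameters that differ.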
