Hi
We are unable to get a client connection to a router. It is the property of a customer who had client VPNs working for some time. He then attempted to configure an L2L VPN and screwed the whole thing up. I am at a loss to see why the client does not work. The debug shows the router attempting every combination of SA available then failing on:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer > at x.x.x.x
Here is the config:
Building configuration...
Current configuration : 2613 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2801
!
boot-start-marker
boot system flash
boot-end-marker
!
enable password
!
aaa new-model
!
!
aaa authentication login telnet local
aaa authorization network Remote local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip domain name thames.priv
!
!
!
!
archive
 log config
  hidekeys
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 hash sha
!
crypto isakmp client configuration group RemoteAccess
 key key
 domain example.priv
 pool vpnusers
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map Client 20
 set transform-set ESP-3DES-SHA
!
!
crypto map Remote client authentication list local
crypto map Remote isakmp authorization list local
crypto map Remote client configuration address initiate
crypto map Remote 20 ipsec-isakmp dynamic Client
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
 crypto map Remote
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Async0/2/0
 no ip address
!
interface Async0/2/1
 no ip address
!
interface Async0/3/0
 no ip address
!
interface Async0/3/1
 no ip address
!
interface Dialer0
 description $FW_INSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
!
ip local pool vpnusers 10.0.0.1 10.0.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 login authentication local
line aux 0
line 0/2/0 0/2/1
 modem Dialin
 stopbits 1
 speed 115200
 flowcontrol hardware
line 0/3/0 0/3/1
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
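
Added example, not part of the original post: a consistency check for a configuration like the one above. It cross-references the AAA method list names used by the `crypto map ... client authentication list`, `crypto map ... isakmp authorization list` and `login authentication` commands against the lists actually defined with `aaa authentication login` and `aaa authorization network`. The `SAMPLE` excerpt is constructed from the posted lines, and the function name is illustrative.

```python
import re

# Constructed excerpt: the AAA, crypto map and console lines from the posted config.
SAMPLE = """\
aaa new-model
aaa authentication login telnet local
aaa authorization network Remote local
crypto map Remote client authentication list local
crypto map Remote isakmp authorization list local
crypto map Remote 20 ipsec-isakmp dynamic Client
line con 0
login authentication local
"""

# Commands that define a named AAA method list, and the list type they create.
DEFS = [
    (re.compile(r"^aaa authentication login (\S+)"), "authentication login"),
    (re.compile(r"^aaa authorization network (\S+)"), "authorization network"),
]
# Commands that reference a named list, and the list type the name must resolve to.
REFS = [
    (re.compile(r"^crypto map \S+ client authentication list (\S+)"), "authentication login"),
    (re.compile(r"^crypto map \S+ isakmp authorization list (\S+)"), "authorization network"),
    (re.compile(r"^login authentication (\S+)"), "authentication login"),
]

def undefined_aaa_refs(config: str):
    """Return (line_no, line, list_type, name) for each reference to an undefined AAA list."""
    lines = [l.strip() for l in config.splitlines()]
    defined = set()
    for line in lines:
        for rx, kind in DEFS:
            m = rx.match(line)
            if m:
                defined.add((kind, m.group(1)))
    findings = []
    for no, line in enumerate(lines, 1):
        for rx, kind in REFS:
            m = rx.match(line)
            # "default" is the built-in list name and needs no named definition.
            if m and m.group(1) != "default" and (kind, m.group(1)) not in defined:
                findings.append((no, line, kind, m.group(1)))
    return findings

if __name__ == "__main__":
    for no, line, kind, name in undefined_aaa_refs(SAMPLE):
        print(f"line {no}: '{line}' -> no 'aaa {kind} {name}' list defined")
```

In the excerpt, the trailing `local` on the two `aaa` lines is the method keyword, while the defined list names are `telnet` and `Remote`; the check flags every command that refers to a list named `local`.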