07-21-2019 05:18 AM - edited 07-21-2019 05:38 AM
Hi All and thanks for any clues or solutions.
First Issue
My VPN setup seems to work (connects fine to my iPhone and iPad) even with some issues in the log!! ?? Should I just ignore those??
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 77.241.128.136
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
%IP_VFR-7-FEATURE_DISABLE_IN: VFR(in) is manually disabled through CLI; VFR support for features that have internally enabled, will be made available only when VFR is enabled manually on interface Virtual-Access2
Can't figure out how to enable "Aggressive mode" in my setup
Can't figure out how to enable "VFR" manually - looks like it is enabled
R2911(config-if)#do show ip virtual-reassembly features
Virtual-Template1:
Virtual Fragment Reassembly (VFR) Current Status is ENABLED [in]
Features to use if VFR is Enabled::NAT
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile XXX-VPN-VTUNNEL-PROFILE
Second Question
Is my VPN setup the optimal way of connecting to my home base??
Should I keep this setup or go for something smarter ??
Any pros with Dynamic Maps versus Static Maps??
Here is the key stuff of my setup
crypto isakmp policy 150
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group XXX-VPN
key XXXXXX
dns 208.67.222.222 208.67.220.220
pool REMOTE-VPN-CLIENTS
crypto isakmp profile XXX-VPN-PROFILE
match identity group XXX-VPN
client authentication list userauthen
isakmp authorization list userauthen
client configuration address initiate
client configuration address respond
virtual-template 1
crypto ipsec transform-set XXX-VPN-1 esp-aes 256 esp-sha-hmac
crypto ipsec profile XXX-VPN-VTUNNEL-PROFILE
set security-association lifetime kilobytes disable
set security-association lifetime seconds 86400
set transform-set XXX-VPN-1
set isakmp-profile XXX-VPN-PROFILE
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile XXX-VPN-VTUNNEL-PROFILE
ip local pool REMOTE-VPN-CLIENTS 100.100.100.123 100.100.100.126
07-21-2019 11:01 AM
Hi,
If your VPN is working with Main Mode I wouldn't worry about the aggressive mode error, it's less secure than main mode anyway.
In regard to crypto maps, I wouldn't use either. Carry on using dVTI as you are doing. Cisco has considered crypto maps legacy for quite some time and VTIs are more scalable amongst other things.
You may want to consider FlexVPN which is a VTI VPN solution, this uses IKEv2 instead of ISAKMP which you are using. It is the latest VPN technology solution on Cisco Routers, Cisco Live presentation here.
Here is a FlexVPN Remote Access VPN example guide, which may be useful to you.
HTH
07-21-2019 12:06 PM
Hello,
On a side note, I think that since in remote access VPNs the clients usually initiate the connection, globally enabling aggressive mode on your IOS router should be sufficient, using the command below:
no crypto isakmp aggressive-mode disable
07-21-2019 12:47 PM
Hi - and thanks for taking your time to help ;-)
I tried to use your command - crypto isakmp aggressive-mode disable
That resulted in not being able to connect via VPN
So - no crypto isakmp aggressive-mode disable - and the connection is open again
Here is the log - it might shed some light for you
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
And I still have
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 77.241.140.161
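As an added example (not part of this thread and not Cisco tooling), here is a small Python triage script for the router syslog lines quoted in the original post and in the reply above. It separates the IKE phase-1 failure messages from the unrelated VFR, SSH and line-protocol noise, extracts the mode and peer address from each IKMP_MODE_FAILURE line, records the Virtual-Access up/down transitions, and sorts the failing peers by whether they fall inside address ranges you expect your own remote-access clients to come from. The sample log is the lines quoted in the thread plus one constructed "Main mode" line with a documentation address (192.0.2.10); the expected client range passed to triage() is an assumption to replace with your own carrier or ISP ranges. A peer that repeatedly fails aggressive mode from an address none of your clients use is worth knowing about before deciding whether to re-enable aggressive mode globally.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed sample input: the syslog lines quoted in this thread (peer addresses as
# posted), plus one constructed "Main mode" failure with documentation address
# 192.0.2.10 so that both IKEv1 phase-1 modes are exercised.
SAMPLE_LOG = """\
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 77.241.128.136
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
%IP_VFR-7-FEATURE_DISABLE_IN: VFR(in) is manually disabled through CLI; VFR support for features that have internally enabled, will be made available only when VFR is enabled manually on interface Virtual-Access2
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 77.241.140.161
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 192.0.2.10
"""

# IOS syslog message header: %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)"
)
# Body of the IKMP_MODE_FAILURE message as it appears in the thread.
MODE_FAIL_RE = re.compile(
    r"Processing of (?P<mode>\w+) mode failed with peer at (?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)
# Body of the LINEPROTO UPDOWN message.
UPDOWN_RE = re.compile(r"Interface (?P<ifname>\S+), changed state to (?P<state>up|down)")


@dataclass
class IkeFailure:
    mode: str   # "aggressive" or "main"
    peer: str   # IP address of the peer the router was negotiating with


def count_mnemonics(lines: Iterable[str]) -> Counter:
    """Count syslog mnemonics so unrelated noise (VFR, SSH) is separated from IKE."""
    counts: Counter = Counter()
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            counts[m.group("mnemonic")] += 1
    return counts


def parse_ike_failures(lines: Iterable[str]) -> List[IkeFailure]:
    """Extract phase-1 mode and peer address from every IKMP_MODE_FAILURE line."""
    failures: List[IkeFailure] = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m or m.group("mnemonic") != "IKMP_MODE_FAILURE":
            continue
        body = MODE_FAIL_RE.search(m.group("text"))
        if body:
            failures.append(IkeFailure(body.group("mode").lower(), body.group("peer")))
    return failures


def interface_transitions(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Record up/down transitions per interface; a Virtual-Access interface going
    down/up/down points at an established session, not at a stranger's failed IKE."""
    transitions: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m or m.group("mnemonic") != "UPDOWN":
            continue
        body = UPDOWN_RE.search(m.group("text"))
        if body:
            transitions[body.group("ifname")].append(body.group("state"))
    return dict(transitions)


def triage(lines: Iterable[str], expected_client_nets: Iterable[str]) -> Dict[str, Dict]:
    """Split IKE failures by mode and by whether the peer is inside the ranges the
    administrator expects their own clients to use. The ranges are an assumption
    supplied by the reader; the router itself has no such knowledge."""
    lines = list(lines)
    nets = [ip_network(n) for n in expected_client_nets]
    failures = parse_ike_failures(lines)
    by_mode: Counter = Counter(f.mode for f in failures)
    expected: Counter = Counter()
    unexpected: Counter = Counter()
    for f in failures:
        addr = ip_address(f.peer)
        bucket = expected if any(addr in n for n in nets) else unexpected
        bucket[f.peer] += 1
    return {
        "by_mode": dict(by_mode),
        "expected_peers": dict(expected),
        "unexpected_peers": dict(unexpected),
    }


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    print(count_mnemonics(sample))
    print(interface_transitions(sample))
    # Assumed client range for the demo; replace with your own carrier/ISP ranges.
    print(triage(sample, ["77.241.128.0/24"]))
```

Feed it `show logging` output (or the syslog export from your collector) instead of SAMPLE_LOG; the header regex is the standard IOS %FACILITY-SEVERITY-MNEMONIC form, so other messages are counted without being misparsed as IKE events.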