2911 VPN remote access - interface Virtual-Template type tunnel - static vs dynamic map ??

lars.arler
Level 1

Hi All and thanks for any clues or solutions.

 

First Issue 

My VPN setup seems to work (connects fine to my iPhone and iPad) even with some issues in the log!! Should I just ignore those??

 

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 77.241.128.136

%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down

%IP_VFR-7-FEATURE_DISABLE_IN: VFR(in) is manually disabled through CLI; VFR support for features that have internally enabled, will be made available only when VFR is enabled manually on interface Virtual-Access2

Can't figure out how to enable "Aggressive mode" in my setup.

Can't figure out how to enable "VFR" manually - looks like it is enabled:

R2911(config-if)#do show ip virtual-reassembly features
Virtual-Template1:
  Virtual Fragment Reassembly (VFR) Current Status is ENABLED [in]
  Features to use if VFR is Enabled::NAT 
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly in
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile XXX-VPN-VTUNNEL-PROFILE

 

Second Question

Is my VPN setup the optimal way of connecting to my home base??

Should I keep this setup or go for something smarter??

Any pros of Dynamic Maps versus Static Maps??

 

Here is the key stuff of my setup:

 

crypto isakmp policy 150
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group XXX-VPN
 key XXXXXX
 dns 208.67.222.222 208.67.220.220
 pool REMOTE-VPN-CLIENTS
crypto isakmp profile XXX-VPN-PROFILE
   match identity group XXX-VPN
   client authentication list userauthen
   isakmp authorization list userauthen
   client configuration address initiate
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set XXX-VPN-1 esp-aes 256 esp-sha-hmac 
crypto ipsec profile XXX-VPN-VTUNNEL-PROFILE
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 86400
 set transform-set XXX-VPN-1 
 set isakmp-profile XXX-VPN-PROFILE

 

 

interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly in
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile XXX-VPN-VTUNNEL-PROFILE
ip local pool REMOTE-VPN-CLIENTS 100.100.100.123 100.100.100.126

 

Accepted Solution

Hi,

If your VPN is working with Main Mode I wouldn't worry about the aggressive mode error, it's less secure than main mode anyway.

 

In regard to crypto maps, I wouldn't use either. Carry on using dVTI as you are doing. Cisco has considered crypto maps legacy for quite some time and VTIs are more scalable amongst other things.

 

You may want to consider FlexVPN which is a VTI VPN solution, this uses IKEv2 instead of ISAKMP which you are using. It is the latest VPN technology solution on Cisco Routers, Cisco Live presentation here.

 

Here is a FlexVPN Remote Access VPN example guide, which may be useful to you.


HTH


3 Replies

Hello,

 

on a side note, I think, since in remote access VPNs, the clients are usually initiating the connection, globally enabling aggressive mode on your IOS router should be sufficient, using the command below:

 

no crypto isakmp aggressive-mode disable

Hi - and thanks for taking your time to help ;-)

I tried to use your command - crypto isakmp aggressive-mode disable

That resulted in not being able to connect via VPN

So - no crypto isakmp aggressive-mode disable - and the connection is open again

 

Here is the log - it might shed some light for you:

%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled

 

And I still have 

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 77.241.140.161
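A small triage helper for the syslog lines quoted in this thread, added here as an example and not part of any poster's configuration or of Cisco IOS: it parses the %FACILITY-SEVERITY-MNEMONIC header, pulls the peer address out of IKMP_MODE_FAILURE messages, and counts aggressive-mode failures per peer alongside IKMP_AG_MODE_DISABLED rejections, so repeated failures from an address that is not one of your own clients stand out. The sample log is constructed from the lines on this page; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the syslog lines quoted in this thread, reordered,
# not a capture from the poster's router.
SAMPLE_LOG = """\
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 77.241.128.136
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 77.241.140.161
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 77.241.128.136
%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
"""

# IOS syslog header: %FACILITY-SEVERITY-MNEMONIC: message text
HEADER_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Peer address as it appears in IKMP_MODE_FAILURE messages
PEER_RE = re.compile(r"peer at (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Split one IOS syslog line into its fields; None if it is not a %-header line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    peer = PEER_RE.search(rec["text"])
    rec["peer"] = peer.group("ip") if peer else None
    return rec


def summarize_ike(log_text):
    """Return (aggressive-mode failures per peer IP, number of 'disabled' rejections)."""
    failures = Counter()
    disabled = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["facility"] != "CRYPTO":
            continue  # only ISAKMP/IPsec messages matter here
        if rec["mnemonic"] == "IKMP_MODE_FAILURE" and rec["peer"]:
            failures[rec["peer"]] += 1
        elif rec["mnemonic"] == "IKMP_AG_MODE_DISABLED":
            disabled += 1
    return failures, disabled


if __name__ == "__main__":
    per_peer, rejected = summarize_ike(SAMPLE_LOG)
    for ip, n in per_peer.most_common():
        print(f"{ip}: {n} aggressive-mode failure(s)")
    print(f"{rejected} attempt(s) refused because aggressive mode is disabled")
```

Feed it `show logging` output or a syslog collector's file for the router; a peer that keeps appearing while your own clients connect normally is the one to look into.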

 
