09-03-2014 05:19 PM - edited 03-04-2019 11:41 PM
I have a problem setting up Easy VPN. After I finish setting up the Easy VPN, it works fine for a couple of days. Then the VPN stops working, and when I try to use the VPN client to connect to the router, the router gets the message CRYPTO-6-IKMP_MODE_FAILURE : Processing of aggressive mode failed with peer at 192.168.0.76
I also tried reloading it; it works for 1-2 days, then stops working again and shows me that message.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login USER local
!
aaa session-id common
!
resource policy
!
clock timezone utc -7
clock summer-time CDT recurring
no network-clock-participate wic 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.110
!
ip dhcp pool group
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.7 75.75.75.75 75.75.76.76
 lease 0 4
!
!
!
!
!
!
username test password 0 test
!
!
controller T1 0/2/0
 framing esf
 linecode b8zs
!
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN_POOL
!
crypto isakmp client configuration group group
 key group
 dns 192.168.0.7 75.75.75.75
 wins 192.168.0.7
 pool EZVPN_POOL
 acl 100
 netmask 255.255.255.0
crypto isakmp profile EZVPN_PROFILE
 match identity group group
 client authentication list USER
 isakmp authorization list GROUP
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_SET
 set isakmp-profile EZVPN_PROFILE
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 50.79.xx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE
!
ip local pool EZVPN_POOL 192.168.0.100 192.168.0.110
ip route 0.0.0.0 0.0.0.0 50.79.xx.xxx
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
disable-eadi
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end
09-04-2014 05:35 AM
Hi @bonan.xu@caogro...,
The first thing is that you have to make sure that all the ISAKMP parameters match at both ends of the VPN. Maybe there is something that the peers are negotiating or creating by themselves.
I'll leave this link here; it may be useful:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46402-16b.html
HTH.
Rgrds,
Martin, IT Specialist
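
Added example (not part of either post, and not Cisco code): a Python sketch of the check suggested in the reply above, comparing the phase 1 parameters of each `crypto isakmp policy` block with what the other end proposes. Policy 1 is copied from the posted configuration; policy 10, the two peer proposals, and the default values used for unset parameters are assumptions made for illustration.

```python
import re

# Assumption: IOS 12.4 defaults for parameters a policy block leaves unset.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Constructed sample: policy 1 is copied from the posted config; policy 10 is
# made up to show how unset parameters fall back to the defaults above.
ROUTER_CONFIG = """\
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 authentication pre-share
!
"""

# Constructed peer proposals (hypothetical values, not taken from the thread).
PEER_MATCHING = {"encr": "aes", "hash": "md5", "authentication": "pre-share", "group": "2"}
PEER_SHA = dict(PEER_MATCHING, hash="sha")

def parse_isakmp_policies(config):
    """Return {priority: {param: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs whose indentation was lost
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
            continue
        if current is None:
            continue
        words = line.split()
        key = words[0] if words else ""
        key = "encr" if key == "encryption" else key
        if key in IOS_DEFAULTS and len(words) >= 2:
            current[key] = " ".join(words[1:])
        elif key != "lifetime":
            current = None  # any other command ends the policy block
    return policies

def mismatches(policy, proposal):
    """List (param, local, remote) for every parameter that differs."""
    return [(k, policy[k], proposal.get(k)) for k in IOS_DEFAULTS if policy[k] != proposal.get(k)]

def first_match(policies, proposal):
    """Priority of the first policy (lowest number first) equal to the proposal, else None."""
    return next((p for p in sorted(policies) if not mismatches(policies[p], proposal)), None)

if __name__ == "__main__":
    parsed = parse_isakmp_policies(ROUTER_CONFIG)
    for name, peer in (("matching", PEER_MATCHING), ("sha", PEER_SHA)):
        print(name, first_match(parsed, peer), mismatches(parsed[1], peer))
```

When `first_match` returns `None`, the output of `mismatches` for each policy shows which parameter to align on one side or the other.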