4.0.2(B) VPN Client to 7204VXR 12.2(15)T9 VPN issue

jason.fletcher
Level 1

Good day, I have an issue that I am hoping someone has encountered and can provide me some advice on. This message is kinda long. I am fairly new to VPNs and am being forced to learn this as I go. First off, we have a 7204VXR router running 12.2(15)T9 in place and it currently has a public IP interface that we are using for a LAN-to-LAN VPN for a client. The goal is to use the same interface to allow VPN remote client connectivity and be able to authenticate with our TACACS+ server. I THOUGHT I had this figured out, but obviously not. The issue is that when I try to connect from the client I get the following log messages every time:

(date time stamp) Sev=Warning/2 IKE/0xE3000099 Invalid SPI size (PayloadNotify:116)

(date time stamp) Sev=Warning/3 IKE/0xA3000058 Received malformed message or negotation no longer active (message id:0x00000000)

On the router, I receive the following log output:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 68.13.120.120

My understanding here is that IKE Phase I is not even completing properly. Here are the relevant parts of my router config:

aaa new-model
aaa group server tacacs+ IPR_TACACS
 server 172.16.2.20
aaa authentication login default group IPR_TACACS enable
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key A5fJ89L#d$d2FFk address X.X.X.X
crypto isakmp client configuration address-pool local iprpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group IPR-VPN
 key IPRTEST
 dns 172.16.2.57 172.16.2.20
 wins 172.16.2.57 172.16.2.20
 domain iprevolution.net
 pool iprpool
 acl 150
crypto isakmp profile VPNClients
 description VPN Clients
 match identity group IPR-VPN
 client authentication list IPR_TACACS
 client configuration address respond
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto ipsec transform-set LANtoLAN_VPN esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 set isakmp-profile VPNClients
!
crypto map LAN-to-LAN 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set LANtoLAN_VPN
 match address 161
crypto map LAN-to-LAN 20 ipsec-isakmp dynamic dynmap
!
ip local pool iprpool 172.16.2.250 172.16.2.251
!
access-list 150 permit ip any 172.16.0.0 0.0.255.255
access-list 150 permit ip any 172.17.0.0 0.0.255.255
access-list 150 permit ip any 10.0.0.0 0.255.255.255
access-list 161 permit ip 192.168.80.0 0.0.1.255 10.0.0.0 0.255.255.255
access-list 161 permit ip 192.168.80.0 0.0.1.255 192.168.127.0 0.0.0.255
!
interface Port-channel2.100
 encapsulation dot1Q 100
 ip address Y.Y.Y.Y 255.255.255.192
 no ip redirects
 service-policy output TenToThirty
 no ip route-cache
 no ip mroute-cache
 crypto map LAN-to-LAN

Any advice would be GREATLY appreciated. Thanks.

Jason Fletcher
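A small detection script, added here as an example and not part of the original thread, that counts the router's %CRYPTO-6-IKMP_MODE_FAILURE lines per peer and mode, so that repeated Phase 1 failures stand out whether they come from a client whose proposal never matches the router (as in this thread) or from an address hammering the IKE endpoint. The syslog sample, hostname and peer addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the router emits for a failed
# IKE Phase 1 exchange; the timestamps, hostname and peer IPs are made up.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 gw1 12: *Mar  1 10:00:01.123: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 198.51.100.7
Mar  1 10:00:09 gw1 13: *Mar  1 10:00:09.456: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 198.51.100.7
Mar  1 10:00:15 gw1 14: *Mar  1 10:00:15.789: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 203.0.113.20
Mar  1 10:00:20 gw1 15: *Mar  1 10:00:20.000: %SYS-5-CONFIG_I: Configured from console by admin
Mar  1 10:00:31 gw1 16: *Mar  1 10:00:31.111: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 198.51.100.7
"""

# Matches the message body shown in the thread; captures the IKE mode and the peer address.
MODE_FAILURE = re.compile(
    r"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of (?P<mode>\w+) mode failed "
    r"with peer at (?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_mode_failures(text):
    """Return one (mode, peer) tuple per IKMP_MODE_FAILURE line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = MODE_FAILURE.search(line)
        if m:
            out.append((m.group("mode"), m.group("peer")))
    return out

def failures_per_peer(text):
    """Count Phase 1 failures keyed by (mode, peer)."""
    return Counter(parse_mode_failures(text))

def noisy_peers(text, threshold=3):
    """Peers with at least `threshold` Phase 1 failures, sorted; the threshold is a
    constructed default, tune it to the log volume of the gateway being watched."""
    counts = Counter(peer for _, peer in parse_mode_failures(text))
    return sorted(p for p, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for (mode, peer), n in failures_per_peer(SAMPLE_SYSLOG).items():
        print(f"{peer}: {n} {mode} mode failure(s)")
    print("peers at/above threshold:", noisy_peers(SAMPLE_SYSLOG))
```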

1 Reply

owillins
Level 6

The error messages do indicate that there is a config issue with Phase I negotiation, but they don't necessarily tell us where the problem is. The router handles the SA lifetime in seconds and some other devices handle it in minutes. When both devices negotiate the SAs and the SA lifetimes are different, the router will not be able to negotiate the SAs properly. Check if this is the issue.