Cisco VPN client to 837 router

cfiegert
Level 1

I'm having real issues getting this working. I have configured the router as below and am using the Cisco VPN client 4.6.02.0011.

I get an error -

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at xx.xx.xx.xx

and the VPN then drops.

Below is the config and the error -

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

crypto isakmp policy 3

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp nat keepalive 20

!

crypto isakmp client configuration group vpnclient

key cisco123

pool ippool

include-local-lan

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list grouputhor

crypto map clientmap client configuration address initiate

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

int Dialer1

ip nat outside

crypto map clientmap

ip local pool ippool 192.168.2.100 192.168.2.200

14398: *Mar 20 00:27:44.470 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 10 against priority 3 policy

414399: *Mar 20 00:27:44.470 UTC: ISAKMP: encryption 3DES-CBC

414400: *Mar 20 00:27:44.470 UTC: ISAKMP: hash MD5

414401: *Mar 20 00:27:44.470 UTC: ISAKMP: default group 2

414402: *Mar 20 00:27:44.470 UTC: ISAKMP: auth XAUTHInitPreShared

414403: *Mar 20 00:27:44.478 UTC: ISAKMP: life type in seconds

414404: *Mar 20 00:27:44.478 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

414405: *Mar 20 00:27:44.478 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3

414406: *Mar 20 00:27:44.482 UTC: CryptoEngine0: generating alg parameter for connid 1

414407: *Mar 20 00:27:44.482 UTC: CryptoEngine0: CRYPTO_ISA_DH_CREATE(hw)(ipsec)

414408: *Mar 20 00:27:44.930 UTC: CRYPTO_ENGINE: Dh phase 1 status: OK

414409: *Mar 20 00:27:44.934 UTC: ISAKMP:(0:1:HW:2): processing KE payload. message ID = 0

414410: *Mar 20 00:27:44.934 UTC: CryptoEngine0: generating alg parameter for connid 0

414411: *Mar 20 00:27:44.934 UTC: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET(hw)(ipsec)

414412: *Mar 20 00:27:45.382 UTC: ISAKMP:(0:1:HW:2): processing NONCE payload. message ID = 0

414413: *Mar 20 00:27:45.418 UTC: ISAKMP:(0:1:HW:2): vendor ID is NAT-T v2

414414: *Mar 20 00:27:45.418 UTC: ISAKMP (0:268435457): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY

414415: *Mar 20 00:27:45.418 UTC: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

414416: *Mar 20 00:27:45.422 UTC: ISAKMP:(0:1:HW:2):Old State = IKE_READY New State = IKE_READY

414417: *Mar 20 00:27:45.422 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at
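A name cross-reference check over the configuration posted above, added here as an example (it is not part of the original post and not Cisco tooling). It verifies that every AAA list, address pool, transform-set and dynamic-map referenced by the crypto configuration is defined under exactly that name. The function name, the rule table and the trimmed config excerpt are assumptions made for this example, and the patterns cover only the command forms that appear in this thread.

```python
import re

# Reference-bearing lines copied from the config in the question above.
POSTED_CONFIG = """\
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp client configuration group vpnclient
 pool ippool
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list grouputhor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
ip local pool ippool 192.168.2.100 192.168.2.200
"""

# (object kind, pattern that defines a name, pattern that references a name)
RULES = [
    ("aaa authentication list", r"^aaa authentication login (\S+)",
     r"^crypto map \S+ client authentication list (\S+)"),
    ("aaa authorization list", r"^aaa authorization network (\S+)",
     r"^crypto map \S+ isakmp authorization list (\S+)"),
    ("address pool", r"^ip local pool (\S+)", r"^pool (\S+)"),
    ("transform-set", r"^crypto ipsec transform-set (\S+)",
     r"^set transform-set (\S+)"),
    ("dynamic-map", r"^crypto dynamic-map (\S+)",
     r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
]


def find_dangling(config):
    """Return (kind, name, line) for each reference to an undefined name."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip() not in ("", "!")]
    problems = []
    for kind, define_re, ref_re in RULES:
        defined = {m.group(1) for ln in lines if (m := re.match(define_re, ln))}
        for ln in lines:
            m = re.match(ref_re, ln)
            if m and m.group(1) not in defined:
                problems.append((kind, m.group(1), ln))
    return problems


if __name__ == "__main__":
    for kind, name, line in find_dangling(POSTED_CONFIG):
        print(f"undefined {kind} '{name}' referenced by: {line}")
```

On the text as posted, the check reports the authorization list `grouputhor`, which differs from the defined `groupauthor`; the thread itself attributes the failure to the IOS version.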

2 Replies

Philip D'Ath
VIP Alumni

Try this config wizard:

http://www.ifm.net.nz/cookbooks/configwizard.html

Note also that there are a lot of broken versions of the IOS for the 837. Try a different version if you think you have it right.

Thanks for that...

It was the IOS version; I used a different version and everything started working as expected.