09-26-2006 05:16 AM - edited 02-21-2020 02:38 PM
Hi
I always receive an error message (%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 213.180.170.230) when I try to connect with the VPN Client.
See the configuration on the Router:
Router#sh run
Building configuration...
Current configuration : 2164 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_USER local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
username delec password xxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!!
crypto isakmp client configuration group VPN_HEIDELBERG
key smart700
dns 192.168.10.100
domain santhera.intra
pool VPN_POOL
!
!
crypto ipsec transform-set 3DES esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN_DYNAMIC 10
set transform-set 3DES
reverse-route
!
!
crypto map CLIENTMAP client authentication list VPN_USER
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic VPN_DYNAMIC
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$FW_OUTSIDE$
ip address 192.168.32.33 255.255.255.0
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
crypto map CLIENTMAP
!
interface FastEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool VPN_POOL 10.199.2.0 10.199.2.50
ip route 0.0.0.0 0.0.0.0 192.168.32.32
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.40.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.40.0 0.0.0.255 10.199.2.0 0.0.0.255 log
access-list 100 permit ip 192.168.40.0 0.0.0.255 any log
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxx
!
scheduler allocate 20000 1000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
I'm running IOS 12.4(6)T3 AdvSecurity
So what's wrong?
Regards
Peter
09-26-2006 07:31 AM
Missing some configuration
crypto dynamic-map VPN_DYNAMIC 10
set transform-set 3DES
reverse-route
Where is the ACL to match? You need an ACL to match traffic and encrypt it. The ACL should include traffic from your LAN to the remote VPN pool subnet.
It should look like this:
crypto dynamic-map VPN_DYNAMIC 10
set transform-set 3DES
reverse-route
match address 104
access-list 104 remark Remote VPN Clients
access-list 104 permit ip 10.199.2.0 0.0.0.255 192.168.32.0 0.0.0.255
Another thing:
crypto dynamic-map VPN_DYNAMIC 10
set transform-set 3DES
reverse-route
set isakmp-profile VPN_HEIDELBERG
You were missing the last line,
Please let me know if it works and rate if I could help,
Regards,
09-26-2006 07:32 AM
By the way, you need a route-map with the NAT statement so that you don't NAT traffic between your LAN and the remote VPN client subnet. Therefore, the route-map should deny all traffic from your LAN to the remote VPN client subnet and permit anything else.
Regards,
09-26-2006 07:34 AM
Sorry, some mistakes:
crypto dynamic-map VPN_DYNAMIC 10
set transform-set 3DES
reverse-route
Where is the ACL to match? You need an ACL to match traffic and encrypt it. The ACL should include traffic from your LAN to the remote VPN pool subnet.
It should look like this:
crypto dynamic-map VPN_DYNAMIC 10
set transform-set 3DES
reverse-route
match address 104
access-list 104 remark Remote VPN Clients
access-list 104 permit ip 10.199.2.0 0.0.0.255 192.168.40.0 0.0.0.255
Another thing:
crypto dynamic-map VPN_DYNAMIC 10
set transform-set 3DES
reverse-route
set isakmp-profile VPN_HEIDELBERG
Regards,
09-26-2006 07:34 AM
No need for the route-map; you already deny it using the ACL for the NAT.
Regards,
09-26-2006 09:38 PM
I found the mistake I made.
I forgot some aaa statements.
Although I thought that there is no need for authorization, you have to configure it.
Thanks anyway for all replies
Regards
Peter
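The two things this thread ends up hinging on (the crypto map has no ISAKMP authorization list, so the client group policy is never applied; and LAN-to-VPN-pool traffic must be excluded from the overload NAT) can be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco: it runs those two checks over a config text. SAMPLE_CONFIG is a constructed, abbreviated copy of the router config in the question; the list name VPN_GROUP in AUTHORIZATION_FIX is an assumption. It only parses access-list entries of the "src wildcard dst wildcard" or "dst any" form (no "host" keyword).

```python
"""Static checks for a Cisco IOS Easy VPN server config (crypto map + dynamic map).

Added example, not code from the thread: it turns the two failure modes the replies
discuss (no ISAKMP authorization list on the crypto map, so the client group policy
never gets applied; and LAN-to-VPN-pool traffic being NATed) into checks over a
config text. SAMPLE_CONFIG is a constructed, abbreviated copy of the router config
in the question. Assumption: ACL entries use the 'src wildcard dst wildcard' or
'dst any' form; the 'host' keyword is not parsed.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VPN_USER local
crypto isakmp client configuration group VPN_HEIDELBERG
 key xxx
 pool VPN_POOL
crypto map CLIENTMAP client authentication list VPN_USER
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic VPN_DYNAMIC
ip local pool VPN_POOL 10.199.2.0 10.199.2.50
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny ip 192.168.40.0 0.0.0.255 10.199.2.0 0.0.0.255 log
access-list 100 permit ip 192.168.40.0 0.0.0.255 any log
"""

# The lines the final post says were missing (aaa authorization for the client
# group, referenced from the crypto map); the list name VPN_GROUP is assumed.
AUTHORIZATION_FIX = """\
aaa authorization network VPN_GROUP local
crypto map CLIENTMAP isakmp authorization list VPN_GROUP
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to an IPv4Network."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def check_client_authorization(config):
    """Findings about XAUTH / group authorization on the crypto map."""
    findings = []
    m = re.search(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic \S+", config, re.M)
    if not m:
        return ["no crypto map references a dynamic map"]
    cmap = m.group(1)
    auth = re.search(rf"^crypto map {cmap} client authentication list (\S+)", config, re.M)
    if not auth:
        findings.append(f"crypto map {cmap}: no 'client authentication list' (XAUTH off)")
    elif not re.search(rf"^aaa authentication login {auth.group(1)} ", config, re.M):
        findings.append(f"aaa authentication login {auth.group(1)} is referenced but undefined")
    authz = re.search(rf"^crypto map {cmap} isakmp authorization list (\S+)", config, re.M)
    if not authz:
        findings.append(f"crypto map {cmap}: no 'isakmp authorization list' (group policy never applied)")
    elif not re.search(rf"^aaa authorization network {authz.group(1)} ", config, re.M):
        findings.append(f"aaa authorization network {authz.group(1)} is referenced but undefined")
    return findings


def check_nat_exemption(config):
    """Findings if the overload NAT ACL would translate LAN -> VPN-pool traffic."""
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M)
    nat = re.search(r"^ip nat inside source list (\d+) ", config, re.M)
    if not pool or not nat:
        return ["missing 'ip local pool' or 'ip nat inside source list'"]
    first, last = (ipaddress.IPv4Address(a) for a in pool.groups())
    acl = nat.group(1)
    entry = rf"^access-list {acl} (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?"
    # ACL entries are evaluated in order; the first match decides.
    for m in re.finditer(entry, config, re.M):
        action, _src, _swc, dst, dwc = m.groups()
        dst_net = ipaddress.IPv4Network("0.0.0.0/0") if dst == "any" else wildcard_to_network(dst, dwc)
        if first in dst_net and last in dst_net:
            if action == "deny":
                return []  # exempted from NAT: traffic reaches the IPsec tunnel untranslated
            return [f"access-list {acl}: VPN pool {first}-{last} is NATed by '{m.group(0)}'"]
        if first in dst_net or last in dst_net:
            return [f"access-list {acl}: '{m.group(0)}' covers only part of the pool"]
    return []  # implicit deny at the end of the ACL: not translated


def run_checks(config):
    """All findings for a config; an empty list means both checks passed."""
    return check_client_authorization(config) + check_nat_exemption(config)


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with authorization", SAMPLE_CONFIG + AUTHORIZATION_FIX)):
        print(f"{label}: {run_checks(cfg) or 'OK'}")
```

Run against the posted config the NAT check passes (access-list 100 already denies 192.168.40.0/24 to 10.199.2.0/24 ahead of the permit, which is why the second reply says no route-map is needed), while the authorization check reports the missing isakmp authorization list; appending AUTHORIZATION_FIX clears it.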