08-08-2016 08:39 AM - edited 02-21-2020 08:55 PM
All,
I've created an IPsec VPN which is currently working from external workstations. They are on Windows and have no issues with connectivity and accessing local resources.
However, when I try to connect to the VPN through an iPad, I get an error that the connection cannot be negotiated. On the router console, I get the below error:
*Aug 8 15:22:56.990: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 107.107.56.116
Can anyone point me in the right direction as to why IOS is failing? I recall reading that IPsec only encrypts IP traffic, is IOS using IPX or something? Do I need to reconfigure the VPN with GRE over IPsec? I appreciate any feedback you can provide, thanks.
08-08-2016 10:08 AM
Hi
As far as I know, only AnyConnect is a supported VPN client.
08-08-2016 12:07 PM
Sorry, please allow me to elaborate. I'm not using certificates, and this is just a pre-shared key VPN. So my router has the following config:
Router#sh run
Building configuration...
Current configuration : 2663 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YJJ3$rRjr0oCGS0QIDrdAB9hYa0
!
aaa new-model
!
!
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool vlan1
 network 192.168.0.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.0.1
 lease 0 4
!
!
ip name-server 8.8.8.8
!
!
!
username bmwna secret 5 $1$GMFd$fsEKrwzxMWq9gdfloD322.
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group testUSER
 key testPASS
 dns 8.8.8.8
 pool VPN_CLIENT_POOL
 acl 110
!
!
crypto ipsec transform-set TRANS_AES esp-aes esp-sha-hmac
!
crypto dynamic-map EXT_DYMAP 10
 set transform-set TRANS_AES
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYMAP
!
!
!
!
interface FastEthernet0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map EXT_MAP
!
interface FastEthernet1
 no ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool VPN_CLIENT_POOL 192.168.50.200 192.168.50.210
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip route 192.168.2.0 255.255.255.0 192.168.0.2
ip route 192.168.3.0 255.255.255.0 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.175 443 x.x.x.x 443 extendable
!
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.3.255 192.168.50.0 0.0.0.255
 permit ip 192.168.0.0 0.0.3.255 any
!
access-list 110 permit ip 192.168.0.0 0.0.3.255 192.168.50.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
AnyConnect doesn't allow me to use group authentication.
The above config works for regular devices. When I try to use an iPad, I can get past the group authentication but the "aggressive mode" error happens, and when I try to enter the 2nd step user/pass authentication it will always fail.