
IPsec VPN and iOS clients

joel75941
Level 1

All,

I've created an IPsec VPN which is currently working from external workstations.  They are on Windows and have no issues with connectivity and accessing local resources.

However, when I try to connect to the VPN through an iPad, I get an error that the connection cannot be negotiated.  On the router console, I get the below error:

*Aug  8 15:22:56.990: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 107.107.56.116

Can anyone point me in the right direction as to why iOS is failing?  I recall reading that IPsec only encrypts IP traffic, is iOS using IPX or something?  Do I need to reconfigure the VPN with GRE over IPsec?  I appreciate any feedback you can provide, thanks.

2 Replies

Hi

As far as I know, only AnyConnect is a supported VPN client.

Sorry, please allow me to elaborate.  I'm not using certificates, and this is just a pre-shared key VPN.  So my router has the following config:

Router#sh run
Building configuration...

Current configuration : 2663 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YJJ3$rRjr0oCGS0QIDrdAB9hYa0
!
aaa new-model
!
!
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool vlan1
   network 192.168.0.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 192.168.0.1
   lease 0 4
!
!
ip name-server 8.8.8.8
!
!
!
username bmwna secret 5 $1$GMFd$fsEKrwzxMWq9gdfloD322.
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group testUSER
 key testPASS
 dns 8.8.8.8
 pool VPN_CLIENT_POOL
 acl 110
!
!
crypto ipsec transform-set TRANS_AES esp-aes esp-sha-hmac
!
crypto dynamic-map EXT_DYMAP 10
 set transform-set TRANS_AES
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYMAP
!
!
!
!
interface FastEthernet0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map EXT_MAP
!
interface FastEthernet1
 no ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool VPN_CLIENT_POOL 192.168.50.200 192.168.50.210
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip route 192.168.2.0 255.255.255.0 192.168.0.2
ip route 192.168.3.0 255.255.255.0 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.175 443 x.x.x.x 443 extendable
!
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.3.255 192.168.50.0 0.0.0.255
 permit ip 192.168.0.0 0.0.3.255 any
!
access-list 110 permit ip 192.168.0.0 0.0.3.255 192.168.50.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

AnyConnect doesn't allow me to use group authentication.

The above config works for regular devices.  When I try to use an iPad, I can get past the group authentication but the "aggressive mode" error happens, and when I try to enter the 2nd step user/pass authentication it will always fail.
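
The posted ISAKMP policy leaves some phase-1 values (such as the hash) to IOS defaults, so the config alone does not show everything the router will accept. The following Python script is an added example, not part of the original thread and not a Cisco tool: it fills in those defaults for each crypto isakmp policy block and lists phase-1 settings that merit review. The function names isakmp_policies and audit are hypothetical, and the default values are an assumption (classic IOS 12.4 IKEv1 defaults).

```python
import re

# IOS fills in these values for lines absent from a policy (assumed 12.4 defaults).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
WEAK_DH = {"1", "2", "5"}  # MODP groups of 768, 1024 and 1536 bits

# Excerpt of the running-config posted in the thread above.
SAMPLE = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group testUSER
 key testPASS
"""

def isakmp_policies(config):
    """Return {priority: effective IKEv1 phase-1 settings}, defaults included."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in DEFAULTS and value:
                current[key] = value.strip()
        else:
            current = None  # left the policy block
    return policies

def audit(config):
    """List phase-1 settings in an Easy VPN server config that merit review."""
    findings = []
    for prio, p in sorted(isakmp_policies(config).items()):
        if p["group"] in WEAK_DH:
            findings.append(f"policy {prio}: DH group {p['group']} is below 2048 bits")
        if p["encr"].split()[0] in ("des", "3des") or p["hash"] == "md5":
            findings.append(f"policy {prio}: legacy {p['encr']}/{p['hash']}")
    groups = r"^crypto isakmp client configuration group (\S+)\n((?: .*\n)*)"
    for m in re.finditer(groups, config, re.M):
        if re.search(r"^ key (?!6 )\S+", m.group(2), re.M):
            findings.append(f"group {m.group(1)}: group key stored in cleartext")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The effective policy 10 here is AES, SHA (defaulted), pre-share, DH group 2, lifetime 3600, which is the set of values a client's phase-1 proposal has to match.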