Can you check for two things:
- Whether the client is sending its request to the interface on which the crypto map is applied on the server
- Whether the group name configured on the client is "EZVPN", case-sensitive.

With regards
Kings

On Sat, Jul 24, 2010 at 5:17 PM, yusef sheriff <[email protected]> wrote:
> I'm getting the following error in an Ezvpn remote access VPN configuration
>
> CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at
>
> I'm using a Cisco 7200 series router; the IOS version is: Version 12.4(24)T3
> (c7200-adventerprisek9-mz.124-24.T3.bin)
>
> Please help. Please find the config below:
> R3#sho run
> Building configuration...
>
> Current configuration : 2193 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R3
> !
> boot-start-marker
> boot-end-marker
> !
> !
> aaa new-model
> !
> !
> aaa authentication login CONSOLE none
> aaa authentication login EZVPN local
> aaa authorization network EZVPN local
> !
> aaa session-id common
> !
> !
> ip cef
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> username CISCO password 0 CISCO123
> !
> !
> !
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp client configuration address-pool local EZVPN
> !
> crypto isakmp client configuration group EZVPN
>  key CISCO
>  pool EZVPN
>  acl SPLIT-TUNNEL
> !
> !
> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> !
> crypto dynamic-map DYNAMIC 10
>  set transform-set MYSET
>  reverse-route
> !
> !
> crypto map MYMAP client authentication list EZVPN67
> crypto map MYMAP isakmp authorization list EZVPN67
> crypto map MYMAP client configuration address respond
> crypto map MYMAP 10 ipsec-isakmp dynamic DYNAMIC
> !
> !
> !
> !
> interface FastEthernet0/0
>  no ip address
>  shutdown
>  duplex half
> !
> interface Ethernet1/0
>  ip address 136.1.123.3 255.255.255.0
>  duplex full
> !
> interface Ethernet1/1
>  ip address 136.1.100.3 255.255.255.0
>  duplex full
>  crypto map MYMAP
> !
> interface Ethernet1/2
>  no ip address
>  shutdown
>  duplex half
> !
> interface Ethernet1/3
>  no ip address
>  shutdown
>  duplex half
> !
> interface Serial2/0
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no fair-queue
> !
> interface Serial2/1
>  ip address 136.1.23.3 255.255.255.0
>  serial restart-delay 0
> !
> interface Serial2/2
>  no ip address
>  shutdown
>  serial restart-delay 0
> !
> interface Serial2/3
>  no ip address
>  shutdown
>  serial restart-delay 0
> !
> !
> router ospf 1
>  log-adjacency-changes
>  redistribute static subnets
>  network 136.1.23.0 0.0.0.255 area 0
>  network 136.1.100.0 0.0.0.255 area 0
>  network 136.1.123.0 0.0.0.255 area 0
> !
> ip local pool EZVPN 20.0.0.1 20.0.0.254
> ip forward-protocol nd
> !
> no ip http server
> no ip http secure-server
> !
> !
> !
> ip access-list extended SPLIT-TUNNEL
>  permit ip 10.0.0.0 0.0.0.255 any
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> gatekeeper
>  shutdown
> !
> !
> line con 0
>  login authentication CONSOLE
>  stopbits 1
> line aux 0
>  stopbits 1
> line vty 0 4
> !
> !
> en
>
> --
> Thanks & Regards,
>
> Yusef Sherif
> Sr. Network Engineer
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
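The two checks suggested in the reply, written as a small script over an excerpt of the quoted server configuration. This is an added example, not part of the original thread; the function names and the client values passed in are hypothetical. It goes one step beyond the reply by also listing AAA list names that a crypto map references but the configuration never defines.

```python
import re

# Constructed excerpt of the server configuration quoted above.
SERVER_CONFIG = """\
aaa authentication login EZVPN local
aaa authorization network EZVPN local
crypto isakmp client configuration group EZVPN
 key CISCO
crypto map MYMAP client authentication list EZVPN67
crypto map MYMAP isakmp authorization list EZVPN67
crypto map MYMAP 10 ipsec-isakmp dynamic DYNAMIC
interface Ethernet1/0
 ip address 136.1.123.3 255.255.255.0
interface Ethernet1/1
 ip address 136.1.100.3 255.255.255.0
 crypto map MYMAP
"""

def crypto_map_addresses(cfg):
    """Return {ip: map_name} for interfaces that have a crypto map applied."""
    found, ip = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            ip = None  # new interface stanza, forget the previous address
        elif m := re.match(r"\s+ip address (\S+) \S+", line):
            ip = m.group(1)
        elif (m := re.match(r"\s+crypto map (\S+)$", line)) and ip:
            found[ip] = m.group(1)
    return found

def check_client(cfg, peer_ip, group):
    """Run the reply's two checks for a client's peer address and group name."""
    problems = []
    if peer_ip not in crypto_map_addresses(cfg):
        problems.append(f"peer {peer_ip} has no crypto map applied")
    groups = re.findall(r"^crypto isakmp client configuration group (\S+)", cfg, re.M)
    if group not in groups:  # exact match: the comparison is case-sensitive
        problems.append(f"group {group!r} not defined (server has {groups})")
    return problems

def undefined_aaa_lists(cfg):
    """AAA list names used by a crypto map with no matching 'aaa ...' definition."""
    defined = set(re.findall(r"^aaa (?:authentication login|authorization network) (\S+)", cfg, re.M))
    used = set(re.findall(r"^crypto map \S+ (?:client authentication|isakmp authorization) list (\S+)", cfg, re.M))
    return sorted(used - defined)
```

Calling `check_client(SERVER_CONFIG, "136.1.123.3", "ezvpn")` with those constructed client values reports both problems, because Ethernet1/0 carries no crypto map and the group name differs in case.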
