Cisco - vpn problem with c2821

 
01-15-2008, 03:04 PM   #1
vpn problem with c2821


Hello

We changed our ISP and started BGP, so we changed our IP address. Now we
have a problem with VPN; we can't connect.


This is the log from the client:

1 15:33:55.070 01/15/08 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

2 15:33:55.070 01/15/08 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)


And this is my conf:

version 12.4
aaa new-model
!
aaa authentication login userauthen local
aaa authentication login ADMIN local
aaa authorization network groupauthor local
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key qazxswedcvfr address 10.10.10.10
crypto isakmp keepalive 20 10
!
crypto isakmp client configuration group SKKVPN
 key 7_Wad_07
 dns 192.168.1.1
 wins 192.168.1.1
 pool CLIENT_POOL2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac

crypto dynamic-map dynmap 1
 set transform-set myset
!
!
crypto map CryptoMap_old_map 10 ipsec-isakmp
 description Quantum
 set peer 10.10.10.10
 set transform-set 3des_sha
 set pfs group2
 match address Acl_Ipsec_Quantum_Permit
!
crypto map dynmap client authentication list userauthen
crypto map dynmap isakmp authorization list groupauthor
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
crypto pki trustpoint TP-self-signed-3385040646
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3385040646
 revocation-check none
 rsakeypair TP-self-signed-3385040646
!
crypto pki certificate chain TP-self-signed-3385040646
 certificate self-signed 01
  3082154 308201BD A0030201 02220101 300D0609 2A864886 F70D02301 ...
!
ip local pool CLIENT_POOL2 192.168.10.1 192.168.10.254
!


When I delete all ACLs on the input interface I have the same problem -
nobody can connect.

Thanks for help or some clue

Ted
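
An added example, not part of the original thread: a small Python check that every name the crypto maps in the posted configuration refer to (AAA lists, transform sets, dynamic maps, address pools, ACLs) is also defined. The pattern tables are assumptions covering only the command forms that appear in the post, and since the post is an excerpt, a hit may only mean the definition was not pasted.

```python
import re

# Constructed sample: cross-referencing lines copied from the posted config (keys omitted).
CONFIG = """\
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp client configuration group SKKVPN
 pool CLIENT_POOL2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set myset
crypto map CryptoMap_old_map 10 ipsec-isakmp
 set transform-set 3des_sha
 match address Acl_Ipsec_Quantum_Permit
crypto map dynmap client authentication list userauthen
crypto map dynmap isakmp authorization list groupauthor
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
ip local pool CLIENT_POOL2 192.168.10.1 192.168.10.254
"""

# Where each kind of named object is defined ...
DEFINES = [
    ("aaa-list", r"^aaa (?:authentication login|authorization network) (\S+)"),
    ("transform-set", r"^crypto ipsec transform-set (\S+)"),
    ("dynamic-map", r"^crypto dynamic-map (\S+)"),
    ("pool", r"^ip local pool (\S+)"),
    ("acl", r"^ip access-list \S+ (\S+)"),  # named ACLs only
]
# ... and where it is referenced.
REFERENCES = [
    ("aaa-list", r"^crypto map \S+ (?:client authentication|isakmp authorization) list (\S+)"),
    ("transform-set", r"^ +set transform-set (\S+)"),
    ("dynamic-map", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    ("pool", r"^ +pool (\S+)"),
    ("acl", r"^ +match address (\S+)"),
]

def collect(patterns, text):
    return {(kind, m.group(1))
            for kind, rx in patterns
            for m in re.finditer(rx, text, re.MULTILINE)}

def dangling_references(text):
    """Return sorted (kind, name) pairs that are used but never defined."""
    return sorted(collect(REFERENCES, text) - collect(DEFINES, text))

if __name__ == "__main__":
    for kind, name in dangling_references(CONFIG):
        print(f"{kind} {name!r}: referenced but not defined in this text")
```

On the excerpt it reports only the ACL named in `match address`, whose definition is not among the posted lines.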




01-15-2008, 03:13 PM   #2
ted
Re: vpn problem with c2821

And the router's logs:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 177.10.64.2
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 177.10.64.2
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 177.10.64.2


Ted


01-16-2008, 05:40 PM   #3
S Reese
Re: vpn problem with c2821


Do you have the peer's configuration that you may also post?

