VPN error "CRYPTO-6-IKMP_MODE_FAILURE: ..." [Closed]

Christophe-Rouen (15 posts, registered Tuesday 10 November 2015, member, last post 10 March 2018)
Hello,

The full error is this:
CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 62.160.XXX.XXX


I want to set up a client for an existing Cisco router, whose address is as above: 62.160.XXX.XXX
So I gave it (the VPN client) this config:


! NVRAM config last updated at 01:02:23 CET Sat Mar 10 2018
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname C860-Paysage
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login vpn_client local
aaa authorization network vpn_client local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CET 1 0
clock summer-time CEST recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3453975763
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3453975763
revocation-check none
rsakeypair TP-self-signed-3453975763
!
!
crypto pki certificate chain TP-self-signed-3453975763
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
ip source-route
!
!
!
ip dhcp pool MonDHCP
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.240
dns-server 8.8.8.8
lease 0 2
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
license udi pid CISCO861-K9 sn FCZ1706C2N6
!
!
username toto privilege 15 password 0 tutu
username lseclient privilege 15 password 0 Graorr
!
!
!
policy-map TSE
class class-default
!
!
crypto keyring vpnL2L
pre-shared-key address 0.0.0.0 0.0.0.0 key blabla-1
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group vpn_client
key blabla-1
pool vpn_pool
acl 120
include-local-lan
crypto isakmp profile L2L
keyring vpnL2L
match identity address 0.0.0.0
crypto isakmp profile VPNNomade
match identity group vpn_client
client authentication list vpn_client
isakmp authorization list vpn_client
client configuration address respond
!
!
crypto ipsec transform-set Strong esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile vpntunnel
set security-association lifetime seconds 120
set isakmp-profile L2L
!
!
crypto dynamic-map dynmap 10
set transform-set Strong
set isakmp-profile VPNNomade
reverse-route
!
!
crypto map dynmap 2 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 172.16.1.2 255.255.255.0
ip mtu 1440
no ip split-horizon
tunnel destination 62.160.XXX.XXX
tunnel key 100000
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description To Internet
ip address 192.168.1.240 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map dynmap
!
interface Vlan1
description to lan
ip address 192.168.2.240 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
router odr
network 172.16.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.7.0
network 192.168.8.0
!
ip local pool vpn_pool 192.168.210.1 192.168.210.50
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.15.1.0 255.255.255.0 Tunnel0
!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 10.15.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 150 permit tcp any eq 3389 any eq 3389
no cdp run
!
!
banner exec ^C


AND THE CISCO I want to reach has this config (the server, in other words):


C871-siemo#sh conf
Using 2275 out of 262136 bytes, uncompressed size = 3852 bytes
Uncompressed configuration from 2275 bytes to 3852 bytes
!
! Last configuration change at 13:27:56 CET Mon Jan 2 2006
! NVRAM config last updated at 13:28:01 CET Mon Jan 2 2006
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname C871-Toto
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PfrL$Q9SnMsuSpuVoIZUll5eyH0
!
aaa new-model
!
!
aaa authentication login vpn_client local

aaa authorization network vpn_client local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CET 1
clock summer-time CEST recurring
!
!
ip source-route
!
!
!
ip cef
!
!
license udi pid CISCO861-K9 sn FCZ1533C0PL
!
!
archive
log config
hidekeys
username toto privilege 15 password 0 blabla-2
! etc...
!
!
!
class-map match-all TSE
match access-group 150
!
!
policy-map TSE
class class-default
bandwidth 60
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group vpn_client
key blabla-1
pool vpn_pool
acl 120
include-local-lan
crypto isakmp profile VPNNomade
match identity group vpn_client
client authentication list vpn_client
isakmp authorization list vpn_client
client configuration address respond
!
!
crypto ipsec transform-set Strong esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile vpntunnel
set security-association lifetime seconds 120
set transform-set Strong
!
!
crypto dynamic-map dynmap 10
set transform-set Strong
set isakmp-profile VPNNomade
reverse-route
!
!
crypto map dynmap 2 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description To Internet
ip address 62.160.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe-client dial-pool-number 1
crypto map dynmap
service-policy output TSE
!
interface Vlan1
description to lan
ip address 10.43.59.240 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool vpn_pool 192.168.200.1 192.168.200.50
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 217.167.140.50
!
access-list 10 permit 10.43.59.0 0.0.0.255
access-list 110 deny ip 10.43.59.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 permit ip 10.43.59.0 0.0.0.255 any
access-list 120 permit ip 10.43.59.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 150 permit tcp any eq 3389 any eq 3389
!
control-plane
!
banner exec ^CCCCC
-----
-------------------------------------------------
^C
banner login ^CCCCC
-------------------------------------------------
console d'administration du Routeur
societe TOTO site
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end



and if I do ...

C860-Paysage>en
C860-Paysage#debug crypto isakmp
Crypto ISAKMP debugging is on
C860-Paysage#ping 10.15.1.240
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.1.240, timeout is 2 seconds:

Mar 10 01:16:34.083: ISAKMP:(0): SA request profile is L2L
Mar 10 01:16:34.083: ISAKMP: Created a peer struct for 62.160.XXX.XXX, peer port 500
Mar 10 01:16:34.083: ISAKMP: New peer created peer = 0x8453F55C peer_handle = 0x8000000D
Mar 10 01:16:34.083: ISAKMP: Locking peer struct 0x8453F55C, refcount 1 for isakmp_initiator
Mar 10 01:16:34.083: ISAKMP: local port 500, remote port 500
Mar 10 01:16:34.083: ISAKMP: set new node 0 to QM_IDLE
Mar 10 01:16:34.087: ISAKMP:(0):insert sa successfully sa = 85FC2A60
Mar 10 01:16:34.087: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 10 01:16:34.087: ISAKMP:(0):Found ADDRESS key in keyring vpnL2L
Mar 10 01:16:34.087: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 10 01:16:34.087: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 10 01:16:34.087: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 10 01:16:34.087: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 10 01:16:34.087: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 10 01:16:34.087: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Mar 10 01:16:34.087: ISAKMP:(0): beginning Main Mode exchange
Mar 10 01:16:34.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:16:34.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:16:34.171: ISAKMP (0): received packet from 62.160.XXX.XXX dport 500 sport 500 Global (I) MM_NO_STATE
Mar 10 01:16:34.175: ISAKMP:(0):Notify has no hash. Rejected.
Mar 10 01:16:34.175: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Mar 10 01:16:34.175: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar 10 01:16:34.175: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1

Mar 10 01:16:34.175: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 62.160..195.169....
Success rate is 0 percent (0/5)
C860-Paysage#
Mar 10 01:16:44.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:16:44.087: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 10 01:16:44.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:16:44.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:16:44.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:16:54.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:16:54.087: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 10 01:16:54.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:16:54.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:16:54.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:17:04.083: ISAKMP: set new node 0 to QM_IDLE
Mar 10 01:17:04.083: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.1.240, remote 62.160.195.169)
Mar 10 01:17:04.083: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 10 01:17:04.083: ISAKMP: Error while processing KMI message 0, error 2.
Mar 10 01:17:04.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:17:04.087: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 10 01:17:04.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:17:04.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:17:04.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:17:14.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:17:14.087: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 10 01:17:14.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:17:14.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:17:14.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 10 01:17:24.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 10 01:17:24.087: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 10 01:17:24.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 10 01:17:24.087: ISAKMP:(0): sending packet to 62.160.XXX.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 10 01:17:24.087: ISAKMP:(0):Sending an IKE IPv4 Packet.

HEEEEELP!!!!!

It's been days, hours, of trying things and searching... nothing works! (I honestly can't take it anymore...)


If someone can help me, that would be great. I'm not very good at Cisco. No. I'm bad. Yes, that's it. But I know it! And without sites to help, I could stay stuck without ever finding the answer until the end of my life.

Thanks in advance!

Cheers!

Christophe


1 reply

For someone who isn't good at Cisco, you're taking on something heavy there.
Well, I'll copy Cisco's answer for you.. Basically, there is a problem in the negotiation of the IPsec/IKE parameters, which fails between the two peers (62.160.x.x and the other one); you should recheck those parameters on both sides and make sure they are compatible.
Christophe-Rouen

Even this weekend, on top of that!
Cheers!
Christophe-Rouen

It looks like the problem starts with "xxxxx has no hash"... doesn't it? And I should also point out: if I connect a remote-access VPN client, that does work. Whether it's Shrew Soft or Cisco VPN Client, I do end up LAN-to-LAN... er... does that give any indication? ... Thanks!
Christophe-Rouen

In any case, thank you Weoui!
Christophe-Rouen

Weoui, actually I don't see anything about Cisco and this particular error... there's just a list of links... I switched to a Windows OS to see whether there might have been page display problems with Android, but where is this famous copy you mention, which would be Cisco's answer? Thanks.
Christophe-Rouen

I found it!!! THE PROFILE FOR IPSEC AND ISAKMP did not exist on the "server" router.
One small sorrow remains: my tunnel only works if I specify (on that same "server" Cisco) a tunnel destination = the WAN IP address on the "client" side. Yet if it works for remote-access VPNs, what needs to be done for it to work the same way with a real router? As soon as I remove it, that's it, there's nobody there anymore...
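As an added example (not from the thread, nor Cisco's own tooling), here is a small Python check over two IOS configs for the two phase-1 prerequisites this site-to-site tunnel depended on: that both peers share at least one ISAKMP policy, and that the responding side has a pre-shared key scoped to an address-identified peer (the keyring/ISAKMP profile Christophe found missing on the "server"). It assumes a standard indented running-config and embeds constructed, abridged excerpts of the thread's two configs.

```python
import ipaddress
import re

def isakmp_policies(cfg):
    """Parse each 'crypto isakmp policy N' block into a frozenset of attributes,
    filling the classic IOS IKEv1 defaults for anything the block leaves unset."""
    policies = []
    for block in re.split(r"^crypto isakmp policy \d+\n", cfg, flags=re.M)[1:]:
        p = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
        for line in block.splitlines():
            if not line.startswith(" "):
                break                       # end of the indented block
            key, _, val = line.strip().partition(" ")
            if key in p:
                p[key] = val
        policies.append(frozenset(p.items()))
    return policies

def common_policies(cfg_a, cfg_b):
    """Phase-1 proposals both peers accept; an empty set means main mode cannot complete."""
    return set(isakmp_policies(cfg_a)) & set(isakmp_policies(cfg_b))

def psk_scopes(cfg):
    """Address ranges that carry a pre-shared key: 'crypto isakmp key K address A [M]'
    lines and keyring 'pre-shared-key address A [M] key K' entries (no mask = /32)."""
    pat = r"^\s*(?:crypto isakmp key \S+|pre-shared-key) address (\S+)(?: (\d[\d.]*))?"
    return [ipaddress.ip_network(f"{a}/{m or '255.255.255.255'}", strict=False)
            for a, m in re.findall(pat, cfg, re.M)]

def has_psk_for(cfg, peer_ip):
    """True when some pre-shared key in cfg covers peer_ip (0.0.0.0 0.0.0.0 = any peer)."""
    return any(ipaddress.ip_address(peer_ip) in net for net in psk_scopes(cfg))

# Constructed, abridged excerpts of the thread's two routers (only the crypto lines
# the checks read). The client declares an any-address keyring; the server, as first
# posted, has the same policies but no pre-shared key for an address-identified peer.
CLIENT = """\
crypto keyring vpnL2L
 pre-shared-key address 0.0.0.0 0.0.0.0 key blabla-1
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
"""
SERVER = CLIENT.split("\n", 2)[2]   # same text minus the two keyring lines
```

Run `common_policies(CLIENT, SERVER)` and `has_psk_for(SERVER, <client WAN IP>)` before bringing a tunnel up: the first set should be non-empty and the second True on the responder, otherwise phase 1 stalls exactly as in the debug above.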