Error Message-
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at X.X.X.X
Common Debug Commands-
debug crypto isakmp
debug crypto engine
debug crypto ipsec
Results from Debug Crypto Isakmp-
Jul 20 17:08:50: map_db_find_best did not find matching map
Jul 20 17:08:50: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.0.1
Jul 20 17:08:50: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.0.0.1, remote= 192.168.0.1,
local_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
What this means-
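The access list applied to the crypto map is misconfigured: the traffic it selects does not match the proxy identities the peer proposes in Quick Mode.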
For Instance-
RTR1
ip access-list extended encrypt
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
RTR2
ip access-list extended encrypt
 permit ip 192.168.0.0 0.0.0.255 10.0.1.0 0.0.0.255
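These two access lists conflict: RTR1 protects traffic sourced from 10.0.0.0/24, while RTR2 names 10.0.1.0/24 as the far-end network. Because the entries are not mirror images of each other, Quick Mode fails with the error message above.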
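A quick way to catch this before bringing the tunnel up is to compare both peers' crypto ACL entries offline. The script below is an added example, not part of the original post; the function names and the RTR2_FIXED entry are assumptions made for illustration, and it only handles contiguous "permit ip <src> <wildcard> <dst> <wildcard>" entries.

```python
import ipaddress

def wildcard_net(addr, wildcard):
    """Convert an IOS address + wildcard mask (inverted netmask) to a network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_crypto_acl(text):
    """Return the set of (source, destination) networks from 'permit ip' lines."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        i = tok.index("permit")
        if tok[i + 1:i + 2] != ["ip"] or len(tok) < i + 6:
            continue  # any/host keywords and other protocols are out of scope here
        pairs.add((wildcard_net(tok[i + 2], tok[i + 3]),
                   wildcard_net(tok[i + 4], tok[i + 5])))
    return pairs

def mirror_mismatches(local_acl, peer_acl):
    """Entries on each side with no swapped (dst, src) twin on the other side."""
    local, peer = parse_crypto_acl(local_acl), parse_crypto_acl(peer_acl)
    only_local = local - {(d, s) for s, d in peer}
    only_peer = peer - {(d, s) for s, d in local}
    return sorted(only_local), sorted(only_peer)

# Entries taken from the RTR1/RTR2 example above.
RTR1 = "permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255"
RTR2 = "permit ip 192.168.0.0 0.0.0.255 10.0.1.0 0.0.0.255"
# Constructed correction, assuming RTR1's 10.0.0.0/24 is the intended subnet.
RTR2_FIXED = "permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255"

if __name__ == "__main__":
    for name, peer in (("RTR2", RTR2), ("RTR2_FIXED", RTR2_FIXED)):
        only_local, only_peer = mirror_mismatches(RTR1, peer)
        print(f"RTR1 vs {name}:", "mirrored" if not (only_local or only_peer) else "MISMATCH")
        for src, dst in only_local:
            print(f"  RTR1 entry {src} -> {dst} has no mirror on the peer")
        for src, dst in only_peer:
            print(f"  peer entry {src} -> {dst} has no mirror on RTR1")
```

Each unmatched entry it prints is a proxy identity one side will propose and the other will reject.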
Real World Application-
When working with a disparate team at another company, miscommunication will occur. With something as both simple and complex as a VPN connection, mistakes will occur. By producing the debug output above, you can tell the other team which corrections are needed, or make the corrections on your own side.