topic MULTIPLE CRYPTO AUTHENTICATION ERROR in Network Access Control https://community.cisco.com/t5/network-access-control/multiple-crypto-authentication-error/m-p/532602#M5735 <P>I have two crypto map, one dynamic for my vpn clients and another for vpn site-to-site. The thing is that the vpn site-to-site works perfect until I put authentication for the dynamic vpn. After that, my vpn clients authenticate perfect but my vpn site-to-site won´t pass phase 2. The logs says "ISAKMP Phase 2 retransmission". If I remove the authentication line, in a couple of minutes vpn site-to-site is up again. Any ideas to solve this? Thanks in advance.</P><P></P><P></P><P>The problematic line</P><P>crypto map mymap client authentication ias (radius server)</P><P></P><P></P><P></P><P>the configuration of crypto map</P><P></P><P>crypto ipsec transform-set myset esp-3des esp-md5-hmac </P><P>crypto dynamic-map dynmap 100 set transform-set myset</P><P></P><P>crypto ipsec transform-set set_london esp-3des esp-sha-hmac </P><P>crypto map mymap 20 ipsec-isakmp</P><P>crypto map mymap 20 match address acl_aeiou</P><P>crypto map mymap 20 set pfs group2</P><P>crypto map mymap 20 set peer 11.22.33.44</P><P>crypto map mymap 20 set transform-set set_london</P><P>crypto map mymap 100 ipsec-isakmp dynamic dynmap</P><P>crypto map mymap interface outside</P><P></P><P></P><P>isakmp key netscreen address aa.bb.cc.dd netmask 255.255.aa.bb </P><P>isakmp identity address</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption 3des</P><P>isakmp policy 20 hash sha</P><P>isakmp policy 20 group 2</P><P>isakmp policy 20 lifetime 28800</P><P></P><P></P><P></P> Fri, 21 Feb 2020 18:15:50 GMT edimonte1980 2020-02-21T18:15:50Z MULTIPLE CRYPTO AUTHENTICATION ERROR https://community.cisco.com/t5/network-access-control/multiple-crypto-authentication-error/m-p/532602#M5735 <P>I have two crypto map, one dynamic for my vpn clients and another for vpn site-to-site. The thing is that the vpn site-to-site works perfect until I put authentication for the dynamic vpn. After that, my vpn clients authenticate perfect but my vpn site-to-site won´t pass phase 2. The logs says "ISAKMP Phase 2 retransmission". If I remove the authentication line, in a couple of minutes vpn site-to-site is up again. Any ideas to solve this? Thanks in advance.</P><P></P><P></P><P>The problematic line</P><P>crypto map mymap client authentication ias (radius server)</P><P></P><P></P><P></P><P>the configuration of crypto map</P><P></P><P>crypto ipsec transform-set myset esp-3des esp-md5-hmac </P><P>crypto dynamic-map dynmap 100 set transform-set myset</P><P></P><P>crypto ipsec transform-set set_london esp-3des esp-sha-hmac </P><P>crypto map mymap 20 ipsec-isakmp</P><P>crypto map mymap 20 match address acl_aeiou</P><P>crypto map mymap 20 set pfs group2</P><P>crypto map mymap 20 set peer 11.22.33.44</P><P>crypto map mymap 20 set transform-set set_london</P><P>crypto map mymap 100 ipsec-isakmp dynamic dynmap</P><P>crypto map mymap interface outside</P><P></P><P></P><P>isakmp key netscreen address aa.bb.cc.dd netmask 255.255.aa.bb </P><P>isakmp identity address</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption 3des</P><P>isakmp policy 20 hash sha</P><P>isakmp policy 20 group 2</P><P>isakmp policy 20 lifetime 28800</P><P></P><P></P><P></P> Fri, 21 Feb 2020 18:15:50 GMT https://community.cisco.com/t5/network-access-control/multiple-crypto-authentication-error/m-p/532602#M5735 edimonte1980 2020-02-21T18:15:50Z Re: MULTIPLE CRYPTO AUTHENTICATION ERROR https://community.cisco.com/t5/network-access-control/multiple-crypto-authentication-error/m-p/532603#M5739 <HTML><HEAD></HEAD><BODY><P>Please find fully working configuration from my lab, hope this helps also as reference check the following document:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml</A></P><P></P><P></P><P>access-list nonat permit ip <INSIDE_LAN_IP> 255.255.255.0 <REMOTE_LAN_IP> 255.255.255.0</REMOTE_LAN_IP></INSIDE_LAN_IP></P><P>access-list nonat permit ip <INSIDE_LAN_IP> 255.255.255.0 <VPN-RAS-POOL-IP> 255.255.255.240</VPN-RAS-POOL-IP></INSIDE_LAN_IP></P><P>access-list 700 permit ip <INSIDE_LAN_IP> 255.255.255.0 <REMOTE_LAN_IP> 255.255.255.0</REMOTE_LAN_IP></INSIDE_LAN_IP></P><P>access-list 300 permit ip <INSIDE_LAN_IP> 255.255.255.0 <VPN-RAS-POOL-IP> 255.255.255.240</VPN-RAS-POOL-IP></INSIDE_LAN_IP></P><P></P><P>ip local pool vpn-ras-pool 172.x.x.1-172.x.x.10</P><P></P><P>nat (inside) 0 access-list nonat</P><P></P><P>aaa-server partnerauth (inside) host <LAN_RADIUS_SERVER_IP> <RADIUS_KEY> timeout 5</RADIUS_KEY></LAN_RADIUS_SERVER_IP></P><P></P><P></P><P>sysopt connection permit-ipsec</P><P></P><P>crypto ipsec transform-set LAB1 esp-3des esp-md5-hmac</P><P>crypto dynamic-map dynmap 100 set transform-set LAB1</P><P></P><P>crypto map labmap 1 ipsec-isakmp</P><P>crypto map labmap 1 match address 700</P><P>crypto map labmap 1 set peer <PEER ip="" address=""></PEER></P><P>crypto map labmap 1 set transform-set LAB1</P><P>crypto map labmap 65535 ipsec-isakmp dynamic dynmap</P><P>crypto map labmap client authentication partnerauth</P><P>crypto map labmap interface outside</P><P></P><P>isakmp enable outside</P><P>isakmp key secretkey address <PEER ip="" address=""> netmask 255.255.255.255</PEER></P><P>isakmp identity address</P><P>isakmp nat-traversal </P><P>isakmp policy 1 authentication pre-share</P><P>isakmp policy 1 encryption 3des</P><P>isakmp policy 1 hash md5</P><P>isakmp policy 1 group 2</P><P>isakmp policy 1 lifetime 86400</P><P></P><P>vpngroup labrasvpn address-pool vpn-ras-pool</P><P>vpngroup labrasvpn dns-server <DNS1> <DNS2></DNS2></DNS1></P><P>vpngroup labrasvpn wins-server <WINS_SERVER_IP></WINS_SERVER_IP></P><P>vpngroup labrasvpn default-domain <DOMAIN_NAME></DOMAIN_NAME></P><P>vpngroup labrasvpn split-tunnel 300</P><P>vpngroup labrasvpn idle-time 1800</P><P>vpngroup labrasvpn password <PASSWORD></PASSWORD></P><P></P><P></P><P>Please rate post if it helps you.</P><P></P><P>Jay</P><P></P><P></P></BODY></HTML> Wed, 24 May 2006 09:17:24 GMT https://community.cisco.com/t5/network-access-control/multiple-crypto-authentication-error/m-p/532603#M5739 jmia 2006-05-24T09:17:24Z Re: MULTIPLE CRYPTO AUTHENTICATION ERROR https://community.cisco.com/t5/network-access-control/multiple-crypto-authentication-error/m-p/532604#M5742 <HTML><HEAD></HEAD><BODY><P>Just wonder if you need to disable extended authentication </P><P></P><P>isakmp key netscreen address aa.bb.cc.dd netmask 255.255.aa.bb no-xauth</P></BODY></HTML> Wed, 24 May 2006 09:28:29 GMT https://community.cisco.com/t5/network-access-control/multiple-crypto-authentication-error/m-p/532604#M5742 attrgautam 2006-05-24T09:28:29Z