05-24-2006 12:40 AM - edited 02-21-2020 10:15 AM
I have two crypto maps, one dynamic for my VPN clients and another for the VPN site-to-site. The thing is that the VPN site-to-site works perfectly until I put authentication on the dynamic VPN. After that, my VPN clients authenticate perfectly, but my VPN site-to-site won't pass phase 2. The logs say "ISAKMP Phase 2 retransmission". If I remove the authentication line, in a couple of minutes the VPN site-to-site is up again. Any ideas to solve this? Thanks in advance.
The problematic line:
crypto map mymap client authentication ias (radius server)
The crypto map configuration:
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set myset
crypto ipsec transform-set set_london esp-3des esp-sha-hmac
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address acl_aeiou
crypto map mymap 20 set pfs group2
crypto map mymap 20 set peer 11.22.33.44
crypto map mymap 20 set transform-set set_london
crypto map mymap 100 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp key netscreen address aa.bb.cc.dd netmask 255.255.aa.bb
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
05-24-2006 02:17 AM
Please find a fully working configuration from my lab; hope this helps. Also, as a reference, check the following document:
access-list nonat permit ip
access-list nonat permit ip
access-list 700 permit ip
access-list 300 permit ip
ip local pool vpn-ras-pool 172.x.x.1-172.x.x.10
nat (inside) 0 access-list nonat
aaa-server partnerauth (inside) host
sysopt connection permit-ipsec
crypto ipsec transform-set LAB1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set LAB1
crypto map labmap 1 ipsec-isakmp
crypto map labmap 1 match address 700
crypto map labmap 1 set peer
crypto map labmap 1 set transform-set LAB1
crypto map labmap 65535 ipsec-isakmp dynamic dynmap
crypto map labmap client authentication partnerauth
crypto map labmap interface outside
isakmp enable outside
isakmp key secretkey address
isakmp identity address
isakmp nat-traversal
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup labrasvpn address-pool vpn-ras-pool
vpngroup labrasvpn dns-server
vpngroup labrasvpn wins-server
vpngroup labrasvpn default-domain
vpngroup labrasvpn split-tunnel 300
vpngroup labrasvpn idle-time 1800
vpngroup labrasvpn password
Please rate post if it helps you.
Jay
05-24-2006 02:28 AM
Just wondering if you need to disable extended authentication for that peer:
isakmp key netscreen address aa.bb.cc.dd netmask 255.255.aa.bb no-xauth
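The situation this thread describes, as an added example that was not posted by anyone in the thread: a small Python checker that parses a PIX-style configuration and lists static site-to-site peers whose crypto map carries `client authentication` while their `isakmp key` line has no `no-xauth`. The sample configuration, its addresses and the server name are constructed placeholders modelled on the original post, and the checker only matches exact key addresses (netmask ranges are not expanded).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the configuration in the original post
# (addresses and the AAA server name are placeholders, not real values).
SAMPLE_CONFIG = """\
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address acl_aeiou
crypto map mymap 20 set peer 11.22.33.44
crypto map mymap 100 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication ias
crypto map mymap interface outside
isakmp key netscreen address 11.22.33.44 netmask 255.255.255.255
"""

# Same configuration with the exemption the last reply suggests.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "netmask 255.255.255.255", "netmask 255.255.255.255 no-xauth")

XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication \S+")
PEER_RE = re.compile(r"^crypto map (\S+) \d+ set peer (\S+)")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)(.*)$")


def xauth_exposed_peers(config_text):
    """Return [(map_name, peer)] for static peers that sit on a crypto map
    with 'client authentication' but have no 'no-xauth' on their key line.
    Hypothetical checker: only exact key addresses are matched, netmask
    ranges are not expanded."""
    xauth_maps = set()
    static_peers = defaultdict(set)
    exempt = set()
    for line in config_text.splitlines():
        line = line.strip()
        m = XAUTH_RE.match(line)
        if m:
            xauth_maps.add(m.group(1))
            continue
        m = PEER_RE.match(line)
        if m:
            static_peers[m.group(1)].add(m.group(2))
            continue
        m = KEY_RE.match(line)
        if m and "no-xauth" in m.group(2).split():
            exempt.add(m.group(1))
    return sorted((name, peer)
                  for name in xauth_maps
                  for peer in static_peers.get(name, ())
                  if peer not in exempt)


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("no-xauth", FIXED_CONFIG)):
        print(label, "->", xauth_exposed_peers(cfg) or "no exposed peers")
```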