IPSEC Keyring Not Working With Supernet Address

beacra
Level 1

Hi

I am working on a DMVPN design with IPsec, but I am having issues with the keyring / ISAKMP profile.

If I have:

!
crypto keyring TEST
 pre-shared-key address 10.0.0.0 255.0.0.0 key TESTKEY
!
crypto isakmp profile TEST
 keyring TEST
 match identity address 10.0.0.0 255.0.0.0
 local-address Lo0
!
crypto ipsec profile TEST
 set transform-set TEST
 set pfs group14
 set isakmp-profile TEST
!

it doesn't work; I keep seeing "fail_class_cnt:1".
But if I change it to something more specific:

!
crypto keyring TEST
 pre-shared-key address 10.0.0.0 255.0.0.0 key TESTKEY
 pre-shared-key address 10.1.1.0 255.255.255.252 key TESTKEY
!
crypto isakmp profile TEST
 keyring TEST
 match identity address 10.0.0.0 255.0.0.0
 match identity address 10.1.1.0 255.255.255.252
 local-address Lo0
!
crypto ipsec profile TEST
 set transform-set TEST
 set pfs group14
 set isakmp-profile TEST
!

it will work just fine, but my range of addresses makes it a nuisance to do specific addresses for each one. I really want them all to be grouped under a supernet address / key.

Is there something I am missing here? 

Does it just not like 10.0.0.0/8?

Edit: I have omitted the extra config as I don't think it's necessary, but consider that the local address is 10.150.1.1, for example, and the remote (spoke) is 10.1.1.1.
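An added example, not part of the post or of any Cisco code: a small Python check that parses the posted keyring's pre-shared-key lines and reports which address/mask entries cover a given peer address, longest mask first. It only models address-in-subnet matching; it does not claim to reproduce how IOS orders or selects keyring entries internally. The keyring text and the peer addresses (10.1.1.1, 10.150.1.1, 192.168.1.1) are constructed from the post, and the handling of a mask-less entry as a /32 host is this helper's assumption.

```python
import ipaddress
import re

# Constructed sample input: the two keyring variants from the post.
KEYRING_SUPERNET = """\
crypto keyring TEST
 pre-shared-key address 10.0.0.0 255.0.0.0 key TESTKEY
"""

KEYRING_SPECIFIC = """\
crypto keyring TEST
 pre-shared-key address 10.0.0.0 255.0.0.0 key TESTKEY
 pre-shared-key address 10.1.1.0 255.255.255.252 key TESTKEY
"""

# 'pre-shared-key address A.B.C.D [MASK] key KEY'; the mask is optional.
PSK_RE = re.compile(
    r"^\s*pre-shared-key\s+address\s+(\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+(\d+\.\d+\.\d+\.\d+))?\s+key\s+(\S+)\s*$"
)


def parse_keyring(text):
    """Return [(IPv4Network, key), ...] from the keyring's pre-shared-key lines.

    A line without a mask is treated as a single host (/32); that is an
    assumption of this helper, not something taken from the post.
    """
    entries = []
    for line in text.splitlines():
        m = PSK_RE.match(line)
        if not m:
            continue
        addr, mask, key = m.groups()
        net = ipaddress.IPv4Network((addr, mask or "255.255.255.255"), strict=False)
        entries.append((net, key))
    return entries


def matching_entries(entries, peer):
    """Entries whose address/mask covers 'peer', longest mask first.

    The ordering is this helper's choice for readability; it does not claim
    to reproduce the selection order IOS applies inside a keyring.
    """
    p = ipaddress.IPv4Address(peer)
    hits = [(net, key) for net, key in entries if p in net]
    hits.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return hits


def report(keyring_text, peer):
    """One human-readable line per peer: every covering entry, or none."""
    hits = matching_entries(parse_keyring(keyring_text), peer)
    if not hits:
        return f"{peer}: no keyring entry covers this address"
    return f"{peer}: " + ", ".join(f"{net} (key {key})" for net, key in hits)


if __name__ == "__main__":
    for name, text in (("supernet", KEYRING_SUPERNET), ("specific", KEYRING_SPECIFIC)):
        print(f"[{name} keyring]")
        for peer in ("10.1.1.1", "10.150.1.1", "192.168.1.1"):
            print("  " + report(text, peer))
```

Run as-is, it shows that the spoke address 10.1.1.1 is covered by the 10.0.0.0 255.0.0.0 entry in both keyrings, i.e. the supernet mask itself does not exclude the spoke; the more specific keyring simply adds a /30 entry that also covers it. Whatever produces "fail_class_cnt:1" therefore has to be read from the router's own ISAKMP debug output, which this helper does not model.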

2 Replies

Philip D'Ath
VIP Alumni
Are you sure there is not another entry that might be matching instead?

Personally - I think it is easier using a certificate based deployment. Then you don't match on IP addresses at all.

https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/117688-config-dmvpn-00.html

No, there is no other matching entry. In this instance there is a different IPsec/ISAKMP profile and keyring that has specific matches, but that profile is not applied to this tunnel, only the entries I've specified above.
I was wondering if something was going wrong such that it was also referencing the other keyring/profile; however, since it's all specified, it shouldn't even look at that.

Very strange :/
