Different local ident values using the same VPN profile

Daniel Boling

I have this configuration in many routers:

ip local pool COMPANYVPN_POOL

crypto ipsec transform-set COMPANYVPN_SET esp-3des esp-sha-hmac

crypto isakmp client configuration group COMPANYVPN
key <company_password>
dns <company_dns_ip>
domain <company_domain_name>


crypto isakmp profile COMPANY_IKE_PROFILE
match identity group COMPANYVPN
client authentication list COMPANYVPN_VPN_XAUTH
isakmp authorization list COMPANYVPN_VPN_GROUP
client configuration address respond
virtual-template 1

crypto ipsec profile COMPANYVPN_IPSEC_PROFILE
set transform-set COMPANYVPN_SET
set isakmp-profile COMPANYVPN_IKE_PROFILE

interface Virtual-Template1 type tunnel
ip unnumbered <internet-facing interface>
tunnel mode ipsec ipv4
tunnel protection ipsec profile COMPANYVPN_IPSEC_PROFILE

ip access-list extended COMPANYVPN_ACL
permit ip any
permit ip <company_subnet_id> <company_wildcard_mask> any

aaa new-model
aaa authentication login default local
aaa authentication login COMPANYVPN_VPN_XAUTH group radius
aaa authorization exec default local
aaa authorization network COMPANYVPN_VPN_GROUP local
radius-server host <company_radius_ip> key <radius_key>


This configuration works perfectly on every router I've configured using the Cisco VPN Client on Windows, and the native Cisco IPsec VPN client on Mac, except for this one. 

I have the above configured on a CISCO861-K9 and can successfully connect with both PC and Mac.  However, the Mac is unable to contact the local network. The show crypto ipsec sa command reveals the following:


   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (


   local  ident (addr/mask/prot/port): (

   remote ident (addr/mask/prot/port): (

The difference between this router and the others with the same configuration is that this router also has a site-to-site VPN configured (a crypto map is configured under the internet-facing interface). Why is the local ident assigned a different value for the Mac?

Thank you
