Cisco IPSec site-to-site Tunnel

GW M
Level 1

I have two Cisco 2911 routers configured with a site-to-site IPsec tunnel w/pre-shared keys between the main site and a remote site. Both sites are also providing remote AnyConnect VPN client access. I would like to use Main mode versus Aggressive mode for the site-to-site tunnel and only allow Aggressive mode for the VPN clients. Is there a way to do this? Below is the remote site config:

crypto keyring site2site
  pre-shared-key address x.x.x.50 key 6 xxxxxxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group remote-clients
 key 6 xxxxxxxx
 pool VPN-clients
 acl 104
 max-logins 1
crypto isakmp profile site-to-site
   description Site to site VPN Tunnel profile connection
   keyring site2site
   match identity address x.x.x.50 255.255.255.255
   keepalive 30 retry 3
crypto isakmp profile vpnclients
   description VPN Clients profile connection
   match identity group remote-clients
   client authentication list vpnclientauth
   isakmp authorization list vpngroupauth
   client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 2
 set transform-set ESP-3DES-SHA
 set isakmp-profile vpnclients
 reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer x.x.x.50
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile site-to-site
 match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

interface GigabitEthernet0/0
 ip address dhcp client-id GigabitEthernet0/0
 crypto map SDM_CMAP_1

19 Replies

I can force the site-to-site to use Main mode by issuing the "crypto isakmp aggressive-mode disable" command and it works great! Unfortunately, the VPN clients can't connect because they want to use Aggressive mode. Is there a way to use the "crypto isakmp aggressive-mode disable" command to force all site-to-site tunnels to use Main mode and issue some other command specifically for the VPN clients that forces them to use Aggressive mode?

GW

Unfortunately my reading of the documentation is that aggressive-mode disable is a global command. If you disable it then it is disabled for everyone. I continue to wonder if the way to resolve your issue is to have a way to tell whether the incoming request for ISAKMP is related to site to site or to remote access.


You have logic in the config that would do the right thing once we know whether the request will be for remote access or for site to site. But when that initial request comes in the router does not know which it will be.

HTH

Rick

Agree. I will have to run debug and find out if it's using Main mode or Aggressive mode again without the "crypto isakmp aggressive-mode disable" command.


Thank you for your help

GW

I agree that debug ISAKMP may provide useful information. I am interested in how this turns out. Please update us as you make progress with this.

HTH

Rick

GW


I have thought about this some more and believe that it is important to run debug for ISAKMP and to understand what is happening in the negotiation. I would suggest that we need to look at the negotiation when the tunnel is first initiated but also need to look at the negotiation as an existing SA is about to expire and a new SA is negotiated to take its place.

HTH

Rick
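Rick's suggestion is to watch the ISAKMP negotiation with debug, both when the tunnel is first brought up and again when an SA expires and is renegotiated. As an added example that is not part of this thread and not Cisco tooling, the Python script below makes the same distinction from captured UDP/500 payloads instead of debug output: it parses the fixed 28-byte ISAKMP header (RFC 2408) and reports, per source address, whether a peer used Main mode (Identity Protection, exchange type 2), Aggressive mode (exchange type 4) or a phase-2 Quick mode rekey (exchange type 32). The packets, SPIs and addresses in it are constructed placeholders, not captures from the poster's routers, and the classifier assumes plain IKEv1 on UDP/500 (no NAT-T marker).

```python
"""Classify IKEv1 (ISAKMP) exchanges from raw UDP/500 payloads.

Added example, not from the thread or from Cisco. Parses the fixed
ISAKMP header (RFC 2408 section 3.1) and reports, per source address,
which exchange types a peer used. Sample packets are constructed for
the demonstration; addresses are documentation-range placeholders.
"""
import struct
from collections import defaultdict

# Initiator SPI (8), Responder SPI (8), Next Payload, Version, Exchange
# Type, Flags (1 each), Message ID (4), Length (4): 28 bytes in total.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange type values from RFC 2408 / RFC 2409 (IKEv1).
EXCHANGE_TYPES = {
    0: "NONE",
    1: "BASE",
    2: "MAIN",           # "Identity Protection" exchange
    3: "AUTH_ONLY",
    4: "AGGRESSIVE",
    5: "INFORMATIONAL",
    32: "QUICK",         # phase-2 IPsec SA negotiation / rekey
    33: "NEW_GROUP",
}


def parse_isakmp_header(payload: bytes) -> dict:
    """Parse the fixed ISAKMP header; raise ValueError if truncated."""
    if len(payload) < ISAKMP_HEADER.size:
        raise ValueError("payload shorter than ISAKMP header")
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(payload)
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "next_payload": next_payload,
        "exchange": EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
        "encrypted": bool(flags & 0x01),   # E bit: payloads after header are encrypted
        "message_id": msg_id,
        "length": length,
    }


def classify_negotiations(packets):
    """packets: iterable of (src_ip, dst_ip, payload).

    Returns {src_ip: set of exchange names} for IKEv1 traffic only;
    truncated payloads and IKEv2 (major version 2) are skipped.
    """
    seen = defaultdict(set)
    for src, _dst, payload in packets:
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError:
            continue
        if hdr["major_version"] != 1:
            continue  # IKEv2 has no Main/Aggressive distinction
        seen[src].add(hdr["exchange"])
    return dict(seen)


def aggressive_mode_peers(packets):
    """Source addresses that initiated an Aggressive mode exchange."""
    return sorted(ip for ip, modes in classify_negotiations(packets).items()
                  if "AGGRESSIVE" in modes)


def make_packet(exchange_type, message_id=0, flags=0,
                i_spi=b"\x11" * 8, r_spi=b"\x00" * 8):
    """Build a constructed ISAKMP header (next payload 1 = SA, version 1.0)."""
    return ISAKMP_HEADER.pack(i_spi, r_spi, 1, 0x10, exchange_type, flags,
                              message_id, ISAKMP_HEADER.size)


# Constructed sample traffic: a site-to-site peer in Main mode, a Quick mode
# rekey from the local router, a remote client in Aggressive mode, and junk.
SAMPLE_PACKETS = [
    ("198.51.100.50", "203.0.113.10", make_packet(2)),
    ("203.0.113.10", "198.51.100.50", make_packet(32, message_id=0x1234, flags=1)),
    ("192.0.2.77", "203.0.113.10", make_packet(4, i_spi=b"\x22" * 8)),
    ("192.0.2.77", "203.0.113.10", b"\x00" * 10),
]

if __name__ == "__main__":
    for ip, modes in sorted(classify_negotiations(SAMPLE_PACKETS).items()):
        print(ip, sorted(modes))
    print("aggressive-mode initiators:", aggressive_mode_peers(SAMPLE_PACKETS))
```

Feed it the UDP/500 payloads from a capture on the outside interface and the list of Aggressive mode initiators is exactly the set of peers that would stop connecting if aggressive mode were disabled globally; running it over a capture that spans an SA lifetime also shows whether a rekey arrives as a Quick mode exchange under the existing phase-1 SA or as a fresh phase-1 negotiation, which is the second case Rick asks to look at.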