Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
584
Views
0
Helpful
0
Replies

Different local ident values using the same VPN profile

Daniel Boling
Level 1
Level 1

‎06-13-2013 07:33 AM - edited ‎03-04-2019 08:11 PM

I have this configuration in many routers:


ip local pool COMPANYVPN_POOL 172.30.255.1 172.30.255.254

crypto ipsec transform-set COMPANYVPN_SET esp-3des esp-sha-hmac

crypto isakmp client configuration group COMPANYVPN
key <company_password>
dns <company_dns_ip>
domain <company_domain_name>

pool COMPANYVPN_POOL
acl COMPANYVPN_ACL
netmask 255.255.255.0

crypto isakmp profile COMPANY_IKE_PROFILE
match identity group COMPANYVPN
client authentication list COMPANYVPN_VPN_XAUTH
isakmp authorization list COMPANYVPN_VPN_GROUP
client configuration address respond
      virtual-template 1

crypto ipsec profile COMPANYVPN_IPSEC_PROFILE
set transform-set COMPANYVPN_SET
set isakmp-profile COMPANYVPN_IKE_PROFILE

interface Virtual-Template1 type tunnel
ip unnumbered <internet-facing interface>
tunnel mode ipsec ipv4
tunnel protection ipsec profile COMPANYVPN_IPSEC_PROFILE


ip access-list extended COMPANYVPN_ACL
permit ip 172.30.255.0 0.0.0.255 any
permit ip <company_subnet_id> <company_wildcard_mask> any


aaa new-model
aaa authentication login default local
aaa authentication login COMPANYVPN_VPN_XAUTH group radius
aaa authorization exec default local
aaa authorization network COMPANYVPN_VPN_GROUP local
radius-server host <company_radius_ip> key <radius_key>

                  

This configuration works perfectly on every router I've configured using the Cisco VPN Client on Windows, and the native Cisco IPsec VPN client on Mac, except for this one. 

I have the above configured on a CISCO861-K9 and can successfully connect with both PC and Mac.  However, the Mac is unable to contact the local network. The show crypto ipsec sa command reveals the following:

PC:

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.30.255.52/255.255.255.255/0/0)

Mac:

   local  ident (addr/mask/prot/port): (172.30.255.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.30.255.53/255.255.255.255/0/0)

The difference in this router than the others with the same configuration, is that this router also has a site-to-site VPN configured (crypto map is configured under the internet-facing interface).  Why is the local ident assigned a different value for the Mac?

Thank you

1 person had this problem
Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card