Different local ident values using the same VPN profile

Daniel Boling
Beginner

I have this configuration on many routers:

ip local pool COMPANYVPN_POOL 172.30.255.1 172.30.255.254

crypto ipsec transform-set COMPANYVPN_SET esp-3des esp-sha-hmac

crypto isakmp client configuration group COMPANYVPN
 key <company_password>
 dns <company_dns_ip>
 domain <company_domain_name>
 pool COMPANYVPN_POOL
 acl COMPANYVPN_ACL
 netmask 255.255.255.0

crypto isakmp profile COMPANYVPN_IKE_PROFILE
 match identity group COMPANYVPN
 client authentication list COMPANYVPN_VPN_XAUTH
 isakmp authorization list COMPANYVPN_VPN_GROUP
 client configuration address respond
 virtual-template 1

crypto ipsec profile COMPANYVPN_IPSEC_PROFILE
 set transform-set COMPANYVPN_SET
 set isakmp-profile COMPANYVPN_IKE_PROFILE

interface Virtual-Template1 type tunnel
 ip unnumbered <internet-facing interface>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile COMPANYVPN_IPSEC_PROFILE

ip access-list extended COMPANYVPN_ACL
 permit ip 172.30.255.0 0.0.0.255 any
 permit ip <company_subnet_id> <company_wildcard_mask> any

aaa new-model
aaa authentication login default local
aaa authentication login COMPANYVPN_VPN_XAUTH group radius
aaa authorization exec default local
aaa authorization network COMPANYVPN_VPN_GROUP local
radius-server host <company_radius_ip> key <radius_key>

This configuration works perfectly on every router I've configured using the Cisco VPN Client on Windows, and the native Cisco IPsec VPN client on Mac, except for this one. 

I have the above configured on a CISCO861-K9 and can successfully connect with both PC and Mac. However, the Mac is unable to contact the local network. The show crypto ipsec sa command reveals the following:

PC:

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.30.255.52/255.255.255.255/0/0)

Mac:

   local  ident (addr/mask/prot/port): (172.30.255.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.30.255.53/255.255.255.255/0/0)

The difference between this router and the others with the same configuration is that this router also has a site-to-site VPN configured (a crypto map is applied under the internet-facing interface). Why is the local ident assigned a different value for the Mac?

Thank you
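The two excerpts above differ only in the local ident, which is the router-side proxy identity of the IPsec SA: with 0.0.0.0/0.0.0.0 the SA covers traffic to and from any router-side address, while with 172.30.255.0/255.255.255.0 it covers only traffic whose router-side address is in the client pool, so packets between the client and the company LAN have no matching SA. When a router carries many remote-access sessions it is easier to let a script pick out the sessions whose proxy identity deviates from the one a working client negotiated than to read show crypto ipsec sa by eye. The following Python is an added example for this thread, not code from the original post or from Cisco; the sample output is constructed (hypothetical Virtual-Access interface names, peer addresses and the local addr are made up) and loosely modelled on IOS show crypto ipsec sa output, with the two ident pairs taken from the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two remote-access sessions, modelled loosely on IOS
# "show crypto ipsec sa" output. Interface names, peers and local addr are
# hypothetical; the ident lines are the two pairs quoted in the post.
SAMPLE_OUTPUT = """
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 198.51.100.1

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.30.255.52/255.255.255.255/0/0)
   current_peer 203.0.113.10 port 4500

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 198.51.100.1

   local  ident (addr/mask/prot/port): (172.30.255.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.30.255.53/255.255.255.255/0/0)
   current_peer 203.0.113.11 port 4500
"""

IFACE_RE = re.compile(r"^\s*interface:\s+(?P<iface>\S+)")
IDENT_RE = re.compile(
    r"^\s*(?P<side>local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)"
)
PEER_RE = re.compile(r"^\s*current_peer\s+(?P<peer>[\d.]+)")


@dataclass
class SaEntry:
    """One IPsec SA as seen from the router: interface, peer and proxy IDs."""
    interface: str
    peer: str = ""
    local: tuple = field(default_factory=lambda: ("", ""))   # (addr, mask)
    remote: tuple = field(default_factory=lambda: ("", ""))  # (addr, mask)


def parse_ipsec_sa(text):
    """Extract (interface, local ident, remote ident, peer) for every SA.

    A new entry starts at each "local ident" line, so an interface block that
    lists several SAs yields several entries.
    """
    entries = []
    interface = ""
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            interface = m.group("iface")
            continue
        m = IDENT_RE.match(line)
        if m:
            pair = (m.group("addr"), m.group("mask"))
            if m.group("side") == "local":
                entries.append(SaEntry(interface=interface, local=pair))
            elif entries:
                entries[-1].remote = pair
            continue
        m = PEER_RE.match(line)
        if m and entries:
            entries[-1].peer = m.group("peer")
    return entries


def proxy_mismatches(entries, expected_local=("0.0.0.0", "0.0.0.0")):
    """Return the SAs whose router-side proxy ID differs from the expected one.

    The default is the local ident the working (PC) session negotiated in
    the post; sessions with a narrower local ident only protect traffic
    to and from that subnet.
    """
    return [e for e in entries if e.local != expected_local]


def describe(entry):
    """One-line summary of an SA, for a report."""
    return (f"{entry.interface} peer={entry.peer} "
            f"local={entry.local[0]}/{entry.local[1]} "
            f"remote={entry.remote[0]}/{entry.remote[1]}")


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_OUTPUT)
    for sa in proxy_mismatches(sas):
        print("unexpected local ident:", describe(sa))
```

Run against a saved copy of show crypto ipsec sa from the 861 and the report lists only the Mac session; the same script run on a router where every session shows 0.0.0.0/0.0.0.0 prints nothing, which makes it a quick regression check after any change to the crypto map or the ISAKMP profiles on that box.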
