
IPSec VPN tunnel does not come up with ISAKMP profile on router


Core issue

The VPN tunnel might not come up on the router if an Internet Security Association and Key Management Protocol (ISAKMP) profile is in use.

If the remote peer's IP address is statically NATed, the router takes the remote endpoint address from the ISAKMP datagram instead of the packet header. With an ISAKMP profile, it appears that the router does phase 1 and a pseudo 1.5, so it actually looks at the datagram for the peer address instead of the header. When you use a crypto isakmp key line without ISAKMP profiles, it just looks at the packet header for the remote peer address.

Resolution

Adding the match identity address command for the private IP address of the remote end to the ISAKMP profile should resolve this issue, as shown:

match identity address (remote peer's private IP address) 255.255.255.255
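A configuration sketch of this fix, added here as an example and not taken from the original article. All names (KR-REMOTE, PROF-REMOTE, TSET, CMAP, ACL 110), the key placeholder and both addresses are constructed: 203.0.113.10 stands for the peer's static NAT address and 10.1.1.1 for its private address. The commented-out "before" line is an assumed form of the failing configuration.

```cisco
! Constructed example: names, addresses and the key are placeholders.
! 203.0.113.10 = peer's static NAT address, seen in the packet header
! 10.1.1.1     = peer's private address, carried in the ISAKMP datagram
!
crypto keyring KR-REMOTE
 ! Assumption: the pre-shared key is looked up by the packet-header address
 pre-shared-key address 203.0.113.10 key <PRE-SHARED-KEY>
!
crypto isakmp profile PROF-REMOTE
 keyring KR-REMOTE
 ! Assumed failing form: profile matched on the NAT address, which never
 ! equals the address the peer presents inside the ISAKMP datagram.
 ! match identity address 203.0.113.10 255.255.255.255
 !
 ! Fix from this article: match the peer's private address as a host entry
 match identity address 10.1.1.1 255.255.255.255
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 ! The tunnel is still built toward the NAT address
 set peer 203.0.113.10
 set transform-set TSET
 set isakmp-profile PROF-REMOTE
 match address 110
```

Keep the 255.255.255.255 mask so the profile matches only that one peer identity rather than a whole private range.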

For more information, refer to ISAKMP Profile Overview.

Problem Type

Troubleshoot software feature

Product Family

Routers

VPN - 3000 series concentrator

VPN 3000 Software Version

4.1

4.7

Cisco IOS Software Version

12.3

VPN Tunnel End Points

Router

VPN 3000 series

Selected PIX or Router Commands

isakmp

VPN Protocols

Internet Security Association and Key Management Protocol (ISAKMP) Authentication Methods

VPN Tunnel Initialization

IPSec session is not established