TCC_2
Level 10

Core issue

The VPN tunnel might not come up on the router if an Internet Security Association and Key Management Protocol (ISAKMP) profile is in use.

If the remote peer's IP address is statically NATed, the router looks at the ISAKMP datagram for the remote endpoint address instead of the packet header. With an ISAKMP profile, it appears that the router does phase 1 and a pseudo phase 1.5, so it actually looks at the datagram for the peer address instead of the header. When you use a crypto isakmp key line without ISAKMP profiles, the router looks only at the packet header for the remote peer address.

Resolution

Adding the match identity address command for the private IP address of the remote end to the ISAKMP profile should resolve this issue, as shown:

match identity address (remote peer's private IP address) 255.255.255.255

For more information, refer to ISAKMP Profile Overview.
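The resolution above in context, as an added example that is not part of the original article: an IOS keyring and ISAKMP profile fragment showing a profile that is not selected beside the corrected one. The addresses (203.0.113.10 as the peer's static NAT address, 192.168.50.2 as its private address), the names REMOTE-KR and REMOTE-PROF, and the key placeholder are assumptions made for illustration.

```cisco
! Constructed values for illustration only:
!   203.0.113.10  = static NAT (public) address of the remote peer
!   192.168.50.2  = private address configured on the remote peer
!   REMOTE-KR / REMOTE-PROF = hypothetical keyring and profile names
!
! Pre-shared key lookup. Assumed here to be keyed on the address in the
! packet header, which is what the article describes for "crypto isakmp key".
crypto keyring REMOTE-KR
 pre-shared-key address 203.0.113.10 key <pre-shared-key>
!
! Before: the profile matches only the NAT (packet header) address.
! The identity in the ISAKMP datagram is the peer's private address,
! so this profile is not selected and the tunnel does not come up.
crypto isakmp profile REMOTE-PROF
 keyring REMOTE-KR
 match identity address 203.0.113.10 255.255.255.255
!
! After: match the private address that the peer presents inside the
! ISAKMP datagram, as the resolution describes.
crypto isakmp profile REMOTE-PROF
 keyring REMOTE-KR
 no match identity address 203.0.113.10 255.255.255.255
 match identity address 192.168.50.2 255.255.255.255
!
! Check the result from exec mode:
!   show crypto isakmp sa
!   debug crypto isakmp
```

The /32 mask keeps the match pinned to the single expected peer; widening it lets any peer presenting an identity in that range select this profile.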

Problem Type

Troubleshoot software feature

Product Family

Routers

VPN - 3000 series concentrator

VPN 3000 Software Version

4.1

4.7

Cisco IOS Software Version

12.3

VPN Tunnel End Points

Router

VPN 3000 series

Selected PIX or Router Commands

isakmp

VPN Protocols

Internet Security Association and Key Management Protocol (ISAKMP) Authentication Methods

VPN Tunnel Initialization

IPSec session is not established
