03-05-2009 12:07 PM
I'm having configuration issues with a VPN connection that I'm trying to set up and I hope someone can help me out. I'm trying to establish a dynamic VPN connection from a remote 501 to a local 515. The 515 already has one tunnel set up but doesn't seem to want to set up the tunnel to the 501. I'm really new to VPN configuration so any assistance that anyone can offer would be greatly appreciated!
Thanks,
Steve
Here is the crypto configuration off of the 501:
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
And from the 515:
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 102
crypto map mymap 5 set peer x.x.x.x
crypto map mymap 5 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
crypto map colorado 10 ipsec-isakmp
crypto map colorado 10 set peer x.x.x.x
crypto map colorado 10 set peer y.y.y.y
crypto map colorado 10 set transform-set myset
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
03-05-2009 01:11 PM
Why are you attempting to create a dynamic VPN? It sounds like you need a simple L2L VPN. Am I missing something?
03-05-2009 01:12 PM
By Dynamic, I meant that we don't know the IP address of the remote site. Sorry for the confusion.
Steve
03-05-2009 01:24 PM
Steve,
Have you referenced the following configuration example? I think this is what you're attempting to do:
-Eddie
03-05-2009 01:28 PM
Yes, thanks, that's the guide I've been trying to go off of.
03-05-2009 01:40 PM
I don't see 'sysopt connection permit-ipsec' and 'isakmp identity address' in the 501 config. Are they present? Also, what do your crypto ACLs look like?
03-05-2009 01:44 PM
They are there; I didn't include them in the output for some reason. I can see the negotiation process start, but I get an IKMP_NO_ERR_NO_TRANS message as soon as the key negotiation starts. I'm not familiar with this message, so I'm not sure why the key negotiation is failing.
03-05-2009 01:53 PM
Steve,
Can you set your isakmp debug to a higher level and see if there are any other messages being generated? I don't think this message by itself is an indication of a specific problem. Please reference the following VPN debugging notes:
http://www.boerderie.com/VPNdebugging.html
-Eddie
03-05-2009 02:16 PM
Great site! Thanks a bunch. How do I set my ISAKMP debugging to a higher level? The only command I see is debug crypto isakmp.
Thanks,
Steve
03-05-2009 02:20 PM
debug crypto isakmp 9
The level argument sets the verbosity. I usually set it at 9 if I'm not seeing messages of any relevance.
Don't forget to do 'undebug all' when you're finished.
-Eddie
03-05-2009 02:37 PM
My groups were not lining up for ISAKMP - I had group 1 configured on the remote router, and group 2 configured on the primary PIX.
Steve
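The root cause above is a phase 1 policy mismatch: the 501 only offers 3DES/SHA/pre-share with DH group 1, while the 515 accepts only group 2 proposals, so IKE finds no acceptable transform. The following added example (not code from the thread or from Cisco) parses the isakmp policy lines from both posted configs, which are embedded here as constructed strings with key material omitted, and reports which attributes prevent a match before and after the group fix. It assumes the documented IKEv1 behaviour that authentication, encryption, hash and DH group must be identical, that the PIX default lifetime is 86400 seconds when no lifetime line is present, and that lifetime is negotiated down to the shorter value rather than being required to match.

```python
import re

# IKEv1 phase 1 attributes that must be identical between peers. Lifetime is
# negotiated separately: the responder accepts an equal or shorter lifetime
# and the shorter value wins, so it is not a cause of "no transform" failures.
STRICT_ATTRS = ("authentication", "encryption", "hash", "group")
DEFAULT_LIFETIME = 86400  # assumed PIX default when no lifetime line is present

POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$")


def parse_isakmp_policies(config: str) -> dict:
    """Collect 'isakmp policy <prio> <attr> <value>' lines into {prio: {attr: value}}."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
            policies.setdefault(prio, {})[attr] = value
    return policies


def compare_policies(pol_a: dict, pol_b: dict) -> list:
    """Return the strict attributes on which two policies disagree."""
    return [a for a in STRICT_ATTRS if pol_a.get(a) != pol_b.get(a)]


def find_phase1_match(initiator: dict, responder: dict):
    """Walk both policy sets in priority order (lowest number first) and return
    (initiator_prio, responder_prio, negotiated_lifetime) for the first pair that
    agrees on every strict attribute, or None if no proposal would be accepted."""
    for ip, ipol in sorted(initiator.items()):
        for rp, rpol in sorted(responder.items()):
            if not compare_policies(ipol, rpol):
                lifetime = min(int(ipol.get("lifetime", DEFAULT_LIFETIME)),
                               int(rpol.get("lifetime", DEFAULT_LIFETIME)))
                return ip, rp, lifetime
    return None


def mismatch_report(initiator: dict, responder: dict) -> dict:
    """Map every (initiator_prio, responder_prio) pair to its differing attributes."""
    return {(ip, rp): compare_policies(ipol, rpol)
            for ip, ipol in sorted(initiator.items())
            for rp, rpol in sorted(responder.items())}


# Constructed from the thread's posted configs; key material omitted.
PIX501_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""

PIX515_CONFIG = """\
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# The fix the thread arrived at: DH group 2 on the 501 as well.
PIX501_FIXED = PIX501_CONFIG.replace("group 1", "group 2")


def check(initiator_cfg: str, responder_cfg: str):
    """Parse both sides and return (match, report) for one phase 1 negotiation."""
    init = parse_isakmp_policies(initiator_cfg)
    resp = parse_isakmp_policies(responder_cfg)
    return find_phase1_match(init, resp), mismatch_report(init, resp)


if __name__ == "__main__":
    for label, cfg in (("as posted", PIX501_CONFIG), ("after fix", PIX501_FIXED)):
        match, report = check(cfg, PIX515_CONFIG)
        print(f"{label}: match={match}")
        for pair, diffs in report.items():
            print(f"  501 policy {pair[0]} vs 515 policy {pair[1]}: "
                  f"{'OK' if not diffs else 'differs on ' + ', '.join(diffs)}")
```

Run against the posted configs it reports no acceptable pair (policy 10 on the 501 differs from 515 policy 5 on encryption and group, and from 515 policy 10 on group alone), which is the condition behind the "no transform" message; with group 2 on the 501 it matches 515 policy 10 and the tunnel negotiates the shorter 1000 second lifetime. Paste the isakmp policy lines from any two peers into the two strings to run the same check on your own configs.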