03-14-2014 10:43 AM
Hello all,
Can't seem to fight my way out of this configuration. We have a router that is configured with IPSec Dynamic L2L peers and Remote access (pretty much using this configuration: LINK ). I'm not used to the keyring / Profile configuration. But I'm trying to add a tunnel without a profile, maybe a "non-dynamic" peer?
Here is the configuration:
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key PSK1
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key L2L-PSK2 address 76.113.24.103
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 10
!
crypto isakmp client configuration group VPN-Users
key PSK1
pool ippool
acl 171
!
crypto isakmp profile VPNclient
match identity group VPN-Users
client authentication list default
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile L2L
keyring spokes
match identity address 0.0.0.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set transform-1 esp-3des esp-md5-hmac
crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DynIPSecMap01 2
set transform-set ESP-3DES-MD5
set isakmp-profile VPNclient
crypto dynamic-map DynIPSecMap01 5
description tunnel_to_EEUU
set transform-set testset
match address 110
!
!
crypto map IPSecMap01 10 ipsec-isakmp
description REMO_ST_VPN
set peer 76.113.24.103
set transform-set ESP-AES-SHA
match address REMO_ST_VPN
crypto map IPSecMap01 10000 ipsec-isakmp dynamic DynIPSecMap01
interface Serial0/0/0:0
ip address 178.31.76.1 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
crypto map IPSecMap01
ip access-list extended REMO_ST_VPN
permit ip 172.18.38.0 0.0.0.255 172.16.202.0 0.0.0.255
!
access-list 10 permit 65.122.15.2
access-list 110 permit ip 172.18.35.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip 172.18.38.0 0.0.0.255 10.1.2.0 0.0.0.255
We are failing on Phase 1 because the PSKs are not matching. And getting this error:
ISAKMP:(3134):Key not found in keyrings of profile , aborting exchange
Can someone point me in the right direction?
Thanks for your time and support,
Nick
03-16-2014 09:56 PM
Try creating a new crypto isakmp profile to match the IP off the L2L peer. Then create a new crypto keyring for this peer instead of using the 'crypto isakmp key' command.
03-16-2014 10:04 PM
crypto keyring L2L2
pre-shared-key address 76.113.24.103 key L2LPSK
crypto isakmp profile L2L2
keyring L2L2
self-identity address
match identity address 76.113.24.103
04-09-2014 01:47 PM
Thanks guys, but I had fixed the problem before your replies. I just haven't had time to update my post. LA-Engineer was very close and his config might work. But I tried a configuration very close to his above, and it was not working for me. But again, maybe I was doing something wrong.
What I read somewhere (I've tried to find where but no luck) was that ISAKMP Profiles are matched to the closest match. Can someone confirm or deny this? As I cannot find where I read that. Anyway, what worked for me was a config very close to LA-Eng's config:
crypto isakmp profile L2L_SiteBA
keyring default
match identity address 76.113.24.103 255.255.255.255
and kept:
crypto isakmp key CandyIsGood address 76.113.24.103
This worked perfectly for me.
Thanks,
Nick
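A small model of the behaviour this thread works out, added here as an example and not taken from the thread or from Cisco. It assumes two things the posts describe but do not prove: that among profiles whose 'match identity address' covers the peer the most specific mask wins (the question Nick asks), and that once a profile is chosen only its keyring is searched, with 'keyring default' meaning the global 'crypto isakmp key' entries. The profile and key values are constructed from Nick's posts; the other peer address is made up.

```python
import ipaddress


def covers(match_net, peer):
    """True if the 'match identity address' network contains the peer IP."""
    return ipaddress.ip_address(peer) in ipaddress.ip_network(match_net, strict=False)


def select_profile(profiles, peer):
    """profiles: name -> {'match': 'a.b.c.d/len', 'keyring': name}.
    Assumption modelled here: the longest matching prefix wins."""
    cands = [(ipaddress.ip_network(p['match'], strict=False).prefixlen, name)
             for name, p in profiles.items() if covers(p['match'], peer)]
    return max(cands)[1] if cands else None


def lookup_psk(profiles, keyrings, global_keys, peer):
    """Return (profile name, PSK) the router would use for this peer.
    Only the selected profile's keyring is consulted; 'default' means
    the global 'crypto isakmp key' table (assumption, see lead-in)."""
    name = select_profile(profiles, peer)
    if name is None:
        return None, None
    ring = profiles[name]['keyring']
    entries = global_keys if ring == 'default' else keyrings.get(ring, {})
    # Within a keyring the most specific address entry wins as well.
    cands = [(ipaddress.ip_network(n, strict=False).prefixlen, k)
             for n, k in entries.items() if covers(n, peer)]
    return name, (max(cands)[1] if cands else None)


# Constructed from the original post: wildcard keyring 'spokes' plus a
# global key for the L2L peer, but only the wildcard profile exists.
KEYRINGS = {'spokes': {'0.0.0.0/0': 'PSK1'}}
GLOBAL_KEYS = {'76.113.24.103/32': 'L2L-PSK2'}
BEFORE = {'L2L': {'match': '0.0.0.0/0', 'keyring': 'spokes'}}
# Nick's fix: a specific profile that points at the global key table.
AFTER = dict(BEFORE, L2L_SiteBA={'match': '76.113.24.103/32', 'keyring': 'default'})

if __name__ == '__main__':
    # Before: the wildcard profile swallows the L2L peer and hands it PSK1.
    print(lookup_psk(BEFORE, KEYRINGS, GLOBAL_KEYS, '76.113.24.103'))
    # After: the specific profile wins and the global L2L key is used.
    print(lookup_psk(AFTER, KEYRINGS, GLOBAL_KEYS, '76.113.24.103'))
    # Other dynamic spokes still land on the wildcard profile.
    print(lookup_psk(AFTER, KEYRINGS, GLOBAL_KEYS, '203.0.113.9'))
```

The useful check is the first call: with only the wildcard profile, a dedicated site-to-site peer silently ends up on the shared spoke PSK, which is exactly the Phase 1 mismatch the thread describes.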
03-18-2014 03:50 AM
Hi Nick,
For L2L VPN preshared key you have defined both keyring as well as crypto isakmp key with specific remote peer ip address.
crypto isakmp key L2L-PSK2 address 76.113.24.103
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key PSK1
crypto isakmp profile L2L
keyring spokes
match identity address 0.0.0.0
Although you have called the keyring in the isakmp profile for any remote site IP address, it seems it is asking for the pre-shared key with the more specific peer. Remove the specific config using
no crypto isakmp key L2L-PSK2 address 76.113.24.103
HTH
"Please do rate helpful posts"