09-28-2011 12:56 PM - edited 02-21-2020 05:37 PM
I have been doing some testing with mGRE tunnels and adding IPsec encryption to them so I can route my VoIP phones through the tunnels. I have found something interesting and am looking for an explanation as to why this is.
I have 3 sites, one of which is considered the hub and the other two are considered spokes. I create the following configuration on all three routers:
crypto isakmp policy 5
 encryption aes 128
 authentication pre-share
 group 2
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto ipsec profile medium
 set transform-set strong
then under the tunnel interface I apply the following command:
tunnel protection ipsec profile medium
With this config the first tunnel, between the hub and spoke 1, comes up with no problems; however, the spoke 2 router will never establish a tunnel.
What I have discovered is that if I change this command on all three routers, all of the tunnels come up and everything works. But why?
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0 no-xauth
Why does adding the no-xauth allow all of the tunnels to establish connectivity?
What exactly does the no-xauth do and does adding it pose any security risk?
Thanks for any input.
09-28-2011 01:33 PM
Hi There,
The "no-xauth" keyword is telling the router not to try extended authentication for the VPN tunnels.
Extended authentication (username and password) is used only when you are connecting VPN clients. If you have VPN clients and dynamic keys configured on the router, you must add the "no-xauth" keyword at the end of those lines so that it doesn't try to authenticate the routers using a user/pass combination.
The keyword is there for that specific reason and you are not adding any security risk by adding it.
HTH.
Raga
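The two things that went wrong in the poster's fragment are both mechanical and easy to catch before pushing the config: a wildcard pre-shared key line (address 0.0.0.0 0.0.0.0) that lacks the no-xauth keyword, and an ipsec profile whose set transform-set points at a name that is never defined. The script below is an added example, not code from the thread or from Cisco; it is a small config lint that reads an IOS running-config fragment, reports both problems, and rewrites the wildcard key line with no-xauth appended. The sample config is constructed to mirror the poster's fragment, with the transform-set reference deliberately left pointing at a set named medium (which is not defined) so the lint has something to find. Note that the keyword itself is not the weak point: a 0.0.0.0 0.0.0.0 entry accepts the same pre-shared key from any peer address, so the key's secrecy is what protects the tunnels.

```python
"""Lint ISAKMP pre-shared-key and IPsec profile lines in a Cisco IOS config.

Added example, not from the original thread. Checks for:
  * wildcard pre-shared keys (address 0.0.0.0 0.0.0.0) without no-xauth
  * ipsec profiles that reference a transform-set that is never defined
and offers a fixer that appends no-xauth to the wildcard key lines.
"""
import re

# Constructed sample mirroring the poster's fragment. The profile references
# a transform-set named "medium" that is never defined, and the wildcard key
# line has no no-xauth keyword.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encryption aes 128
 authentication pre-share
 group 2
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto ipsec profile medium
 set transform-set medium
"""

IPV4 = r"\d+(?:\.\d+){3}"
# Optional "0"/"6" encryption-type digit before the key is allowed.
ISAKMP_KEY_RE = re.compile(
    r"^crypto isakmp key\s+(?:\d\s+)?(?P<key>\S+)\s+address\s+"
    rf"(?P<addr>{IPV4})(?:\s+(?P<mask>{IPV4}))?(?P<rest>.*)$"
)
TRANSFORM_SET_RE = re.compile(r"^crypto ipsec transform-set\s+(?P<name>\S+)")
PROFILE_RE = re.compile(r"^crypto ipsec profile\s+(?P<name>\S+)")
SET_TS_RE = re.compile(r"^\s+set transform-set\s+(?P<names>.+)$")


def _is_wildcard_without_xauth(m: "re.Match[str]") -> bool:
    """True when the matched key line is 0.0.0.0 0.0.0.0 and lacks no-xauth."""
    wildcard = m["addr"] == "0.0.0.0" and m["mask"] == "0.0.0.0"
    return wildcard and "no-xauth" not in m["rest"].split()


def lint_config(text: str) -> list[str]:
    """Return a list of human-readable findings, one per problem found."""
    findings = []
    transform_sets = set()
    profile_refs = []          # (line number, profile name, transform-set name)
    current_profile = None     # profile sub-mode we are currently inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        m = ISAKMP_KEY_RE.match(line)
        if m:
            current_profile = None
            if _is_wildcard_without_xauth(m):
                findings.append(
                    f"line {lineno}: wildcard pre-shared key without no-xauth")
            continue
        m = TRANSFORM_SET_RE.match(line)
        if m:
            current_profile = None
            transform_sets.add(m["name"])
            continue
        m = PROFILE_RE.match(line)
        if m:
            current_profile = m["name"]
            continue
        m = SET_TS_RE.match(line)
        if m and current_profile:
            for name in m["names"].split():
                profile_refs.append((lineno, current_profile, name))
            continue
        if line and not line.startswith(" "):
            current_profile = None  # any other top-level command ends the sub-mode
    for lineno, profile, name in profile_refs:
        if name not in transform_sets:
            findings.append(
                f"line {lineno}: profile {profile} references undefined "
                f"transform-set {name}")
    return findings


def add_no_xauth(text: str) -> str:
    """Return the config with no-xauth appended to wildcard key lines lacking it."""
    out = []
    for line in text.splitlines():
        m = ISAKMP_KEY_RE.match(line)
        if m and _is_wildcard_without_xauth(m):
            line = line.rstrip() + " no-xauth"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
    print("--- with no-xauth applied ---")
    print(add_no_xauth(SAMPLE_CONFIG))
```

Running it against the constructed sample reports the missing no-xauth on the key line and the undefined transform-set reference; after add_no_xauth only the transform-set finding remains, which is the part the lint cannot fix for you because it does not know which set was intended.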
09-28-2011 02:12 PM
Raga,
Thank you for your answer. This certainly cleared up my questions and concerns about this command.
09-28-2011 02:14 PM
Great. Glad I could help