10-05-2017 04:05 PM - edited 02-21-2020 09:24 PM
Hi
I am working on a DMVPN design with IPsec.
But I am having issues with the keyring / ISAKMP profile.
If I have:
!
crypto keyring TEST
 pre-shared-key address 10.0.0.0 255.0.0.0 key TESTKEY
!
crypto isakmp profile TEST
 keyring TEST
 match identity address 10.0.0.0 255.0.0.0
 local-address Lo0
!
crypto ipsec profile TEST
 set transform-set TEST
 set pfs group14
 set isakmp-profile TEST
!
it doesn't work, I keep seeing "fail_class_cnt:1"
But if I change it to a more specific:
!
crypto keyring TEST
 pre-shared-key address 10.0.0.0 255.0.0.0 key TESTKEY
 pre-shared-key address 10.1.1.0 255.255.255.252 key TESTKEY
!
crypto isakmp profile TEST
 keyring TEST
 match identity address 10.0.0.0 255.0.0.0
 match identity address 10.1.1.0 255.255.255.252
 local-address Lo0
!
crypto ipsec profile TEST
 set transform-set TEST
 set pfs group14
 set isakmp-profile TEST
!
It will work just fine,
but my range of addresses makes it a nuisance to do specific addresses for each one. I really want them all to be grouped into a supernet address / key.
Is there something I am missing here?
Does it just not like the 10.0.0.0/8 ?
edit: I have omitted the extra code as I don't think it's necessary, but consider that the local address is 10.150.1.1 for example and the remote (spoke) is 10.1.1.1
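An added check (example code, not from the post or from Cisco) that parses the two keyring / ISAKMP-profile configurations above and reports which `pre-shared-key address` and `match identity address` entries cover the spoke 10.1.1.1, most specific first. It models only the address-AND-mask comparison those commands perform, not the full IOS keyring and profile selection order, and the config text is constructed here in one-command-per-line form.

```python
# Added example: which keyring / ISAKMP-profile address entries cover a peer?
# Models only the address-AND-mask test of `pre-shared-key address A M` and
# `match identity address A M`, not the full IOS selection order.
import ipaddress
import re

# Constructed samples: the two configurations from the post, one command per line.
SUPERNET_CONFIG = """
crypto keyring TEST
 pre-shared-key address 10.0.0.0 255.0.0.0 key TESTKEY
crypto isakmp profile TEST
 keyring TEST
 match identity address 10.0.0.0 255.0.0.0
 local-address Lo0
"""
SPECIFIC_CONFIG = """
crypto keyring TEST
 pre-shared-key address 10.0.0.0 255.0.0.0 key TESTKEY
 pre-shared-key address 10.1.1.0 255.255.255.252 key TESTKEY
crypto isakmp profile TEST
 keyring TEST
 match identity address 10.0.0.0 255.0.0.0
 match identity address 10.1.1.0 255.255.255.252
 local-address Lo0
"""

SECTION_RE = re.compile(r"^crypto (keyring|isakmp profile) (\S+)")
ENTRY_RE = re.compile(r"^\s+(?:pre-shared-key address|match identity address) (\S+) (\S+)")


def parse_entries(config):
    """Return (section, IPv4Network) for every address/mask entry, in config order."""
    section, entries = None, []
    for line in config.splitlines():
        if m := SECTION_RE.match(line):
            section = f"{m.group(1)} {m.group(2)}"
        elif section and (m := ENTRY_RE.match(line)):
            # "10.0.0.0 255.0.0.0" -> 10.0.0.0/8; strict=False tolerates host bits
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            entries.append((section, net))
    return entries


def matches_for(config, peer):
    """Entries covering peer, longest prefix first, as (section, 'addr/len') tuples."""
    addr = ipaddress.IPv4Address(peer)
    hits = [(s, net) for s, net in parse_entries(config) if addr in net]
    hits.sort(key=lambda e: e[1].prefixlen, reverse=True)  # stable: config order within a mask
    return [(s, str(net)) for s, net in hits]
```

Running `matches_for(SUPERNET_CONFIG, "10.1.1.1")` shows the /8 entries do cover the spoke, so the failure is not the entry's mask failing to match the peer address.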
10-05-2017 06:45 PM
10-08-2017 02:08 PM
Nah, no other matching entry. In this instance there is a different IPsec/ISAKMP profile and keyring that has specific matches, but that profile is not applied to this tunnel, only the entries I've specified above.
I was wondering if something was going wrong and it was also referencing the other keyring/profile;
however, since it's all specified, it shouldn't even look at that.
Very strange :/