IPSec Router Dynamic LAN-to-LAN Peer and VPN Clients

J.altami01
Level 1

Can anyone help me with this...?

I am using a 2821 router as a VPN server for mobile users and LAN2LAN sites.

I am using the configuration type from the following link:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

At this moment the mobile users are able to connect to the VPN server, but not the remote sites, which are using dynamic IPs (DSL) and NAT from the provider. I am using Cisco 831 routers as terminal equipment.

The debug log shows a message like this

"""019088: *Feb 23 18:26:24.668 PCTime: ISAKMP: reserved not zero on ID payload!

019089: *Feb 23 18:26:24.668 PCTime: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 201.102.203.208 f

ailed its sanity check or is malformed""""

I am attaching the log message as well as the configs used.

Best regards

JCar

3 Replies

attrgautam
Level 5

I am kind of confused on this. Why do you want to NAT the traffic going to the hub through IPSec? And I suggest doing tunnel mode instead of transport mode and NATting it. What you have done looks kind of scary to me ;-)

The reason I am saying this is that IPSec transport mode requires you to define traffic between the crypto peers in the crypto ACL, and not the internal LAN. Let me know if you need any more info.

There is a third box (from the DSL provider) which is doing NAT. If I remove the NAT from the Cisco 831 I lose communication through the hub.

Diagram:

cisco 831-->DSL-box-->Internet<---Hub server

Now a question... as I understand it, to configure tunnel mode I have to enable GRE. Is that correct?

Thanks a lot for your comments

Yes, correct, you will have to do GRE or L2TP to use transport mode. The crypto ACL will have to permit traffic between the peers only.
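To make the two approaches discussed in the replies concrete, here is an added IOS configuration sketch. It is not the configuration from the thread, from the attached files, or from the linked Cisco document. The hostnames, interface names, crypto map and transform-set names, ACL numbers, the pre-shared key placeholder and all addresses (203.0.113.1 for the hub, 198.51.100.2 for the spoke, 192.168.1.0/24 and 10.0.0.0/24 for the LANs) are assumed for illustration. The first part is the tunnel-mode design the reply recommends for spokes with dynamic addresses behind a provider NAT; the second part shows, with an assumed static spoke address, how the crypto ACL changes when GRE over IPsec in transport mode is used instead.

```cisco
! ===== Hub (2821, static public address 203.0.113.1) =====
! A dynamic crypto map accepts LAN-to-LAN peers whose public address is
! not known in advance (DSL spokes with dynamic IPs).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Wildcard pre-shared key because the spoke address is dynamic (placeholder value)
crypto isakmp key SPOKE-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
! NAT-T is negotiated automatically on IOS releases that support it; the
! keepalive keeps the provider NAT mapping for UDP/4500 open while idle
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set TS-TUNNEL esp-3des esp-sha-hmac
 mode tunnel
!
crypto dynamic-map DYN-L2L 10
 set transform-set TS-TUNNEL
 ! inject a route to the spoke LAN when its SA comes up
 reverse-route
!
crypto map CM-HUB 10 ipsec-isakmp dynamic DYN-L2L
!
interface GigabitEthernet0/0
 description Internet (assumed 203.0.113.1)
 crypto map CM-HUB

! ===== Spoke (831, dynamic address behind provider NAT), tunnel mode =====
! In tunnel mode the crypto ACL names the protected LAN-to-LAN traffic;
! the 831 does not NAT this traffic itself.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key SPOKE-PSK-PLACEHOLDER address 203.0.113.1
!
crypto ipsec transform-set TS-TUNNEL esp-3des esp-sha-hmac
 mode tunnel
!
crypto map CM-SPOKE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-TUNNEL
 match address 101
! Protected traffic: spoke LAN 192.168.1.0/24 <-> hub LAN 10.0.0.0/24 (assumed)
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
interface Ethernet1
 description WAN toward DSL box
 crypto map CM-SPOKE

! ===== Contrast: GRE over IPsec in transport mode (spoke side) =====
! Assumes a static spoke address 198.51.100.2 so both peers can be named.
! As the reply states, transport mode protects traffic between the peers
! themselves, so the crypto ACL matches only GRE between the two public
! addresses; the LAN-to-LAN traffic rides inside Tunnel0.
crypto ipsec transform-set TS-TRANSPORT esp-3des esp-sha-hmac
 mode transport
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.1
!
ip route 10.0.0.0 255.255.255.0 Tunnel0
!
access-list 102 permit gre host 198.51.100.2 host 203.0.113.1
crypto map CM-SPOKE-GRE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-TRANSPORT
 match address 102
```

After applying either variant, `show crypto isakmp sa` shows whether phase 1 reached the active state with the hub, and `show crypto ipsec sa` shows the negotiated proxy identities and the encaps/decaps counters, which is the quickest way to confirm that the crypto ACL on each side describes the same traffic.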