02-04-2011 12:48 PM - edited 02-21-2020 05:08 PM
Hi guys,
I have a weird problem on an IOS router.
I need to implement an IPSec L2L VPN.
Because of security requirements every site needs its own pre-shared key. The sites have dynamic IPs and that is
why I am using dyndns.
crypto isakmp key KEY hostname XXXXXXXXXXX.dyndns.org
crypto map CMAP_1 1 ipsec-isakmp
set peer XXXXXXXXX.dyndns.org dynamic
At first it works great, but after the IP address change it is not working anymore.
On debug I found out that it resolves the new IP, but IPSec is trying to connect to the previous IP.
I tried this on two different IOS versions, 15.0 and 12.4.
This is the debug output:
Mar 1 01:02:39.735: IPSEC: Peer Link70's addr (70.1.1.3) is stale, triggering DNS
*Mar 1 01:02:39.735: IPSEC: Peer has the (DNS cached) address 70.1.1.3. New IP
*Mar 1 01:02:41.731: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 1.1.1.2, remote= 70.1.1.200, OLD IP
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.254.70.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 240s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar 1 01:02:41.739: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 01:02:41.739: ISAKMP: Created a peer struct for 70.1.1.200, peer port 500
*Mar 1 01:02:41.739: ISAKMP: New peer created peer = 0x673FB268 peer_handle = 0x80000008
*Mar 1 01:02:41.739: ISAKMP: Locking peer struct 0x673FB268, refcount 1 for isakmp_initiator
*Mar 1 01:02:41.743: ISAKMP: local port 500, remote port 500
*Mar 1 01:02:41.743: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 01:02:41.743: insert sa successfully sa = 650AE400
*Mar 1 01:02:41.747: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 1 01:02:41.747: ISAKMP:(0):No pre-shared key with 70.1.1.200! PROBLEM!!!
*Mar 1 01:02:41.747: ISAKMP:(0): No Cert or pre-shared address key. PROBLEM!!!
*Mar 1 01:02:41.747: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar 1 01:02:41.751: ISAKMP: Unlocking peer struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
*Mar 1 01:02:41.751: ISAKMP: Deleting peer node by peer_reap for 70.1.1.200: 673FB268
*Mar 1 01:02:41.751: ISAKMP:(0):purging SA., sa=650AE400, delme=650AE400
*Mar 1 01:02:41.755: ISAKMP:(0):purging node -267512777
*Mar 1 01:02:41.755: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 1 01:02:41.755: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 1 01:02:41.759: IPSEC(key_engine): got a queue event with 1 KMI message(s)....
Success rate is 0 percent (0/5)
I built a lab to find a solution for this.
On the other side is a Linksys VPN router; I tried with an IOS router on both sides too, but got the same results.
I tried with DPD, ISAKMP profiles... no help.
02-06-2011 01:35 PM
Hi Smailmilak83,
Configuring a static crypto map with a specific peer creates an SA for the peer. Now the DNS lookup will happen only the first time it tries to connect, after which it's just going to be the rekey. So it would ideally use the peer value in the SA and not the config, nor does it do a DNS lookup. So it's wise to use a dynamic crypto map.
Please try using a dynamic crypto map instead of a static one. Although there are certain limitations, such as crypto being initiated only from the other end, we can work around it by keeping the tunnel live.
Hope that helps.
Sent from Cisco Technical Support iPhone App
--Please rate the solutions.
02-07-2011 07:23 AM
Hi,
I managed to solve this one.
Adding the default command under the crypto map helped me.
set peer HOSTNAME dynamic default
Your idea is great too. I have not tried it but I am sure that it would work.
Do you know how to get less downtime when the remote peer gets a new IP? What timer should I tune?
IPSec SA lifetime, idle-timer...?
Right now I am using an IPSec SA lifetime of 240 seconds. There will be maybe 200 locations. I hope that this is not too much for a 1841 router.
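For reference, here is an added example configuration (not from this thread or from Cisco) that puts together the setup described in the original question, the per-site pre-shared keys bound to DynDNS hostnames, the "set peer ... dynamic default" fix from the follow-up post, and the dynamic crypto map alternative from the reply above. Hostnames, keys, the name-server address, ACL and map names are placeholders I chose; the transform set and 240-second lifetime match the debug output.

```cisco
! Added example (not the thread's own config). All names, keys and addresses are placeholders.
ip domain lookup
ip name-server 192.0.2.53
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! One pre-shared key per remote site, bound to its DynDNS name rather than to an IP,
! so a changed address does not leave ISAKMP without a key for the new peer.
crypto isakmp key SITE1-PSK hostname site1.example.dyndns.org
crypto isakmp key SITE2-PSK hostname site2.example.dyndns.org
!
! DPD: notice a dead peer quickly so the next SA request re-resolves the hostname.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
! Short lifetime, as in the thread; shorter rekeys mean more ISAKMP/IPsec work per site.
crypto ipsec security-association lifetime seconds 240
!
ip access-list extended VPN-SITE1
 permit ip any 10.254.70.0 0.0.0.255
!
! Option A (the poster's fix): static crypto map with a hostname peer marked
! "dynamic default", so the peer address is re-resolved instead of reused from the old SA.
crypto map CMAP_1 1 ipsec-isakmp
 set peer site1.example.dyndns.org dynamic default
 set transform-set TS-3DES-SHA
 match address VPN-SITE1
!
! Option B (the reply's suggestion): dynamic crypto map. The hub can only answer,
! never initiate, so the remote sites must keep the tunnel up (e.g. with DPD/keepalives
! on their side). The hostname-bound keys above still select the per-site PSK.
crypto dynamic-map DYN-MAP 10
 set transform-set TS-3DES-SHA
crypto map CMAP_DYN 10 ipsec-isakmp dynamic DYN-MAP
```

Only one of the two crypto maps would be applied to the outside interface; with Option A, check that "show crypto isakmp sa" shows the freshly resolved address after a DynDNS update rather than the stale one seen in the debug.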