02-23-2011 10:09 AM
Hello,
I am trying to set up an L2L IPsec VPN between a Cisco VPN3020 concentrator and a Cisco 2811.
Something is not working and I don't understand why.
I'll describe my situation in detail.
my router has 2 interfaces
External interface Fa 0/1 ip 193.P.Q.R
Internal interface Fa 0/0 141.G.H.254
Lan on internal interface is 141.G.H.0/24
remote VPN concentrator has 2 interfaces
Public interface 131.A.B.C
Private interface 131.A.I.E
I have to set up the L2L so that host 141.G.H.10 can talk to host 131.A.H.D, which is behind the VPN concentrator.
my router config:
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key * address 131.A.B.C
!
crypto ipsec transform-set presid-set esp-3des esp-md5-hmac
!
crypto map presid-map 5 ipsec-isakmp
set peer 131.A.B.C
set transform-set presid-set
match address presid
!
interface FastEthernet0/1
ip address 193.P.Q.R 255.255.255.252
duplex full
speed 100
crypto map presid-map
!
interface FastEthernet0/0
ip address 141.G.H.254 255.255.255.0
duplex auto
speed auto
!
ip access-list extended presid
permit ip host 141.G.H.10 host 131.A.H.D
ip route 0.0.0.0 0.0.0.0 193.P.Q.S
Then I configured the VPN3020 accordingly, creating a LAN-to-LAN profile with the proper IKE proposals etc.
When interesting traffic is matched by the VPN ACL (presid) I see these messages in the VPN concentrator logs:
57101 02/23/2011 15:49:05.310 SEV=4 IKE/119 RPT=4033 193.P.Q.R
Group [193.P.Q.R]
PHASE 1 COMPLETED
57102 02/23/2011 15:49:05.310 SEV=4 AUTH/22 RPT=3935 193.P.Q.R
User [193.P.Q.R] Group [193.P.Q.R] connected, Session Type: IPSec/LAN-to-LAN
57104 02/23/2011 15:49:05.310 SEV=4 AUTH/84 RPT=11
LAN-to-LAN tunnel to headend device 193.P.Q.R connected
57110 02/23/2011 15:49:54.820 SEV=4 IKE/123 RPT=1093 193.P.Q.R
Group [193.P.Q.R]
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
57112 02/23/2011 15:49:54.820 SEV=5 IKE/194 RPT=3778 193.P.Q.R
Group [193.P.Q.R]
Sending IKE Delete With Reason message: Connectivity to Client Lost.
57114 02/23/2011 15:49:54.820 SEV=4 AUTH/23 RPT=14 193.P.Q.R
User [193.P.Q.R] Group [193.P.Q.R] disconnected: duration: 0:00:49
57115 02/23/2011 15:49:54.820 SEV=4 AUTH/85 RPT=11
LAN-to-LAN tunnel to headend device 193.P.Q.R disconnected: duration: 0:00:49
And from the router side I see this with show crypto isakmp sa:
131.A.B.C 193.P.Q.R CONF_XAUTH 5 0 ACTIVE
but the status gets stuck in the CONF_XAUTH state and then disconnects.
What could the problem be?
thank you
Riccardo
02-23-2011 10:13 AM
Riccardo,
I think that the tunnel is trying to negotiate XAUTH.
Can you change this command:
no crypto isakmp key * address 131.A.B.C
crypto isakmp key * address 131.A.B.C no-xauth
In this way, the router won't negotiate XAUTH for the site-to-site tunnel but can continue using XAUTH for clients.
Hope it helps.
Federico.
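As an added illustration (not part of either post above), the following shows the relevant lines of the router configuration with Federico's change applied, side by side with the original line, followed by the IOS show commands used to confirm that phase 1 no longer stalls in CONF_XAUTH. The redacted key `*` is kept as in the thread; the expected ISAKMP state and the verification commands are my additions, not output from the original poster's router.

```cisco
! Original: with no keyword, IOS will also offer XAUTH to this peer,
! which the L2L session on the VPN3020 does not answer.
crypto isakmp key * address 131.A.B.C
!
! Corrected: remove the old entry and re-add it with no-xauth so that
! XAUTH is skipped for this site-to-site peer only. Remote-access
! client groups on the router keep using XAUTH as before.
no crypto isakmp key * address 131.A.B.C
crypto isakmp key * address 131.A.B.C no-xauth
!
! Verification: after re-triggering interesting traffic, the ISAKMP SA
! should sit in QM_IDLE instead of CONF_XAUTH, and an IPsec SA with
! non-zero encaps/decaps counters should exist for the peer.
show crypto isakmp sa
show crypto ipsec sa peer 131.A.B.C
```

If the state still reads CONF_XAUTH after the change, clear the existing SA with `clear crypto isakmp` so the new key entry is used for the next negotiation rather than the one already cached.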