L2L VPN3000 with Cisco 2811

Hello,

I am trying to set up an L2L IPSec VPN between a Cisco VPN3020 concentrator and a Cisco 2811.

Something is not working and I don't understand why.

I will describe my situation in detail.

My router has 2 interfaces:

External interface Fa 0/1 ip 193.P.Q.R

Internal interface Fa 0/0 141.G.H.254

LAN on internal interface is 141.G.H.0/24

The remote VPN concentrator has 2 interfaces:

Public interface 131.A.B.C

Private interface 131.A.I.E

I have to set up the L2L so that host 141.G.H.10 can talk to host 131.A.H.D, which is behind the VPN concentrator.

My router config:

crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key * address 131.A.B.C
!
crypto ipsec transform-set presid-set esp-3des esp-md5-hmac
!
crypto map presid-map 5 ipsec-isakmp
 set peer 131.A.B.C
 set transform-set presid-set
 match address presid
!
interface FastEthernet0/1
 ip address 193.P.Q.R 255.255.255.252
 duplex full
 speed 100
 crypto map presid-map
!
interface FastEthernet0/0
 ip address 141.G.H.254 255.255.255.0
 duplex auto
 speed auto
!

ip access-list extended presid
 permit ip host 141.G.H.10 host 131.A.H.D

ip route 0.0.0.0 0.0.0.0 193.P.Q.S

Then I configured the VPN3020 accordingly, creating a LAN-to-LAN profile with the proper IKE proposals, etc.

When interesting traffic is matched by the VPN ACL (presid), I see these messages in the VPN concentrator logs:

57101 02/23/2011 15:49:05.310 SEV=4 IKE/119 RPT=4033 193.P.Q.R
Group [193.P.Q.R]
PHASE 1 COMPLETED

57102 02/23/2011 15:49:05.310 SEV=4 AUTH/22 RPT=3935 193.P.Q.R
User [193.P.Q.R] Group [193.P.Q.R] connected, Session Type: IPSec/LAN-
to-LAN

57104 02/23/2011 15:49:05.310 SEV=4 AUTH/84 RPT=11
LAN-to-LAN tunnel to headend device 193.P.Q.R connected

57110 02/23/2011 15:49:54.820 SEV=4 IKE/123 RPT=1093 193.P.Q.R
Group [193.P.Q.R]
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

57112 02/23/2011 15:49:54.820 SEV=5 IKE/194 RPT=3778 193.P.Q.R
Group [193.P.Q.R]
Sending IKE Delete With Reason message: Connectivity to Client Lost.

57114 02/23/2011 15:49:54.820 SEV=4 AUTH/23 RPT=14 193.P.Q.R
User [193.P.Q.R] Group [193.P.Q.R] disconnected: duration: 0:00:49

57115 02/23/2011 15:49:54.820 SEV=4 AUTH/85 RPT=11
LAN-to-LAN tunnel to headend device 193.P.Q.R disconnected: duration: 0:00:49

and from the router side I see this with show crypto isakmp sa:

131.A.B.C   193.P.Q.R  CONF_XAUTH           5    0 ACTIVE

but the status gets stuck in the CONF_XAUTH state and then disconnects.

What could the problem be?

Thank you,

Riccardo


Riccardo,

I think that the tunnel is trying to negotiate XAUTH.

Can you change this command:

no crypto isakmp key * address 131.A.B.C

crypto isakmp key * address 131.A.B.C no-xauth

In this way, the router won't negotiate XAUTH for the Site-to-Site but can continue using XAUTH for clients.


Hope it helps.


Federico.
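As an added illustration of the point in the reply (not code from the thread or from Cisco): a small audit that reads an IOS-style config, collects every peer referenced by a crypto map's `set peer`, and reports whether that peer's `crypto isakmp key ... address` line carries `no-xauth`. The sample config is constructed from the original post; the key stays masked as `*` exactly as posted, and the function names are my own.

```python
import re
from typing import Dict, Optional

# Constructed sample: the crypto section of the router config from the post,
# with the pre-shared key line in the form the reply says triggers XAUTH.
SAMPLE_CONFIG = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key * address 131.A.B.C
!
crypto ipsec transform-set presid-set esp-3des esp-md5-hmac
!
crypto map presid-map 5 ipsec-isakmp
 set peer 131.A.B.C
 set transform-set presid-set
 match address presid
!
"""

PEER_RE = re.compile(r"^\s*set peer (\S+)")
KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)(.*)$")

def find_xauth_risk(config: str) -> Dict[str, str]:
    """Return {peer: status} for every crypto-map peer. 'no-xauth' means the
    key line carries the keyword; 'xauth' means it does not, so the router
    will try to negotiate XAUTH with that site-to-site peer (the CONF_XAUTH
    symptom in the post); 'missing-key' means no pre-shared key is set."""
    peers = set()
    keys = {}
    for line in config.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.add(m.group(1))
            continue
        m = KEY_RE.match(line)
        if m:
            keys[m.group(1)] = "no-xauth" in m.group(2).split()
    return {p: ("missing-key" if p not in keys
                else "no-xauth" if keys[p] else "xauth")
            for p in sorted(peers)}

def fixed_key_line(peer: str, config: str) -> Optional[str]:
    """Build the replacement key line the reply proposes for one peer, or
    None if the existing line already has no-xauth or does not exist."""
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1) == peer and "no-xauth" not in m.group(2).split():
            return line.rstrip() + " no-xauth"
    return None
```

The check only looks at the XAUTH keyword; it says nothing about the policy's 3DES/MD5 choice, which a current deployment would replace with AES and a SHA-2 hash.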