Router IOS HSRP cluster as VPN terminator doesn't work

CSCO10990307
Level 1

Hi Lads and Gents,

My problem is that I setup a pair of 1800 routers as VPN terminators in DMZ of Firewall.

When public address is statically forwarded to one of them everything works fine.

When I setup a HSRP pair on this interface and statically assign public address with cluster VIP - it doesn't work.

I.e. the behaviour is as follows: the VPN Client passes all the phases (seen in the status bar of the Client's window), but at the end, after "Securing connection ..." (I don't remember it very precisely), the message "Not connected" appears and that's all.

In debug I see the message "IPSEC(validate_transform_proposal): invalid local address 172.16.152.77" repeated very often (debug on demand);

Some facts:

-> IOS 12.4(3d)

-> VPN Client 4.8.02.0010

-> The running-config is as follows:

------------------------
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c3-dmz
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
aaa new-model
!
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
ip domain name xxxxxx.com
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group testgroup
 key password
 dns 192.168.1.101 192.168.1.105
 pool testpool
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0
 ip address 172.16.152.78 255.255.255.0
 speed 100
 full-duplex
 no cdp enable
 no mop enabled
 standby name hsrp-dmz
 standby 1 ip 172.16.152.77
 standby 1 authentication Qwe1Asd2
 crypto map SDM_CMAP_1 redundancy hsrp-dmz
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Vlan1
 no ip address
 shutdown
!
ip local pool testpool 10.1.112.10 10.1.112.254
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.152.254
!
ip http server
no ip http secure-server
!
radius-server host 192.168.1.135 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxx
radius-server timeout 30
!
control-plane
!
no process cpu extended
no process cpu autoprofile hog
end
------------------------

In case any other information is needed I will post then.

With Kind Regards,

Tomi
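An added check from the editor, not from the original post or the reply: the posted interface section names the HSRP group with `standby name hsrp-dmz` but puts the virtual IP on `standby 1 ip 172.16.152.77`. In IOS a `standby` command with no group number applies to group 0, so the name that `crypto map SDM_CMAP_1 redundancy hsrp-dmz` points at and the group that actually owns the VIP can be two different groups. The script below parses a constructed excerpt of the posted interface lines, reports that mismatch, flags the cleartext HSRP authentication string, and then runs the same check against a hypothetical corrected variant (group number added to the name, MD5 HSRP authentication). Whether correcting the group number changes the outcome for a remote-access client is not something the thread establishes; the check only rules the mismatch in or out.

```python
import re

# Constructed excerpt of the posted running-config (only the interface and
# crypto-map lines that matter for the redundancy binding).
POSTED_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.152.78 255.255.255.0
 standby name hsrp-dmz
 standby 1 ip 172.16.152.77
 standby 1 authentication Qwe1Asd2
 crypto map SDM_CMAP_1 redundancy hsrp-dmz
!
interface FastEthernet0/1
 no ip address
 shutdown
!
"""

# Hypothetical corrected variant (editor's assumption, not from the thread):
# the name is attached to group 1 and HSRP authentication uses MD5.
CORRECTED_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.152.78 255.255.255.0
 standby 1 name hsrp-dmz
 standby 1 ip 172.16.152.77
 standby 1 authentication md5 key-string Qwe1Asd2
 crypto map SDM_CMAP_1 redundancy hsrp-dmz
!
"""

STANDBY_RE = re.compile(r"^\s*standby(?:\s+(\d+))?\s+(\S+)\s*(.*)$")
REDUNDANCY_RE = re.compile(r"^\s*crypto map (\S+) redundancy (\S+)")


def parse_interfaces(config):
    """Return {interface: {"groups": {gid: {...}}, "redundancy": [(map, name)]}}.

    A `standby` line without a group number is HSRP group 0 in IOS, so a bare
    `standby name X` does not belong to `standby 1 ip ...`.
    """
    result, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            current = stripped.split(None, 1)[1]
            result[current] = {"groups": {}, "redundancy": []}
            continue
        if stripped == "!":          # section separator ends the interface block
            current = None
            continue
        if current is None:
            continue
        m = STANDBY_RE.match(line)
        if m:
            gid = int(m.group(1)) if m.group(1) else 0   # missing number -> group 0
            group = result[current]["groups"].setdefault(gid, {})
            keyword, args = m.group(2), m.group(3).split()
            if keyword == "name" and args:
                group["name"] = args[0]
            elif keyword == "ip" and args:
                group["vip"] = args[0]
            elif keyword == "authentication":
                group["auth"] = args
            continue
        m = REDUNDANCY_RE.match(line)
        if m:
            result[current]["redundancy"].append((m.group(1), m.group(2)))
    return result


def check_hsrp_crypto_binding(config):
    """Return a list of findings; an empty list means the binding is consistent."""
    findings = []
    for intf, data in parse_interfaces(config).items():
        groups = data["groups"]
        by_name = {g["name"]: gid for gid, g in groups.items() if "name" in g}
        vip_groups = sorted(gid for gid, g in groups.items() if "vip" in g)
        for cmap, name in data["redundancy"]:
            if name not in by_name:
                findings.append(f"{intf}: crypto map {cmap} references HSRP name "
                                f"'{name}' that no standby group defines")
            elif "vip" not in groups[by_name[name]]:
                findings.append(f"{intf}: crypto map {cmap} binds to HSRP group "
                                f"{by_name[name]} ('{name}'), which has no virtual IP; "
                                f"the VIP is on group(s) {vip_groups}")
        for gid, g in sorted(groups.items()):
            auth = g.get("auth")
            if auth and auth[0] != "md5":   # 'authentication <string>' is sent in clear
                findings.append(f"{intf}: HSRP group {gid} uses cleartext "
                                f"authentication; prefer 'authentication md5'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"{label}: {check_hsrp_crypto_binding(cfg) or ['no findings']}")
```

On the posted excerpt the check reports that the crypto map is bound to group 0, which carries no VIP while the VIP sits on group 1, plus the cleartext HSRP authentication; the corrected variant produces no findings. Run it against a full `show running-config` to verify the binding on every interface that carries a crypto map with `redundancy`.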

1 Reply

Ivan Martinon
Level 7

Hi Tomi,

As far as I know, HSRP and IPSEC will only work for Site to Site connections, not with an IPSEC RA solution.