04-20-2009 01:54 AM
Hi Lads and Gents,
My problem is that I setup a pair of 1800 routers as VPN terminators in DMZ of Firewall.
When public address is statically forwarded to one of them everything works fine.
When I setup a HSRP pair on this interface and statically assign public address with cluster VIP - it doesn't work.
I.e. the behaviour is as follows: the VPN Client passes all the phases (seen in the status bar of the Client's window) but at the end, after
"Securing connection ... " (don't remember very precisely), the message "Not connected" appears and that's all.
In debug I see the message "IPSEC(validate_transform_proposal): invalid local address 172.16.152.77" repeated very often (debug on demand);
Some facts:
-> IOS 12.4(3d)
-> VPN Client 4.8.02.0010
-> The running-config is as follows:
------------------------
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c3-dmz
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip domain name xxxxxx.com
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group testgroup
key password
dns 192.168.1.101 192.168.1.105
pool testpool
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
ip address 172.16.152.78 255.255.255.0
speed 100
full-duplex
no cdp enable
no mop enabled
standby name hsrp-dmz
standby 1 ip 172.16.152.77
standby 1 authentication Qwe1Asd2
crypto map SDM_CMAP_1 redundancy hsrp-dmz
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
no ip address
shutdown
!
ip local pool testpool 10.1.112.10 10.1.112.254
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.152.254
!
ip http server
no ip http secure-server
!
!
radius-server host 192.168.1.135 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxx
radius-server timeout 30
!
control-plane
!
!
!
no process cpu extended
no process cpu autoprofile hog
end
------------------------
In case any other information is needed I will post it then.
With Kind Regards,
Tomi
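A config-consistency check for the HSRP / crypto-map binding described in this post, as an added example that is not part of the thread or of any Cisco tooling. It parses a constructed excerpt of the poster's running-config together with the quoted debug line and reports whether the rejected "local address" is the HSRP VIP or the physical interface address, and whether the `redundancy` name on the crypto map matches the `standby name` on the same interface; the excerpt and the interpretation of the debug line are assumptions.

```python
import re

# Constructed sample: the relevant lines from the poster's running-config
# and the debug message quoted in the post.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.152.78 255.255.255.0
 standby name hsrp-dmz
 standby 1 ip 172.16.152.77
 crypto map SDM_CMAP_1 redundancy hsrp-dmz
!
interface FastEthernet0/1
 no ip address
 shutdown
"""
SAMPLE_DEBUG = "IPSEC(validate_transform_proposal): invalid local address 172.16.152.77"


def parse_interfaces(config):
    """Return per-interface address, HSRP name/VIP and crypto-map binding."""
    result, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            result[cur] = dict(ip=None, standby_name=None, vip=None, cmap=None, redundancy=None)
        elif line == "!":
            cur = None  # end of the interface stanza
        elif cur is None:
            continue
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            result[cur]["ip"] = m.group(1)
        elif m := re.match(r"standby name (\S+)", line):
            result[cur]["standby_name"] = m.group(1)
        elif m := re.match(r"standby \d+ ip (\S+)", line):
            result[cur]["vip"] = m.group(1)
        elif m := re.match(r"crypto map (\S+)(?: redundancy (\S+))?", line):
            result[cur]["cmap"], result[cur]["redundancy"] = m.group(1), m.group(2)
    return result


def triage(config, debug_line):
    """Relate the 'invalid local address' debug to the HSRP/crypto-map setup."""
    m = re.search(r"invalid local address (\S+)", debug_line)
    addr = m.group(1) if m else None
    findings = []
    for name, i in parse_interfaces(config).items():
        if not i["cmap"]:
            continue  # only interfaces that terminate IPsec matter here
        if i["redundancy"] and i["redundancy"] != i["standby_name"]:
            findings.append(f"{name}: crypto map bound to redundancy group '{i['redundancy']}' but standby name is '{i['standby_name']}'")
        if addr == i["vip"]:
            findings.append(f"{name}: rejected local address {addr} is the HSRP VIP, not the interface address {i['ip']}")
        elif addr == i["ip"]:
            findings.append(f"{name}: rejected local address {addr} is the physical interface address")
    return findings
```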
04-20-2009 06:43 AM
Hi Tomi,
As far as I know, HSRP and IPSEC will only work for Site to Site connections, not with IPSEC RA solution.