02-03-2009 06:50 AM
I have a 7200 router currently configured with VPN clients. I am attempting to add a dynamic L2L tunnel to it. When I do, I am no longer able to connect using the VPN client. I followed the configuration in the following URL.
http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
As soon as I add...
crypto dynamic-map dynmap 5
 set isakmp-profile VPNclient
the VPN client no longer works. I don't have access to the config right now, as I took it all out. Anyone have this working properly?
02-13-2009 09:45 AM
OK, hmm, I think it is an issue with the config. Give it a shot on one of the L2Ls that is bouncing: set it to a profile and keyring. What is the result?
02-03-2009 09:18 AM
This configuration should work. We will need to take a look at your config to see what you might be missing, maybe a keyring setup?
02-03-2009 10:23 AM
I will post up the configuration I am using as soon as I can. Thanks for looking.
02-04-2009 03:25 AM
Hi,
here is a configuration example:
local-inside: 192.168.1.0/24
vpn-pool: 192.168.3.0/24
remote-site-IP: 192.168.100.0/24
aaa authentication login userauth local
aaa authorization network groupauth local
username clientuser password 0 XXXXX
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key YYYYY address 0.0.0.0 0.0.0.0 <- password for dynamic site-to-site
crypto isakmp client configuration group vpnclient
 key ZZZZZZZ
 pool vpn-pool
 acl 120
crypto isakmp profile VPNclient
 description vpnclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
crypto ipsec transform-set myvpn esp-3des esp-sha-hmac
crypto dynamic-map mymap3 5 <- Client VPN
 set transform-set myvpn
 set isakmp-profile VPNclient
 match address 110 <- match VPN-Pool
crypto dynamic-map mymap3 10 <- site-VPN
 set transform-set myvpn2
 match address 140 <- match internal Site-IP
crypto map mymap 20 ipsec-isakmp dynamic mymap3
ip local pool vpn-pool 192.168.3.1 192.168.3.254
access-list 110 permit ip any 192.168.3.0 0.0.0.255
access-list 120 remark split-tunnel for vpn-clients
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 remark no-nat-accesslist
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 130 interface Dialer0 overload
access-list 140 remark site-IPs
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
Regards, Celio
02-04-2009 07:42 AM
The reason this does not work is because you have the default key setup:
crypto isakmp key YYYYY address 0.0.0.0 0.0.0.0 <- password for dynamic site-to-site
This key has to be defined in a keyring rather than here; otherwise clients will not connect. Follow the link you pasted and check that they use keyrings for clients and for dynamic clients.
02-04-2009 07:50 AM
Hi Imartino,
this configuration is currently working. But every remote-site has the same password :-)
Regards, Celio
02-04-2009 07:53 AM
Regardless of every remote having the same password, you need to put this dynamic key into a keyring. If this is not done, then your clients will not work.
02-13-2009 06:16 AM
Back to my original issue here..
I was able to get this working, but now I seem to be having issues with my other L2L tunnels dropping out every so often and not coming back up. Anyone ever seen this error before?
Found ADDRESS key in keyring spokes
Feb 13 09:07:00: ISAKMP (0:578): Oops. Used some key with the peer and
Feb 13 09:07:00: when she revealed identity we don't find
Feb 13 09:07:00: hers in the relevant keyring. Thwarting her.
This is what I got when I tried to initiate one of my static L2L tunnels. This tunnel should have nothing to do with the keyring.
02-13-2009 07:54 AM
Can you post your configuration here?
02-13-2009 07:56 AM
I can post some...will post back in a little while. thanks.
02-13-2009 08:24 AM
I thought this too some time ago. Try to get your static LAN-to-LAN tunnels to use profiles with keyrings as well; that should fix it.
02-13-2009 08:30 AM
Yuck, I was afraid you would say that. There are a lot more VPNs than what I posted. Would adding a "match address" statement somewhere for the dynamic L2L tunnel help at all?
02-13-2009 08:34 AM
Unfortunately, nope. The problem with the dynamic setup and VPN clients comes when the identity is to be negotiated/identified: since both dynamic tunnels and VPN clients would use the "default key" (isakmp key ... 0.0.0.0), the router would need a way to identify each kind of connection (VPN clients vs. dynamic tunnels), hence the use of the ISAKMP profiles. So, as you can see, it is a problem with the ISAKMP negotiation rather than the IPsec phase 2 negotiation.
02-13-2009 09:06 AM
So the static tunnels I have are landing on the dynamic map 0.0.0.0 before hitting the static ones?
crypto dynamic-map DYNmap 30
 set transform-set 3des
 set pfs group2
 set isakmp-profile L2L
crypto map lim 115 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3des
 match address 115
 reverse-route
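To pull the advice in this thread together, here is an added worked configuration layout (my own illustration, not the original poster's config, Celio's, or anything taken from the linked Cisco document) showing the three peer types separated by keyrings and ISAKMP profiles, with the static L2L peer also moved into a profile as suggested above. The keyring and profile names, the placeholder keys, the static peer address 203.0.113.10 and the transform-set name are assumptions; the ACL and pool numbers follow the earlier posts and are assumed to be defined as there.

```cisco
! Added example layout: keyrings + ISAKMP profiles for clients, dynamic spokes and static peers.
! Placeholders: KEY-SPOKES, KEY-STATIC, KEY-GROUP, peer 203.0.113.10, transform-set "3des".
! ACLs 110/115/120, AAA lists and pool vpn-pool are assumed to exist as in the earlier posts.

! The global wildcard key is NOT configured here; the spoke PSK lives in a keyring instead.
! (i.e. no "crypto isakmp key ... address 0.0.0.0 0.0.0.0")

! Keyring for dynamic site-to-site spokes whose address is not known in advance
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key KEY-SPOKES

! Keyring for static peers: one entry per peer address
crypto keyring static-peers
 pre-shared-key address 203.0.113.10 key KEY-STATIC

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

! Remote-access clients: the group PSK comes from the client configuration group,
! and the profile matches on the group name, not on an address
crypto isakmp client configuration group vpnclient
 key KEY-GROUP
 pool vpn-pool
 acl 120

crypto isakmp profile VPNclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond

! Dynamic L2L spokes: any source address, key looked up in keyring "spokes"
crypto isakmp profile L2L
 keyring spokes
 match identity address 0.0.0.0

! Static peer: its own keyring and profile, so the key used at the start of the
! exchange and the keyring searched once the identity is revealed are the same one
crypto isakmp profile STATIC
 keyring static-peers
 match identity address 203.0.113.10 255.255.255.255

crypto ipsec transform-set 3des esp-3des esp-sha-hmac

crypto dynamic-map DYNmap 5
 set transform-set 3des
 set isakmp-profile VPNclient
 match address 110
crypto dynamic-map DYNmap 30
 set transform-set 3des
 set pfs group2
 set isakmp-profile L2L

! Static entry bound to its profile; the dynamic entry gets the highest sequence
! number so it is evaluated only after all static entries
crypto map lim 115 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set 3des
 set isakmp-profile STATIC
 match address 115
 reverse-route
crypto map lim 65000 ipsec-isakmp dynamic DYNmap
```

The point of the layout is that every peer class resolves its pre-shared key and its identity through the same object: clients through the configuration group, dynamic spokes through the "spokes" keyring, and each static peer through its own keyring entry. After applying it, "show crypto isakmp sa" and "show crypto isakmp profile" can be used to confirm which profile each peer landed in.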