07-24-2020 09:15 AM - edited 07-24-2020 09:16 AM
Hello,
I would like to set up a site-to-site VPN between two Cisco 881s:
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RemoteLab
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
aaa new-model
!
!
aaa authentication login userVPN local
aaa authorization network groupVPN local
!
aaa session-id common
ethernet lmi ce
memory-size iomem 10
clock timezone PST 2 0
!
ip dhcp excluded-address 10.0.10.1 10.0.10.10
!
ip dhcp pool VLAN100
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 1.1.1.1
 domain-name remotelab.lab
!
!
!
ip domain name remote.lab
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn
!
!
username labo privilege 15 secret 8
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto isakmp policy 20
 authentication pre-share
crypto isakmp key LabRemote123 address AB.CD.160.216
crypto isakmp keepalive 60
crypto isakmp xauth timeout 5
!
crypto isakmp client configuration group groupVPN
 key xxx
 pool VPNPOOL
!
!
crypto ipsec transform-set setVPN esp-aes esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set P2PSET esp-aes esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map dynamicVPN 10
 set transform-set setVPN
 reverse-route
!
!
crypto map staticMap client authentication list userVPN
crypto map staticMap isakmp authorization list groupVPN
crypto map staticMap client configuration address respond
crypto map staticMap 10 ipsec-isakmp dynamic dynamicVPN
crypto map staticMap 20 ipsec-isakmp
 set peer AB.CD.160.216
 set transform-set P2PSET
 match address 150
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 switchport access vlan 20
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan20
 ip address 192.168.92.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 crypto map staticMap
!
ip local pool VPNPOOL 192.168.50.1 192.168.50.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh version 2
!
ip access-list extended VPNACL
 permit icmp any any
 permit ip any any
!
dialer-list 1 protocol ip permit
!
access-list 100 deny ip 10.0.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 10.0.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 192.168.92.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip any any
access-list 150 permit ip 10.0.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
control-plane
!
!
vstack
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input ssh
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
memory-size iomem 10
!
!
ip dhcp excluded-address 192.168.30.1 192.168.30.10
!
ip dhcp pool VLAN30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 1.1.1.1
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key LabRemote123 address AB.CD.99.101
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode transport
!
!
!
crypto map MYMAP 1 ipsec-isakmp
 set peer AB.CD.99.101
 set transform-set MYSET
 match address 150
!
!
interface FastEthernet0
 switchport access vlan 30
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map MYMAP
!
interface Vlan1
 no ip address
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
!
access-list 100 deny ip 192.168.30.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 100 permit ip any any
access-list 150 permit ip 192.168.30.0 0.0.0.255 10.0.10.0 0.0.0.255
When I start a ping from RemoteLab to R1 (ping 192.168.30.1 from IP 10.0.10.1), I get this result on R1 (debug crypto isakmp):
*Jul 24 16:26:18.171: ISAKMP-PAK: (0):received packet from AB.CD.99.101 dport 500 sport 500 Global (N) NEW SA
*Jul 24 16:26:18.171: ISAKMP: (0):Created a peer struct for AB.CD.99.101, peer port 500
*Jul 24 16:26:18.171: ISAKMP: (0):New peer created peer = 0x8A929118 peer_handle = 0x8000000E
*Jul 24 16:26:18.171: ISAKMP: (0):Locking peer struct 0x8A929118, refcount 1 for crypto_isakmp_process_block
*Jul 24 16:26:18.171: ISAKMP: (0):local port 500, remote port 500
*Jul 24 16:26:18.171: ISAKMP: (0):insert sa successfully sa = 8BE4DEF4
*Jul 24 16:26:18.171: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 24 16:26:18.171: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 24 16:26:18.171: ISAKMP: (0):processing SA payload. message ID = 0
*Jul 24 16:26:18.171: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Jul 24 16:26:18.171: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID is NAT-T v7
*Jul 24 16:26:18.171: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID is NAT-T v3
*Jul 24 16:26:18.171: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Jul 24 16:26:18.171: ISAKMP: (0):vendor ID is NAT-T v2
*Jul 24 16:26:18.171: ISAKMP: (0):found peer pre-shared key matching AB.CD.99.101
*Jul 24 16:26:18.171: ISAKMP: (0):local preshared key found
*Jul 24 16:26:18.171: ISAKMP: (0):Scanning profiles for xauth ...
*Jul 24 16:26:18.171: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
*Jul 24 16:26:18.171: ISAKMP: (0): encryption AES-CBC
*Jul 24 16:26:18.171: ISAKMP: (0): keylength of 256
*Jul 24 16:26:18.171: ISAKMP: (0): hash SHA256
*Jul 24 16:26:18.171: ISAKMP: (0): default group 14
*Jul 24 16:26:18.171: ISAKMP: (0): auth pre-share
*Jul 24 16:26:18.171: ISAKMP: (0): life type in seconds
*Jul 24 16:26:18.171: ISAKMP: (0): life duration (basic) of 3600
*Jul 24 16:26:18.171: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Jul 24 16:26:18.171: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Jul 24 16:26:18.171: ISAKMP: (0):Checking ISAKMP transform 2 against priority 1 policy
*Jul 24 16:26:18.171: ISAKMP: (0): encryption DES-CBC
*Jul 24 16:26:18.171: ISAKMP: (0): hash SHA
*Jul 24 16:26:18.171: ISAKMP: (0): default group 1
*Jul 24 16:26:18.171: ISAKMP: (0): auth pre-share
*Jul 24 16:26:18.171: ISAKMP: (0): life type in seconds
*Jul 24 16:26:18.171: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 24 16:26:18.171: ISAKMP: (0):atts are acceptable. Next payload is 0
*Jul 24 16:26:18.171: ISAKMP: (0):Acceptable atts:actual life: 86400
*Jul 24 16:26:18.171: ISAKMP: (0):Acceptable atts:life: 0
*Jul 24 16:26:18.171: ISAKMP: (0):Fill atts in sa vpi_length:4
*Jul 24 16:26:18.171: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Jul 24 16:26:18.171: ISAKMP: (0):Returning Actual lifetime: 86400
*Jul 24 16:26:18.171: ISAKMP: (0):Started lifetime timer: 86400.
*Jul 24 16:26:18.175: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Jul 24 16:26:18.175: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID is NAT-T v7
*Jul 24 16:26:18.175: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID is NAT-T v3
*Jul 24 16:26:18.175: ISAKMP: (0):processing vendor id payload
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Jul 24 16:26:18.175: ISAKMP: (0):vendor ID is NAT-T v2
*Jul 24 16:26:18.175: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 24 16:26:18.175: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 24 16:26:18.175: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Jul 24 16:26:18.175: ISAKMP-PAK: (0):sending packet to AB.CD.99.101 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 24 16:26:18.175: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Jul 24 16:26:18.175: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 24 16:26:18.175: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 24 16:26:18.207: ISAKMP-PAK: (0):received packet from AB.CD.99.101 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 24 16:26:18.207: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 24 16:26:18.207: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 24 16:26:18.207: ISAKMP: (0):processing KE payload. message ID = 0
*Jul 24 16:26:18.227: ISAKMP: (0):processing NONCE payload. message ID = 0
*Jul 24 16:26:18.227: ISAKMP: (0):found peer pre-shared key matching AB.CD.99.101
*Jul 24 16:26:18.227: ISAKMP: (2011):processing vendor id payload
*Jul 24 16:26:18.227: ISAKMP: (2011):vendor ID is DPD
*Jul 24 16:26:18.227: ISAKMP: (2011):processing vendor id payload
*Jul 24 16:26:18.227: ISAKMP: (2011):speaking to another IOS box!
*Jul 24 16:26:18.227: ISAKMP: (2011):processing vendor id payload
*Jul 24 16:26:18.227: ISAKMP: (2011):vendor ID seems Unity/DPD but major 127 mismatch
*Jul 24 16:26:18.227: ISAKMP: (2011):vendor ID is XAUTH
*Jul 24 16:26:18.227: ISAKMP: (2011):received payload type 20
*Jul 24 16:26:18.227: ISAKMP: (2011):His hash no match - this node outside NAT
*Jul 24 16:26:18.227: ISAKMP: (2011):received payload type 20
*Jul 24 16:26:18.227: ISAKMP: (2011):No NAT Found for self or peer
*Jul 24 16:26:18.227: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 24 16:26:18.227: ISAKMP: (2011):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jul 24 16:26:18.231: ISAKMP-PAK: (2011):sending packet to AB.CD.99.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 24 16:26:18.231: ISAKMP: (2011):Sending an IKE IPv4 Packet.
*Jul 24 16:26:18.231: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 24 16:26:18.231: ISAKMP: (2011):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 24 16:26:18.283: ISAKMP-PAK: (2011):received packet from AB.CD.99.101 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 24 16:26:18.283: ISAKMP: (2011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 24 16:26:18.283: ISAKMP: (2011):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 24 16:26:18.283: ISAKMP: (2011):processing ID payload. message ID = 0
*Jul 24 16:26:18.283: ISAKMP: (2011):ID payload next-payload : 8 type : 1
*Jul 24 16:26:18.283: ISAKMP: (2011): address : AB.CD.99.101
*Jul 24 16:26:18.283: ISAKMP: (2011): protocol : 17 port : 500 length : 12
*Jul 24 16:26:18.283: ISAKMP: (0):peer matches *none* of the profiles
*Jul 24 16:26:18.283: ISAKMP: (2011):processing HASH payload. message ID = 0
*Jul 24 16:26:18.283: ISAKMP: (2011):received payload type 17
*Jul 24 16:26:18.283: ISAKMP: (2011):processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 0x8BE4DEF4
*Jul 24 16:26:18.283: ISAKMP: (2011):SA authentication status: authenticated
*Jul 24 16:26:18.283: ISAKMP: (2011):SA has been authenticated with AB.CD.99.101
*Jul 24 16:26:18.283: ISAKMP: (2011):SA authentication status: authenticated
*Jul 24 16:26:18.283: ISAKMP: (2011):Process initial contact, bring down existing phase 1 and 2 SA's with local AB.CD.160.216 remote AB.CD.99.101 remote port 500
*Jul 24 16:26:18.283: ISAKMP: (0):Trying to insert a peer AB.CD.160.216/AB.CD.99.101/500/,
*Jul 24 16:26:18.283: ISAKMP: (0): and inserted successfully 8A929118.
*Jul 24 16:26:18.283: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 24 16:26:18.283: ISAKMP: (2011):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jul 24 16:26:18.283: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 24 16:26:18.283: ISAKMP: (2011):SA is doing
*Jul 24 16:26:18.283: ISAKMP: (2011):pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 24 16:26:18.283: ISAKMP: (2011):ID payload next-payload : 8 type : 1
*Jul 24 16:26:18.287: ISAKMP: (2011): address : AB.CD.160.216
*Jul 24 16:26:18.287: ISAKMP: (2011): protocol : 17 port : 500 length : 12
*Jul 24 16:26:18.287: ISAKMP: (2011):Total payload length: 12
*Jul 24 16:26:18.287: ISAKMP-PAK: (2011):sending packet to AB.CD.99.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 24 16:26:18.287: ISAKMP: (2011):Sending an IKE IPv4 Packet.
*Jul 24 16:26:18.287: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 24 16:26:18.287: ISAKMP: (2011):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 24 16:26:18.287: ISAKMP: (2011):IKE_DPD is enabled, initializing timers
*Jul 24 16:26:18.287: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 24 16:26:18.287: ISAKMP: (2011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 24 16:26:18.319: ISAKMP-PAK: (2011):received packet from AB.CD.99.101 dport 500 sport 500 Global (R) QM_IDLE
*Jul 24 16:26:18.319: ISAKMP: (2011):set new node -1494307278 to QM_IDLE
*Jul 24 16:26:18.319: ISAKMP: (2011):processing transaction payload from AB.CD.99.101. message ID = -1494307278
*Jul 24 16:26:18.319: ISAKMP: (2011):Config payload REQUEST
*Jul 24 16:26:18.319: ISAKMP: (2011):No provision for the request
*Jul 24 16:26:18.319: ISAKMP-ERROR: (2011):Invalid config REQUEST
*Jul 24 16:26:18.319: ISAKMP-ERROR: (2011):(2011): FSM action returned error: 2
*Jul 24 16:26:18.319: ISAKMP: (2011):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jul 24 16:26:18.319: ISAKMP: (2011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 24 16:26:18.319: ISAKMP: (2011):peer does not do paranoid keepalives.
*Jul 24 16:26:18.319: ISAKMP-ERROR: (2011):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) QM_IDLE (peer AB.CD.99.101)
*Jul 24 16:26:18.319: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 24 16:26:18.319: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
*Jul 24 16:26:18.319: ISAKMP (2011): IPSec has no more SA's with this peer. Won't keepalive phase 1.
*Jul 24 16:26:18.323: ISAKMP: (2011):set new node 978968774 to QM_IDLE
*Jul 24 16:26:18.323: ISAKMP-PAK: (2011):sending packet to AB.CD.99.101 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 24 16:26:18.323: ISAKMP: (2011):Sending an IKE IPv4 Packet.
*Jul 24 16:26:18.323: ISAKMP: (2011):purging node 978968774
*Jul 24 16:26:18.323: ISAKMP: (2011):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jul 24 16:26:18.323: ISAKMP: (2011):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Jul 24 16:26:18.327: ISAKMP-ERROR: (2011):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) QM_IDLE (peer AB.CD.99.101)
*Jul 24 16:26:18.327: ISAKMP: (0):Unlocking peer struct 0x8A929118 for isadb_mark_sa_deleted(), count 0
*Jul 24 16:26:18.327: ISAKMP: (0):Deleting peer node by peer_reap for AB.CD.99.101: 8A929118
*Jul 24 16:26:18.327: ISAKMP: (2011):deleting node -1494307278 error FALSE reason "IKE deleted"
*Jul 24 16:26:18.327: ISAKMP: (2011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 24 16:26:18.327: ISAKMP: (2011):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Jul 24 16:26:18.327: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 24 16:26:18.355: ISAKMP-PAK: (2011):received packet from AB.CD.99.101 dport 500 sport 500 Global (R) MM_NO_STATE
The remote access VPN works fine.
I have already tried a lot of things, but nothing works for the site-to-site.
Thanks.
07-25-2020 04:02 AM
There are two things that directly catch my attention:
The crypto map sequence that references the dynamic crypto map always has to be the last line in the crypto-map:
crypto map staticMap 65000 ipsec-isakmp dynamic dynamicVPN
And the site-to-site VPN will establish a tunnel-mode SA. You should directly configure the transform-set that way.
07-25-2020 08:37 AM - edited 07-25-2020 09:54 AM
Thank you!
The config on RemoteLab is now :
crypto map staticMap 5 ipsec-isakmp
 set peer AB.CD.160.216
 set transform-set P2PSET
 match address 150
crypto map staticMap 10 ipsec-isakmp dynamic dynamicVPN
And I changed the tunnel mode on both:
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode tunnel
But I have the same output error with debug crypto isakmp.
Edit :
I finally found the problem: the no-xauth attribute was missing:
crypto isakmp key xxx address xxx no-xauth
I also applied the crypto map to dialer 1 instead of Fa4 on R1.
Thanks for your help.
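The three things this thread worked through (the dynamic crypto map entry not being the last sequence, a transport-mode transform set on a site-to-site entry, and a pre-shared key without no-xauth on a crypto map that also does client authentication) are all checkable from the running config, and the R1 debug has two tell-tale lines worth recognising: the first "Encryption algorithm offered does not match policy!" is harmless here because transform 2 is accepted right after it, while "Invalid config REQUEST" right after IKE_P1_COMPLETE is the xauth request R1 has no provision for. The script below is an added example, not code from the thread's participants or from Cisco: its parser is an assumption that covers only the statements used here, the sample configs and debug lines are constructed from the posts (peer addresses kept as the thread redacted them), and the finding texts are its own wording.

```python
# Constructed sample: the RemoteLab crypto section as first posted, trimmed to the
# statements the lint reads (peer addresses kept as the thread redacted them).
BROKEN_CONFIG = """\
crypto isakmp key LabRemote123 address AB.CD.160.216
crypto ipsec transform-set P2PSET esp-aes esp-sha-hmac
 mode transport
crypto map staticMap client authentication list userVPN
crypto map staticMap 10 ipsec-isakmp dynamic dynamicVPN
crypto map staticMap 20 ipsec-isakmp
 set peer AB.CD.160.216
 set transform-set P2PSET
 match address 150
"""

# The same section after the three fixes the thread converged on.
FIXED_CONFIG = """\
crypto isakmp key LabRemote123 address AB.CD.160.216 no-xauth
crypto ipsec transform-set P2PSET esp-aes esp-sha-hmac
 mode tunnel
crypto map staticMap client authentication list userVPN
crypto map staticMap 5 ipsec-isakmp
 set peer AB.CD.160.216
 set transform-set P2PSET
 match address 150
crypto map staticMap 10 ipsec-isakmp dynamic dynamicVPN
"""

# Constructed lines modelled on the R1 debug output in the first post.
SAMPLE_DEBUG = """\
*Jul 24 16:26:18.171: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Jul 24 16:26:18.171: ISAKMP: (0):atts are acceptable. Next payload is 0
*Jul 24 16:26:18.319: ISAKMP-ERROR: (2011):Invalid config REQUEST
*Jul 24 16:26:18.319: ISAKMP-ERROR: (2011):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) QM_IDLE
"""

def parse_crypto(config):
    """Return (transform-set modes, isakmp keys by peer, crypto maps) from config text."""
    modes, keys, maps = {}, {}, {}
    block = None  # owner of the indented sub-commands that follow
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if raw.startswith(" "):  # IOS sub-command: belongs to the current block
            if block and block[0] == "tset" and tok[0] == "mode":
                modes[block[1]] = tok[1]
            elif block and block[0] == "entry" and tok[0] == "set" and len(tok) > 2:
                block[1][tok[1]] = tok[2]  # records 'peer' and 'transform-set'
            continue
        block = None
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            modes[tok[3]] = "tunnel"  # IOS default when no 'mode' sub-command follows
            block = ("tset", tok[3])
        elif tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok:
            keys[tok[tok.index("address") + 1]] = "no-xauth" in tok
        elif tok[:2] == ["crypto", "map"] and len(tok) > 3:
            m = maps.setdefault(tok[2], {"xauth": False, "entries": []})
            if tok[3:5] == ["client", "authentication"]:
                m["xauth"] = True
            elif tok[3].isdigit():
                entry = {"seq": int(tok[3]), "dynamic": "dynamic" in tok}
                m["entries"].append(entry)
                block = ("entry", entry)
    return modes, keys, maps

def lint_crypto_maps(config):
    """Return one finding per pitfall found; an empty list means the section is clean."""
    modes, keys, maps = parse_crypto(config)
    findings = []
    for name, m in maps.items():
        static = [e for e in m["entries"] if not e["dynamic"]]
        for d in (e for e in m["entries"] if e["dynamic"]):
            later = [e["seq"] for e in static if e["seq"] > d["seq"]]
            if later:
                findings.append(f"{name}: dynamic seq {d['seq']} must be last, {later} follow it")
        for e in static:
            tset, peer = e.get("transform-set"), e.get("peer")
            if modes.get(tset) == "transport":
                findings.append(f"{name} seq {e['seq']}: {tset} is transport mode, needs tunnel")
            if peer and peer not in keys:
                findings.append(f"{name} seq {e['seq']}: no isakmp key for peer {peer}")
            elif peer and m["xauth"] and not keys[peer]:
                findings.append(f"{name} seq {e['seq']}: map does xauth, key for {peer} "
                                "needs no-xauth or this side sends a config REQUEST")
    return findings

def diagnose_isakmp_debug(debug):
    """Translate tell-tale 'debug crypto isakmp' lines into plain findings."""
    hits = []
    if "does not match policy" in debug:
        hits.append("phase 1 proposal mismatch was " + (
            "non-fatal: a later transform matched" if "atts are acceptable" in debug
            else "fatal: no ISAKMP policy matched"))
    if "Invalid config REQUEST" in debug:
        hits.append("xauth/mode-config REQUEST after phase 1 with no provision for it: "
                    "mark the site-to-site peer's key no-xauth")
    if "IKMP_ERR_NO_RETRANS" in debug:
        hits.append("SA torn down before quick mode ran")
    return hits
```

Running lint_crypto_maps on BROKEN_CONFIG reports all three pitfalls and on FIXED_CONFIG reports nothing; diagnose_isakmp_debug on the sample lines separates the harmless transform-1 rejection from the fatal config REQUEST. The parser treats a leading space as the IOS sub-command marker, so feed it a saved running config rather than a hand-flattened one.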