
Site-to-site VPN problems on router 3925

teymur azimov
Level 1

Hi dears

I configured two tunnels (site-to-site VPN) and Easy VPN (remote VPN) on a Cisco 3925 router.

The tunnels and the remote access VPN are working normally, but I have one issue.

When one of the tunnels goes down, the tunnel does not come up automatically.

I did some tests. I erased the remote VPN crypto map and did some tests.

clear crypto isakmp sa. The tunnels go down, then the tunnels come up automatically.

I think that the tunnel VPN conflicts with the remote access VPN, but what is the problem?

VPN part of the configuration:

! tunnels
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! remote vpn
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key xxxxx address y.y.y.y
crypto isakmp key xxxx address x.x.x.x
crypto isakmp nat keepalive 300
crypto isakmp client configuration group vpncikil
 key c1sc0A123!
 dns 10.103.70.20 10.103.70.21
 domain vtbaze.local
 pool ippool
 acl 102
crypto ipsec security-association lifetime seconds 86400
!
! tunnel
crypto ipsec transform-set Router_Ipsec esp-3des esp-sha-hmac
 mode tunnel
! remote vpn
crypto ipsec transform-set myset esp-aes esp-sha-hmac
 mode tunnel
crypto map Center client authentication list userauthentication
crypto map Center isakmp authorization list groupauthor
crypto map Center client configuration address respond
crypto map Center 2 ipsec-isakmp
 set peer x.x.x.x
 set security-association idle-time 86400
 set transform-set Router_Ipsec
 set pfs group2
 match address xiyar
crypto map Center 3 ipsec-isakmp
 set peer y.y.y.y
 set security-association idle-time 86400
 set transform-set Router_Ipsec
 set pfs group2
 match address sada
crypto map Center 65535 ipsec-isakmp dynamic dynmap
ip access-list standard RA_VPN_Redistribute
 permit 192.168.10.0 0.0.0.255
router eigrp 90
 network 10.103.74.1 0.0.0.0
 network 172.30.30.1 0.0.0.0
 redistribute static metric 10000 1 255 1 1500 route-map RA_VPN_Redistribute
!

Apply Center to the outside interface.

5 Replies

garyprice
Level 1

I believe you are using the default group policy for IPsec, which defines properties for SSL and IPsec (IPsec includes both rVPN and LAN2LAN).
Define a policy for the L2L and use that with the tunnel.
Use the default with the rVPN.


Sent from Cisco Technical Support iPhone App

Hi. Thank you for helping me.

I am confused about something.

This is my policy configuration.

Site-to-site VPN:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 hash sha
 group 2

Remote VPN:

crypto isakmp policy 2
 encr aes
 authentication pre-share
 hash sha
 group 2

Please modify the policy configuration (as you said above).

Thanks.

Remote VPN default policy:

I deleted crypto isakmp policy 2 and wrote crypto isakmp default policy for the remote VPN,

and did not modify the site-to-site VPN.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 hash sha
 group 2

Is this correct?

Thanks.

Hi garyprice. Can you help me?

Hi.

You wrote: Use the default with the rVPN.

What is the command for the default policy for the remote VPN?

Is this the command?

crypto isakmp default policy

If yes, what is the transform-set for the remote VPN?

Thanks for your help.