Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2321
Views
10
Helpful
5
Replies

VPN Client and Dynamic isakmp keys not working

Scott Pettit
Level 9
Level 9

‎09-13-2011 03:34 AM

Hi,

I'm trying to enable DMVPN endpoints from dynamic IP addresses, e.g. adding in:

crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth

The problem is when I add this line, it breaks our remote VPN Client.  Removing the line makes everything work fine again, except I can't add a DMVPN endpoint that has a dynamic IP.

Presently all DMVPN spokes have static IP addresses configured and individual keys for each (I'm trying to simply/cut down our config and use a single key for all of them plus enable staff from home on dynamic IP's).

I can't tell if this is an IOS bug, or if I need to configure something differently.

Our VPN client is configured as a dynamic map, e.g.:

crypto isakmp client configuration group vpnclient

key RAH RAH RAH

etc.

crypto isakmp profile vpnclient

   match identity group vpnclient

   client authentication list vpnuser

   isakmp authorization list vpngroup

   client configuration address respond

crypto ipsec transform-set VPNCLIENT esp-aes 256 esp-sha-hmac

crypto dynamic-map vpnclient 10

set transform-set VPNCLIENT

set pfs group2

set isakmp-profile vpnclient

crypto map vpn 65535 ipsec-isakmp dynamic vpnclient

And then attached to my WAN interface as crypto map.

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Bastien Migette
Cisco Employee
Cisco Employee

‎09-13-2011 05:41 AM

Hi Scott,

What IOS Version are you using ? I don't see any reason that this command would break Remote VPN Connectivity.

Maybe you can try

crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 (remove the no-xauth, as it's not needed).

Otherwise, you may share output of debug crypto isakmp to see exactly what is failing when the remote users are connecting.

Regards,

Bastien

0 Helpful

Ricky S
Level 3
Level 3

‎03-13-2013 10:46 AM

Hi there, I was wandering if you were able to figure out a solution? I am having the same issue.

0 Helpful

Javier Portuguez
Level 9
Level 9

‎03-13-2013 11:59 AM

Hi there,

You should use ISAKMP profiles:

DMVPN and Easy VPN Server with ISAKMP Profiles Configuration Example

HTH.

Portu.

Ricky S
Level 3
Level 3
In response to Javier Portuguez

‎03-13-2013 06:50 PM

Thanks I was able to fix my issue following steps on that site.

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to Ricky S

‎03-14-2013 06:22 AM

Nice to hear that.

Please rate any helpful posts and mark this post as answered.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents