VRF-aware IPSEC - Multiple Dynamic Peers

ar
Level 1
Hi.
I am simulating a VRF-aware IPsec VPN concentrator with multiple dynamic peers on GNS.

I have two client profiles on the 7200 concentrator.

I can have both clients working.

But I noticed that when restarting all the sessions, one of the clients will stop working.

I'm getting an error of:

*Feb 18 20:58:27.811: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.1.2 failed its sanity check or is malformed

Which I believe means the pre-shared keys do not match. But I am very sure they are accurate and match.

I have to re-create the whole profile so it will work again (keyring, dynamic profile, dynamic-map).

I am not sure if this is just a GNS problem or config itself.

Below is my config for the 7200 VPN concentrator.

I hope someone can share their ideas on how to do this properly.

Objective: multiple dynamic VRF-aware IPsec peers

Thanks

Client 1 is ABC

Client 2 is XYZ

ip vrf A
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf B
rd 2:2
route-target export 2:2
route-target import 2:2
!
!
!
crypto keyring VRF-B
  pre-shared-key address 0.0.0.0 0.0.0.0 key XYZ
crypto keyring VRF-A
  pre-shared-key address 0.0.0.0 0.0.0.0 key ABC
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp profile XYZ
   vrf B
   keyring VRF-B
   match identity address 0.0.0.0

crypto isakmp profile ABC
   vrf A
   keyring VRF-A
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto dynamic-map ABC 10
set transform-set vpn
set isakmp-profile ABC
match address ABC-remote
!
crypto dynamic-map XYZ 10
set transform-set vpn
set isakmp-profile XYZ
match address XYZ-remote
!
!
crypto map VPN 11 ipsec-isakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC

ip access-list extended ABC-remote
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

ip access-list extended XYZ-remote
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255


ip route vrf A 10.0.0.0 255.0.0.0 172.16.1.2 global
ip route vrf B 10.2.0.0 255.255.0.0 172.16.1.3 global


interface FastEthernet1/0
description WAN-to-Internet

ip address 172.16.1.1 255.255.255.0
duplex full
speed 100
crypto map VPN

interface Loopback10
ip vrf forwarding A
ip address 10.1.1.1 255.255.255.0
!
interface Loopback20
ip vrf forwarding B
ip address 10.1.1.1 255.255.255.0

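Editor's note with an added example (this is not the poster's configuration and not a reply from the thread). The symptom matches how an IOS IKEv1 main-mode responder selects a pre-shared key: the keyring is looked up by the peer's source address before the peer's identity payload has arrived, so two keyrings that both cover 0.0.0.0 0.0.0.0 are indistinguishable, and the first matching keyring in the running configuration is used for every peer. In the posted config that is VRF-B (key XYZ), so the ABC peer at 172.16.1.2 (the next hop of the VRF A route) cannot decrypt the fifth main-mode message, which is exactly what %CRYPTO-4-IKMP_BAD_MESSAGE reports; the mismatch is then also attributed to the wrong ISAKMP profile, because both profiles carry `match identity address 0.0.0.0`. Which client survives depends on the order the keyrings were entered, which is why re-creating a profile appears to fix it. The configuration below gives each keyring and profile a non-overlapping peer scope. It assumes the ABC peer is 172.16.1.2 and the XYZ peer is 172.16.1.3 (taken from the post's static routes); the keys ABC and XYZ are placeholders, and the hostname/aggressive-mode variant at the end goes beyond the post for peers whose addresses are not known in advance.

```cisco
! Added example (editor's, not the original poster's config).
! Assumed peer addresses: ABC peer 172.16.1.2, XYZ peer 172.16.1.3.
! Keys ABC and XYZ are placeholders.
!
! --- Ambiguous, as posted: both keyrings and both profiles match any peer ---
! crypto keyring VRF-B
!   pre-shared-key address 0.0.0.0 0.0.0.0 key XYZ
! crypto keyring VRF-A
!   pre-shared-key address 0.0.0.0 0.0.0.0 key ABC
! crypto isakmp profile XYZ
!    match identity address 0.0.0.0
! crypto isakmp profile ABC
!    match identity address 0.0.0.0
!
! --- Corrected: one keyring and one profile per distinct peer scope ---
! A /32 is used here because the peers are known; a customer's whole
! address block (e.g. 172.16.1.0 255.255.255.128) works the same way,
! as long as the two keyrings never overlap.
crypto keyring VRF-A
  pre-shared-key address 172.16.1.2 255.255.255.255 key ABC
crypto keyring VRF-B
  pre-shared-key address 172.16.1.3 255.255.255.255 key XYZ
!
crypto isakmp profile ABC
  vrf A
  keyring VRF-A
  match identity address 172.16.1.2 255.255.255.255
crypto isakmp profile XYZ
  vrf B
  keyring VRF-B
  match identity address 172.16.1.3 255.255.255.255
!
! The dynamic maps, the crypto map and the transform set stay as posted;
! the profile chosen by IKE selects the dynamic-map entry and the IVRF.
!
! --- Variant for peers with unknown addresses (beyond the post) ---
! With aggressive mode the peer's identity is in the first IKE message,
! so the key can be chosen by hostname/FQDN instead of by address.
! The spoke must send its FQDN as its IKE identity (hypothetical names).
! crypto keyring VRF-A-FQDN
!   pre-shared-key hostname spoke1.abc.example key ABC
! crypto keyring VRF-B-FQDN
!   pre-shared-key hostname spoke1.xyz.example key XYZ
! crypto isakmp profile ABC-FQDN
!   vrf A
!   keyring VRF-A-FQDN
!   match identity host domain abc.example
! crypto isakmp profile XYZ-FQDN
!   vrf B
!   keyring VRF-B-FQDN
!   match identity host domain xyz.example
```

After applying the corrected section, clear the existing SAs (`clear crypto isakmp` and `clear crypto sa`) so the stale ones are not reused, then check `show crypto isakmp sa` and `show crypto session detail`: each peer should show QM_IDLE and the expected ISAKMP profile and VRF. If a peer still fails, `debug crypto isakmp` will show which keyring and profile the responder selected for that source address. Certificates (RSA signatures with `match identity` on the certificate's subject) avoid the PSK-selection problem entirely and are the better choice for a production concentrator serving many customers.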