Converting crypto map to unnumbered VTI

Unanswered Question
Nov 7th, 2007

I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto map has been working for months. The VTI... not so much. Here are the applicable config entries.


### original config

```
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key xxxxxxxx address 10.1.1.10
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map CRYPTO 50 ipsec-isakmp
 set peer 10.1.1.10
 set transform-set 3DES-SHA
 set pfs group2
 match address VPN1
!
ip access-list extended VPN1
 permit ip host 172.16.16.10 host 10.5.5.1
 permit ip host 172.16.16.10 host 10.5.5.4
```


I only removed the crypto map and added the following.


### New Config

```
crypto ipsec profile V1
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set pfs group2
!
interface Tunnel0
 ip unnumbered FastEthernet0/0
 ip nat outside
 ip virtual-reassembly
 tunnel source 172.16.8.1
 tunnel destination 10.1.1.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile V1
```


I keep getting this ISAKMP error now.


ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)


Any help would be greatly appreciated. Also... I have no idea what is running on the other end (it's a partner network), but I suspect it's a crypto map on IOS.


Thank you!
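
An added example, not part of the original post: a small Python check that lists the Phase 2 traffic selectors (proxy identities) each of the two configurations above would offer the peer. It assumes documented IOS behaviour that a static VTI in `tunnel mode ipsec ipv4` always proposes any/any, which the post itself does not state; the function names are hypothetical and only `permit ip host A host B` ACL entries are handled.

```python
import re

# Relevant lines copied from the post above (old crypto map, new VTI).
OLD_CONFIG = """\
crypto map CRYPTO 50 ipsec-isakmp
 set peer 10.1.1.10
 match address VPN1
ip access-list extended VPN1
 permit ip host 172.16.16.10 host 10.5.5.1
 permit ip host 172.16.16.10 host 10.5.5.4
"""
NEW_CONFIG = """\
interface Tunnel0
 tunnel destination 10.1.1.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile V1
"""

ANY = ("0.0.0.0/0", "0.0.0.0/0")

def crypto_map_selectors(config):
    """Return (local, remote) pairs from the ACL named by 'match address'."""
    m = re.search(r"^\s*match address (\S+)", config, re.M)
    if not m:
        return []
    acl, in_acl, pairs = m.group(1), False, []
    for line in config.splitlines():
        if line.startswith("ip access-list extended"):
            in_acl = line.split()[-1] == acl
        elif in_acl and line.startswith(" "):
            p = re.match(r"\s*permit ip host (\S+) host (\S+)", line)
            if p:
                pairs.append((p.group(1) + "/32", p.group(2) + "/32"))
        else:
            in_acl = False
    return pairs

def vti_selectors(config):
    """Assumption: a static VTI in 'tunnel mode ipsec ipv4' proposes any/any."""
    return [ANY] if re.search(r"^\s*tunnel mode ipsec ipv4", config, re.M) else []

def compare(old, new):
    before, after = set(crypto_map_selectors(old)), set(vti_selectors(new))
    return {"only_crypto_map": sorted(before - after), "only_vti": sorted(after - before)}

if __name__ == "__main__":
    for side, pairs in compare(OLD_CONFIG, NEW_CONFIG).items():
        for local, remote in pairs:
            print(f"{side}: {local} -> {remote}")
```

If the partner end still runs a crypto map with a mirrored host ACL, it is now being offered different Phase 2 identities than before, which is worth confirming with the partner.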
