
IPSEC no-xauth

mladentsvetkov
Level 1

Hi Guys,

I have issues with renegotiating SA after loss of communication between IPSEC peers.

I am using preshared keys, but the "no-xauth" option is not present on both peers.

Is it possible that the missing "no-xauth" option could be the cause of the problem with the SAs?

IOS is 12.4(9)T7. I think this could be the problem, because of bug CSCsj52483 (although it says that it is fixed in 12.4(18.3)T):

************************

IPSEC: ISAKMP SA negotiation not successful with cryptomap configured

Symptom:

ISAKMP SA negotiation not successful with cryptomap configured

Conditions:

1. config crypto maps doing Xauth.

2. peer1's pre-shared key should be defined with no-xauth keyword and peer2 having a pre-shared key without the special tag.

3. peer1 initiates IKE and SAs should come up. Also parse thru the ike debugs and make sure XAUTH exchanges did not happen

At 3rd step IKE and SAs are not coming up when initiates the session from peer1.

Workaround:

None

************************

Thanks in advance,

Mladen

p.s.: I couldn't find which IOS is "12.4(18.3)T"

1 Reply

ovt
Level 4

If you have configured EasyVPN Server on the same device that has Site-to-Site tunnels, then you need no-xauth. Otherwise it really doesn't matter.
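
The rule in the reply above, written as a configuration check. This is an added example, not part of the thread and not Cisco code: it flags static crypto map peers whose pre-shared key lacks `no-xauth` while the same crypto map has Xauth enabled through `client authentication list`. The sample config, key strings and the names VPN, VPNUSERS and REMOTE are constructed; the addresses are documentation ranges.

```python
import re

# Constructed sample running-config: placeholder keys, documentation-range addresses.
SAMPLE_CONFIG = """\
aaa authentication login VPNUSERS local
crypto isakmp key EXAMPLE-KEY-1 address 192.0.2.10
crypto isakmp key EXAMPLE-KEY-2 address 198.51.100.20 no-xauth
crypto isakmp client configuration group REMOTE
 key EXAMPLE-GROUP-KEY
crypto map VPN client authentication list VPNUSERS
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.20
"""

XAUTH_MAP_RE = re.compile(r"^crypto map (\S+) client authentication list \S+", re.M)
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp")

def parse_isakmp_keys(config):
    """Return {peer_address: has_no_xauth} for each 'crypto isakmp key ... address ...' line."""
    peers = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok[:-1]:
            peers[tok[tok.index("address") + 1]] = tok[-1] == "no-xauth"
    return peers

def static_peers(config):
    """Return {peer_address: crypto_map_name} from 'set peer' lines inside crypto map entries."""
    current, peers = None, {}
    for line in config.splitlines():
        entry = MAP_ENTRY_RE.match(line)
        if entry:
            current = entry.group(1)
        elif current and line.startswith(" set peer "):
            peers[line.split()[2]] = current
        elif not line.startswith(" "):
            current = None  # left the crypto map entry sub-mode
    return peers

def audit(config):
    """List (peer, crypto_map) pairs where Xauth is on for the map but the key lacks no-xauth."""
    xauth_maps = set(XAUTH_MAP_RE.findall(config))
    keys = parse_isakmp_keys(config)
    return sorted((peer, cmap) for peer, cmap in static_peers(config).items()
                  if cmap in xauth_maps and keys.get(peer) is False)

if __name__ == "__main__":
    for peer, cmap in audit(SAMPLE_CONFIG):
        print(f"{peer}: crypto map {cmap} does Xauth; pre-shared key has no 'no-xauth'")
```

Peers that have no `crypto isakmp key` line at all (for example, certificate-authenticated peers) are not reported by this check.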
