Dynamic Site-to-Site & Remote Access on Same Router

Unanswered Question

I have recently come across some interesting IPsec behavior when modifying one of our Hub routers in our current VPN topology. When adding dynamic entries for sites that are now acquiring dynamic addresses (changing from time to time), I used ISAKMP Profiles that referenced keyrings for both the Dynamic L2L and the Remote Access entries. After which, any globally defined pre-shared keys being used for previously configured static sites seemed to be overlooked as the router was performing peer authentication and those sites could never fully develop a Phase 1 connection. I had to use ISAKMP Profiles with nested keyrings for each of these sites to enable them to pass Main Mode. I was just curious if anyone else has experienced something similar.


I had something similar: static IP L2L and Easy VPN client configuration. The Easy VPN clients could not complete main mode until I used ISAKMP profiles in addition to the "crypto isakmp client configuration group BLABLABLA" configuration entries.

Very strange and this was using 12.3 and 12.4 IOS trains.
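The configuration pattern both posts describe, written out as an added example (this is not the posters' configuration): every peer type on the hub gets its own ISAKMP profile with its own keyring, so no static site depends on a global `crypto isakmp key` entry that may be skipped once profiles exist. Peer addresses, names, keys, ACLs and the transform set are placeholders, and the dynamic L2L site is assumed to identify itself by hostname (`match identity host`) because its address changes.

```cisco
! --- Static site (previously authenticated via a global crypto isakmp key) ---
crypto keyring KR-SITE-A
 pre-shared-key address 198.51.100.10 key SITE-A-PSK-PLACEHOLDER
!
crypto isakmp profile PROF-SITE-A
 keyring KR-SITE-A
 match identity address 198.51.100.10 255.255.255.255
!
! --- Dynamic L2L site: address changes, so match on the peer's IKE identity ---
crypto keyring KR-DYN-L2L
 pre-shared-key hostname spoke-b.example.net key DYN-L2L-PSK-PLACEHOLDER
!
crypto isakmp profile PROF-DYN-L2L
 keyring KR-DYN-L2L
 match identity host spoke-b.example.net
!
! --- Easy VPN remote-access clients (group name is the IKE identity) ---
aaa new-model
aaa authentication login EZVPN-AUTH local
aaa authorization network EZVPN-AUTHOR local
!
crypto isakmp client configuration group EZVPN-GROUP
 key EZVPN-GROUP-PSK-PLACEHOLDER
 pool EZVPN-POOL
!
crypto isakmp profile PROF-EZVPN
 match identity group EZVPN-GROUP
 client authentication list EZVPN-AUTH
 isakmp authorization list EZVPN-AUTHOR
 client configuration address respond
!
! --- IPsec: static entry first, dynamic map catches the rest ---
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set TS-AES
 set isakmp-profile PROF-DYN-L2L
 reverse-route
!
crypto dynamic-map DYNMAP 20
 set transform-set TS-AES
 set isakmp-profile PROF-EZVPN
 reverse-route
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 set isakmp-profile PROF-SITE-A
 match address ACL-SITE-A
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
!
interface GigabitEthernet0/0
 crypto map VPNMAP
```

Two checks worth doing after the change: `show crypto isakmp profile` confirms which keyring each profile is bound to, and `show crypto isakmp sa` should show the static peer reaching `QM_IDLE` rather than stalling in `MM_KEY_EXCH`. Keeping the specific keyrings ahead of any wildcard (`0.0.0.0`) keyring in the running configuration is the usual precaution against a catch-all key being tried against a static peer; that ordering is assumed here, not something the thread states.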
