Router w/ Dynamic L2L Tunnel and VPN Clients

Answered Question
Feb 3rd, 2009

I have a 7200 router currently configured with VPN clients. I am attempting to add a dynamic L2L tunnel to it. When I do, I am no longer able to connect using the VPN client. I followed the configuration in the following URL.

As soon as I add...

crypto dynamic-map dynmap 5
 set isakmp-profile VPNclient

the VPN client no longer works. I don't have access to the config right now as I took it all out. Anyone have this working properly?


Ivan Martinon Tue, 02/03/2009 - 09:18

This configuration should work. We will need to take a look at your config to see what you might be missing; maybe a keyring setup?

acomiskey Tue, 02/03/2009 - 10:23

I will post up the configuration I am using as soon as I can. Thanks for looking.

celiocarreto Wed, 02/04/2009 - 03:25
Here is a configuration example:

aaa authentication login userauth local
aaa authorization network groupauth local
!
username clientuser password 0 XXXXX
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key YYYYY address   <- password for dynamic site-to-site
!
crypto isakmp client configuration group vpnclient
 pool vpn-pool
 acl 120
!
crypto isakmp profile VPNclient
 description vpnclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
!
crypto ipsec transform-set myvpn esp-3des esp-sha-hmac
!
crypto dynamic-map mymap3 5   <- client VPN
 set transform-set myvpn
 set isakmp-profile VPNclient
 match address 110   <- match VPN pool
crypto dynamic-map mymap3 10   <- site VPN
 set transform-set myvpn2
 match address 140   <- match internal site IP
!
crypto map mymap 20 ipsec-isakmp dynamic mymap3
!
ip local pool vpn-pool
!
access-list 110 permit ip any
access-list 120 remark split-tunnel for vpn-clients
access-list 120 permit ip
access-list 130 remark no-nat-accesslist
access-list 130 deny ip
access-list 130 deny ip
access-list 130 permit ip any
access-list 140 remark site-IPs
access-list 140 permit ip
!
ip nat inside source list 130 interface Dialer0 overload

Regards, Celio

Ivan Martinon Wed, 02/04/2009 - 07:42

The reason this does not work is that you have the default key set up:

crypto isakmp key YYYYY address   <- password for dynamic site-to-site

This key has to be defined in a keyring rather than here; otherwise clients will not connect. Follow the link you pasted and check that they use keyrings for clients and for dynamic clients.

celiocarreto Wed, 02/04/2009 - 07:50

Hi Imartino,

This configuration is currently working, but every remote site has the same password :-)

Regards, Celio

Ivan Martinon Wed, 02/04/2009 - 07:53

Regardless of every remote having the same password, you need to put this dynamic key into a keyring. If this is not done, your clients will not work.

acomiskey Fri, 02/13/2009 - 06:16

Back to my original issue here..

I was able to get this working, but now I seem to be having issues with my other L2L tunnels dropping out every so often and not coming back up. Anyone ever seen this error before?

Found ADDRESS key in keyring spokes
Feb 13 09:07:00: ISAKMP (0:578): Oops. Used some key with the peer and
Feb 13 09:07:00: when she revealed identity we don't find
Feb 13 09:07:00: hers in the relevant keyring. Thwarting her.

This is what I got when I tried to initiate one of my static L2L tunnels. This tunnel should have nothing to do with the keyring.

acomiskey Fri, 02/13/2009 - 07:56

I can post some... will post back in a little while. Thanks.

acomiskey Fri, 02/13/2009 - 08:03

Here is what should be relevant, let me know if you need more.

Ivan Martinon Fri, 02/13/2009 - 08:24

I thought this too some time ago. Try to get your static LAN-to-LAN to use profiles as well, with keyrings too; that should fix it.

acomiskey Fri, 02/13/2009 - 08:30

Yuck, I was afraid you would say that. There are a lot more VPNs than what I posted. Would adding a "match address" statement somewhere for the dynamic L2L tunnel help at all?

Ivan Martinon Fri, 02/13/2009 - 08:34

Unfortunately, no. The problem with a dynamic setup plus VPN clients comes when the identity is to be negotiated/identified: since both dynamic tunnels and VPN clients would use the "default key" (isakmp key ...), the router needs a way to identify each kind of connection (VPN clients vs. dynamics), hence the use of the ISAKMP profiles. So, as you can see, it is a problem with ISAKMP negotiation rather than IPsec phase 2 negotiation.

acomiskey Fri, 02/13/2009 - 09:06

So the static tunnels I have are landing on the dynamic map before hitting the static ones?

crypto dynamic-map DYNmap 30
 set transform-set 3des
 set pfs group2
 set isakmp-profile L2L
!
crypto map lim 115 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3des
 match address 115


Ivan Martinon Fri, 02/13/2009 - 09:15

It seems they are not even landing on any tunnel: since there is no keyring with which to identify them, it does not go any further, unless your outputs show something else. show crypto isakmp sa

acomiskey Fri, 02/13/2009 - 09:39

The tunnels are coming up, but they seem to be bouncing up and down.

dst           src        state        conn-id  slot
              x.x.x.1    QM_IDLE      548      0
              x.x.x.2    QM_IDLE      603      0
              x.x.x.3    MM_NO_STATE  638      0   (deleted)
              x.x.x.4    QM_IDLE      629      0
              x.x.x.5    QM_IDLE      599      0
              x.x.x.6    QM_IDLE      610      0   L2L
              x.x.x.7    QM_IDLE      627      0   VPNclient
              x.x.x.8    QM_IDLE      636      0   VPNclient
x.156.x.157   x.x.x.9    QM_IDLE      639      0
x.71.x.52     x.x.x.10   MM_NO_STATE  637      0   (deleted)
x.201.x.43    x.x.x.11   QM_IDLE      622      0

Correct Answer
Ivan Martinon Fri, 02/13/2009 - 09:45

OK, hmm, I think it is an issue with the config. Give it a shot with one of the L2Ls that is bouncing: set it to a profile and keyring. What is the result?

Hello guys

I have a similar problem with Dynamic peers, static peers and VPN clients.

I'm using isakmp profiles and keyrings for dynamic peers and vpn clients but not for that static tunnel.

What happens is that when I try to establish the dynamic tunnel, the router asks for XAUTH, which was supposed to be bypassed if I'm not wrong... VPN clients and the static tunnel work fine.

Could anyone give me a hint?



acomiskey Fri, 02/20/2009 - 08:19

So far so good. Thanks for the help.

satheesh118 Thu, 02/19/2009 - 18:56

Hi, can you please help me to create a site-to-site tunnel VPN...

If possible, can you please share the doc too.

Ivan Martinon Fri, 02/20/2009 - 08:25

Hey, basically you need to create another profile for your static VPN tunnels, with a keyring too. Follow the doc at the very top of this post; just adapt it to your setup.
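As an added example (not posted by anyone in this thread), here is what the arrangement Ivan Martinon describes above looks like when all three peer classes (static L2L, dynamic L2L spokes, VPN clients) each carry their own keyring and ISAKMP profile, so no peer has to fall back on a global "crypto isakmp key" entry. Profile names, keyring names, ACL numbers, the RFC 5737 addresses, the pool range and the keys are all assumed for illustration; it also uses AES/SHA and DH group 14 where the thread used 3DES/group 2, so substitute whatever your IOS release supports.

```cisco
! Added example config (assumed names/addresses/keys), not from the thread.
! One keyring per peer class: the PSK is found through the profile
! that matched the peer, never through a global "crypto isakmp key".
crypto keyring STATIC-KEYS
 pre-shared-key address 203.0.113.10 255.255.255.255 key StaticPeerKey1
crypto keyring SPOKE-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key DynamicSpokeKey1
!
! Phase 1 policy shared by all three classes
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
! Group for the VPN clients (mode-config, XAUTH)
crypto isakmp client configuration group vpnclient
 key ClientGroupKey1
 pool vpn-pool
 acl 120
!
! Profiles: specific static peer first, wildcard spokes after it,
! clients matched by group name. Only the client profile carries
! "client authentication list", so only clients are asked for XAUTH.
crypto isakmp profile STATIC-L2L
 keyring STATIC-KEYS
 match identity address 203.0.113.10 255.255.255.255
!
crypto isakmp profile DYN-L2L
 keyring SPOKE-KEYS
 match identity address 0.0.0.0 0.0.0.0
!
crypto isakmp profile VPNclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic map: clients (by profile), then dynamic spokes (by profile)
crypto dynamic-map DYNmap 5
 set transform-set AES-SHA
 set isakmp-profile VPNclient
crypto dynamic-map DYNmap 10
 set transform-set AES-SHA
 set pfs group14
 set isakmp-profile DYN-L2L
 match address 140
!
! Static entry pinned to its own profile so the keyring lookup succeeds
crypto map lim 115 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set AES-SHA
 set isakmp-profile STATIC-L2L
 match address 115
crypto map lim 1000 ipsec-isakmp dynamic DYNmap
!
ip local pool vpn-pool 10.10.10.1 10.10.10.50
access-list 115 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 120 permit ip 10.1.0.0 0.0.255.255 any
access-list 140 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
```

Two checks worth doing after applying something like this. First, "show crypto isakmp sa" should list a profile name at the end of every line, as it already did for the L2L and VPNclient entries in the output posted above; a peer with no profile name is still being matched through a global key and is a candidate for the "Used some key with the peer ... don't find hers in the relevant keyring" failure shown in the debug. Second, keep the specific static-peer profile configured ahead of the 0.0.0.0 wildcard so that profile ordering cannot send a static peer into the spoke profile, where its key would not be found. For the XAUTH question raised further up: leaving "client authentication list" off the two L2L profiles is what keeps dynamic spokes from being prompted for XAUTH.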
