Router w/ Dynamic L2L Tunnel and VPN Clients

Answered Question
Feb 3rd, 2009

I have a 7200 router currently configured w/ vpn clients. I am attempting to add a dynamic l2l tunnel to it. When I do, I am no longer able to connect using the vpn client. I followed the configuration in the following url.

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

As soon as I add...

crypto dynamic-map dynmap 5
 set isakmp-profile VPNclient

the vpn client no longer works. Don't have access to the config right now as I took it all out. Anyone have this working properly?

Ivan Martinon Tue, 02/03/2009 - 09:18

This configuration should work, we will need to take a look at your config to see what you might be missing, maybe a keyring setup?

acomiskey Tue, 02/03/2009 - 10:23

I will post up the configuration I am using as soon as I can. Thanks for looking.

celiocarreto Wed, 02/04/2009 - 03:25

Hi,

here is a configuration example:

local-inside: 192.168.1.0/24
vpn-pool: 192.168.3.0/24
remote-site-IP: 192.168.100.0/24

aaa authentication login userauth local
aaa authorization network groupauth local
username clientuser password 0 XXXXX
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key YYYYY address 0.0.0.0 0.0.0.0 <- password for dynamic site-to-site
!
crypto isakmp client configuration group vpnclient
 key ZZZZZZZ
 pool vpn-pool
 acl 120
crypto isakmp profile VPNclient
 description vpnclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
!
crypto ipsec transform-set myvpn esp-3des esp-sha-hmac
!
crypto dynamic-map mymap3 5 <- CLient VPN
 set transform-set myvpn
 set isakmp-profile VPNclient
 match address 110 <- match VPN-Pool
crypto dynamic-map mymap3 10 <- site-VPN
 set transform-set myvpn2
 match address 140 <- match internal Site-IP
!
crypto map mymap 20 ipsec-isakmp dynamic mymap3
!
ip local pool vpn-pool 192.168.3.1 192.168.3.254
!
access-list 110 permit ip any 192.168.3.0 0.0.0.255
access-list 120 remark split-tunnel for vpn-clients
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 remark no-nat-accesslist
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 130 interface Dialer0 overload
access-list 140 remark site-IPs
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

Regards, Celio

Ivan Martinon Wed, 02/04/2009 - 07:42

The reason this does not work is because you have the default key setup:

crypto isakmp key YYYYY address 0.0.0.0 0.0.0.0 <- password for dynamic site-to-site

This key has to be defined in a keyring rather than here, otherwise clients will not connect. Follow the link you pasted and check that they use keyrings for clients and for dynamic clients.

celiocarreto Wed, 02/04/2009 - 07:50

Hi Imartino,

this configuration is currently working. But every remote-site has the same password :-)

Regards, Celio

Ivan Martinon Wed, 02/04/2009 - 07:53

Regardless of every remote having the same password, you need to put this dynamic key into a keyring; if this is not done, then your clients will not work.

acomiskey Fri, 02/13/2009 - 06:16

Back to my original issue here..

I was able to get this working, but now seem to be having issues with my other L2L tunnels dropping out every so often and not coming back up. Anyone ever seen this error before?

Found ADDRESS key in keyring spokes
Feb 13 09:07:00: ISAKMP (0:578): Oops. Used some key with the peer and
Feb 13 09:07:00: when she revealed identity we don't find
Feb 13 09:07:00: hers in the relevant keyring. Thwarting her.

This is what I got when I tried to initiate one of my static L2L tunnels. This tunnel should have nothing to do with the keyring.

acomiskey Fri, 02/13/2009 - 07:56

I can post some...will post back in a little while. thanks.

Ivan Martinon Fri, 02/13/2009 - 08:24

I thought this too some time ago, try to get your static lan to lan to use profiles as well with keyrings too, that should fix it

acomiskey Fri, 02/13/2009 - 08:30

Yuck, I was afraid you would say that. There are a lot more vpn's than what I posted. Would adding a "match address" statement somewhere for the dynamic l2l tunnel help at all?

Ivan Martinon Fri, 02/13/2009 - 08:34

Unfortunately nope. The problem with the dynamic setup and vpn clients comes when the identity is to be negotiated/identified: since both dynamic tunnels and vpn clients would use the "default key" (isakmp key ... 0.0.0.0), the router would need a way to identify each kind of connection (vpn clients vs. dynamics), hence the use of the isakmp profiles. So as you can see it is a problem with isakmp negotiation rather than ipsec phase 2 negotiation.

acomiskey Fri, 02/13/2009 - 09:06

So the static tunnels I have are landing on the dynamic map 0.0.0.0 before hitting the static ones?

crypto dynamic-map DYNmap 30
 set transform-set 3des
 set pfs group2
 set isakmp-profile L2L
!
crypto map lim 115 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3des
 match address 115
 reverse-route

Ivan Martinon Fri, 02/13/2009 - 09:15

It seems they are not even landing on any tunnel: since there is no keyring with which to identify them, it does not go further, unless your outputs show something else. show crypto isakmp sa

acomiskey Fri, 02/13/2009 - 09:39

The tunnels are coming up, but they seem to be bouncing up and down.

dst             src             state        conn-id slot
x.x.x.1         192.168.10.1    QM_IDLE      548     0
x.x.x.2         192.168.10.1    QM_IDLE      603     0
x.x.x.3         192.168.10.1    MM_NO_STATE  638     0 (deleted)
x.x.x.4         192.168.10.1    QM_IDLE      629     0
x.x.x.5         192.168.10.1    QM_IDLE      599     0
192.168.10.1    x.x.x.6         QM_IDLE      610     0 L2L
192.168.10.1    x.x.x.7         QM_IDLE      627     0 VPNclient
192.168.10.1    x.x.x.8         QM_IDLE      636     0 VPNclient
x.156.x.157     x.x.x.9         QM_IDLE      639     0
x.71.x.52       x.x.x.10        MM_NO_STATE  637     0 (deleted)
x.201.x.43      x.x.x.11        QM_IDLE      622     0

Correct Answer
Ivan Martinon Fri, 02/13/2009 - 09:45

OK, mhhh I think it is an issue with the config, give it a shot to one of the L2L that is bouncing, set it to profile and keyring, what is the result.

Hello guys

I have a similar problem with Dynamic peers, static peers and VPN clients.

I'm using isakmp profiles and keyrings for dynamic peers and vpn clients but not for that static tunnel.

What happens is that when I try to establish the dynamic tunnel the router asks for XAUTH, which was supposed to be bypassed if I'm not wrong... vpn clients and static tunnel work fine.

Could anyone give me a hint?

Thanks.

Guilherme

satheesh118 Thu, 02/19/2009 - 18:56

Hi, can you please help me to create a site to site tunnel vpn...

If possible can you please share the doc too.

Ivan Martinon Fri, 02/20/2009 - 08:25

Hey, basically you need to create another profile for your static vpn tunnels with a keyring too, follow the doc at the very top of this post just adapt it to your setup.
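Putting the thread's advice together (the wildcard pre-shared key moved into a keyring, and every peer type, VPN client, dynamic L2L and static L2L, bound to its own ISAKMP profile), here is an added example configuration. It is not from the thread, from Cisco's document, or from any poster's router; peer address 203.0.113.10, the keyring and profile names, the key placeholders, and the ACL numbers 110, 115 and 140 (assumed to exist, as in the configs posted above) are all assumptions.

```cisco
! Added example, not from the thread. Addresses, names and keys are placeholders.
!
! Remove any global wildcard key such as
!   crypto isakmp key YYYYY address 0.0.0.0 0.0.0.0
! Every pre-shared key lives in a keyring so the router knows which
! key belongs to which kind of peer.
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key DYNAMIC-L2L-KEY-PLACEHOLDER
crypto keyring static-peers
 pre-shared-key address 203.0.113.10 255.255.255.255 key STATIC-PEER-KEY-PLACEHOLDER
!
! Profile for VPN clients, matched by group name. This is the only
! profile carrying "client authentication list", so only clients are
! prompted for XAUTH; a dynamic L2L peer landing on the L2L profile
! below is not.
crypto isakmp client configuration group vpnclient
 key GROUP-KEY-PLACEHOLDER
 pool vpn-pool
 acl 120
crypto isakmp profile VPNclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
!
! Profile for dynamic site-to-site peers: any address, keyed from the
! "spokes" keyring, no XAUTH.
crypto isakmp profile L2L
 keyring spokes
 match identity address 0.0.0.0 0.0.0.0
!
! Profile for the static peer: its own keyring and a host-specific
! match, so the static tunnel is no longer looked up in the dynamic
! keyring (the "Found ADDRESS key in keyring spokes" case above).
crypto isakmp profile STATIC
 keyring static-peers
 match identity address 203.0.113.10 255.255.255.255
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto dynamic-map DYNmap 5
 set transform-set 3des
 set isakmp-profile VPNclient
 match address 110
crypto dynamic-map DYNmap 30
 set transform-set 3des
 set pfs group2
 set isakmp-profile L2L
 match address 140
!
! Static entry bound to its profile; the dynamic entry keeps the
! highest sequence number so static peers are tried first.
crypto map lim 115 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set 3des
 set isakmp-profile STATIC
 match address 115
 reverse-route
crypto map lim 200 ipsec-isakmp dynamic DYNmap
```

After applying it, `show crypto isakmp sa` should list the static peer's SA in QM_IDLE with no `(deleted)` MM_NO_STATE entries flapping for it, and the keyring "Oops" message should no longer appear for that peer; if a static peer still shows up under the L2L profile, its `match identity address` line in the STATIC profile does not match the identity the peer actually sends.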
