Dynamic 501 to 515 Configuration issues

Unanswered Question
Mar 5th, 2009

I'm having configuration issues with a VPN connection that I'm trying to setup and I hope someone can help me out. I'm trying to establish a dynamic VPN connection from a remote 501 to a local 515. The 515 already has one tunnel setup but doesn't seem to want to setup the tunnel to the 501. I'm really new to VPN configuration so any assistance that anyone can offer would be greatly appreciated!

Thanks,

Steve

Here is the crypto configuration off of the 501:

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

And from the 515:

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 102
crypto map mymap 5 set peer x.x.x.x
crypto map mymap 5 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
crypto map colorado 10 ipsec-isakmp
crypto map colorado 10 set peer x.x.x.x
crypto map colorado 10 set peer y.y.y.y
crypto map colorado 10 set transform-set myset
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

eddie.mitchell@... Thu, 03/05/2009 - 13:11

Why are you attempting to create a dynamic VPN? It sounds like you need a simple L2L VPN. Am I missing something?

slongewa Thu, 03/05/2009 - 13:12

By Dynamic, I meant that we don't know the IP address of the remote site. Sorry for the confusion.

Steve

slongewa Thu, 03/05/2009 - 13:28

Yes, thanks, that's the guide I've been trying to go off of.

eddie.mitchell@... Thu, 03/05/2009 - 13:40

I don't see 'sysopt connection permit-ipsec' and the 'isakmp identity address' in the 501 config. Is it present? Also, what do your crypto ACL's look like?

slongewa Thu, 03/05/2009 - 13:44

They are there; I didn't include them in the output for some reason. I can see the negotiation process start, but I get an IKMP_NO_ERR_NO_TRANS message as soon as the key negotiation starts. I'm not familiar with this message, so I'm not sure why the key negotiation is failing.

slongewa Thu, 03/05/2009 - 14:16

Great site! Thanks a bunch. How do I set my ISAKMP debugging to a higher level? The only command I see is debug crypto isakmp.

Thanks,

Steve

eddie.mitchell@... Thu, 03/05/2009 - 14:20

debug crypto isakmp

I usually set it at 9 if I'm not seeing messages of any relevance.

Don't forget to do 'undebug all' when you're finished.

-Eddie

slongewa Thu, 03/05/2009 - 14:37

My groups were not lining up for ISAKMP - I had group 1 configured on the remote router, and group 2 configured on the primary PIX.

Steve
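As an added example (not from the thread or from Cisco), a small Python check that parses the isakmp policy lines from both PIX configs as posted above and reports whether any pair of Phase 1 proposals agrees on authentication, encryption, hash and DH group, which is the group 1 / group 2 mismatch Steve found. The config excerpts are reconstructed from the posts; check_peers and the other function names are mine.

```python
import re
from itertools import product
# Constructed excerpts of the two PIX configs posted in the thread (the 501 and the 515).
PIX501_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""
PIX515_CONFIG = """
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""
POLICY_RE = re.compile(r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")
# Attributes both peers must agree on for Phase 1; lifetime is negotiated (the lower value wins).
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(config):
    """Return {priority: {attr: value}} for every 'isakmp policy' line in a PIX config."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
    return policies

def find_phase1_matches(local, remote):
    """Return [(local_prio, remote_prio)] for every pair of policies that would agree."""
    return [(lp, rp) for (lp, lpol), (rp, rpol) in product(sorted(local.items()), sorted(remote.items()))
            if all(lpol.get(a) == rpol.get(a) for a in MATCH_ATTRS)]

def mismatch_reasons(local, remote):
    """For each policy pair, list the attributes that differ (an empty list means a match)."""
    return {(lp, rp): [f"{a}: {lpol.get(a)} vs {rpol.get(a)}" for a in MATCH_ATTRS if lpol.get(a) != rpol.get(a)]
            for (lp, lpol), (rp, rpol) in product(sorted(local.items()), sorted(remote.items()))}

def check_peers(local_config, remote_config):
    """Parse both configs and report whether any Phase 1 proposal can be accepted, and why not."""
    local, remote = parse_isakmp_policies(local_config), parse_isakmp_policies(remote_config)
    matches = find_phase1_matches(local, remote)
    return {"ok": bool(matches), "matches": matches, "reasons": mismatch_reasons(local, remote)}
```

With the configs as posted, check_peers returns no matching pair and attributes the policy 10 / policy 10 failure to the DH group alone; changing the 501's policy to group 2 makes that pair agree.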
