Dynamic 501 to 515 Configuration issues

Unanswered Question
Mar 5th, 2009
I'm having configuration issues with a VPN connection that I'm trying to set up and I hope someone can help me out. I'm trying to establish a dynamic VPN connection from a remote 501 to a local 515. The 515 already has one tunnel set up but doesn't seem to want to set up the tunnel to the 501. I'm really new to VPN configuration so any assistance that anyone can offer would be greatly appreciated!


Thanks,

Steve


Here is the crypto configuration off of the 501:


crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000


And from the 515:

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 102
crypto map mymap 5 set peer x.x.x.x
crypto map mymap 5 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
crypto map colorado 10 ipsec-isakmp
crypto map colorado 10 set peer x.x.x.x
crypto map colorado 10 set peer y.y.y.y
crypto map colorado 10 set transform-set myset
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


eddie.mitchell@... Thu, 03/05/2009 - 13:11

Why are you attempting to create a dynamic VPN? It sounds like you need a simple L2L VPN. Am I missing something?

slongewa Thu, 03/05/2009 - 13:12
By Dynamic, I meant that we don't know the IP address of the remote site. Sorry for the confusion.


Steve

slongewa Thu, 03/05/2009 - 13:28
Yes, thanks, that's the guide I've been trying to go off of.

eddie.mitchell@... Thu, 03/05/2009 - 13:40
I don't see 'sysopt connection permit-ipsec' and the 'isakmp identity address' in the 501 config. Is it present? Also, what do your crypto ACL's look like?

slongewa Thu, 03/05/2009 - 13:44
They are there; I didn't include them in the output for some reason. I can see the negotiation process start, but I get an IKMP_NO_ERR_NO_TRANS message as soon as the key negotiation starts. I'm not familiar with this message, so I'm not sure why the key negotiation is failing.

eddie.mitchell@... Thu, 03/05/2009 - 13:53

Steve,


Can you set your isakmp debug to a higher level and see if there are any other messages being generated? I don't think this message by itself is an indication of a specific problem. Please reference the following VPN debugging notes:


http://www.boerderie.com/VPNdebugging.html


-Eddie

slongewa Thu, 03/05/2009 - 14:16
Great site! Thanks a bunch. How do I set my ISAKMP debugging to a higher level? The only command I see is debug crypto isakmp.


Thanks,

Steve

eddie.mitchell@... Thu, 03/05/2009 - 14:20

debug crypto isakmp


I usually set it at 9 if I'm not seeing messages of any relevance.


Don't forget to do 'undebug all' when you're finished.


-Eddie

slongewa Thu, 03/05/2009 - 14:37
My groups were not lining up for ISAKMP - I had group 1 configured on the remote router, and group 2 configured on the primary PIX.


Steve
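The root cause in this thread was a Diffie-Hellman group mismatch between the two ISAKMP policies, which the PIX surfaces only as IKMP_NO_ERR_NO_TRANS. The following Python script is an added example, not code from this thread or from Cisco: it parses the `isakmp policy` lines of both peers, applies the IKEv1 proposal-matching rules as Cisco documents them (authentication, encryption, hash and DH group must be identical; the responder accepts an initiator lifetime equal to or shorter than its own, never longer) and reports which policy pair matches or exactly why none does. It also flags parameters that are weak by current standards (DES/3DES, MD5, MODP groups 1 and 2). The embedded configs are constructed from the two posted configs plus a copy of the 501 policy with the group corrected; the PIX 6.x defaults it fills in for attributes a policy does not set are assumed from Cisco documentation.

```python
"""Compare the ISAKMP (IKEv1 phase 1) policies of two PIX peers and
explain why they do or do not match.

Added example, not code from the thread or from Cisco.  The PIX 6.x
defaults below for unconfigured attributes are assumed from Cisco's
documentation; the embedded configs are constructed from the ones posted.
"""
from __future__ import annotations

import re

ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

# Assumed PIX 6.x defaults for an attribute a policy does not set.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
            "hash": "sha", "group": "1", "lifetime": "86400"}

# Settings that are weak by current standards: DES/3DES, MD5,
# and MODP groups 1 (768-bit) and 2 (1024-bit).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (\w+) (\S+)\s*$")


def parse_policies(config: str) -> dict[int, dict[str, str]]:
    """Collect 'isakmp policy <n> <attr> <value>' lines per policy number,
    filling in the assumed defaults for attributes that are not set."""
    policies: dict[int, dict[str, str]] = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m and m.group(2) in ATTRS:
            num = int(m.group(1))
            policies.setdefault(num, dict(DEFAULTS))[m.group(2)] = m.group(3)
    return policies


def differences(initiator: dict[str, str], responder: dict[str, str]) -> list[str]:
    """IKEv1 matching as Cisco documents it: authentication, encryption,
    hash and DH group must be identical; a responder accepts an initiator
    lifetime that is equal to or shorter than its own, never longer."""
    diffs = [f"{a} {initiator[a]}!={responder[a]}"
             for a in ATTRS[:-1] if initiator[a] != responder[a]]
    if int(initiator["lifetime"]) > int(responder["lifetime"]):
        diffs.append(f"lifetime {initiator['lifetime']}>{responder['lifetime']}")
    return diffs


def find_match(init_cfg: str, resp_cfg: str) -> tuple[int, int] | None:
    """First (initiator policy, responder policy) pair that matches,
    trying policies in priority order (lowest number first)."""
    init, resp = parse_policies(init_cfg), parse_policies(resp_cfg)
    for i in sorted(init):
        for r in sorted(resp):
            if not differences(init[i], resp[r]):
                return (i, r)
    return None


def explain(init_cfg: str, resp_cfg: str) -> list[str]:
    """One line per policy pair: the attributes that block a match, or 'match'.
    This is the detail the PIX hides behind IKMP_NO_ERR_NO_TRANS."""
    init, resp = parse_policies(init_cfg), parse_policies(resp_cfg)
    return [f"initiator {i} vs responder {r}: "
            + (", ".join(differences(init[i], resp[r])) or "match")
            for i in sorted(init) for r in sorted(resp)]


def weak_settings(config: str) -> list[str]:
    """Flag policy attributes that should not be used today."""
    return [f"policy {num}: {attr} {pol[attr]}"
            for num, pol in sorted(parse_policies(config).items())
            for attr, bad in WEAK.items() if pol[attr] in bad]


# Constructed from the posted configs (phase 1 lines only).
PIX_501 = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""
PIX_501_FIXED = PIX_501.replace("group 1", "group 2")   # the fix Steve applied
PIX_515 = """
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", PIX_501), ("group fixed", PIX_501_FIXED)):
        print(f"{label}: match = {find_match(cfg, PIX_515)}")
        for line in explain(cfg, PIX_515):
            print("  " + line)
    print("weak on 515:", weak_settings(PIX_515))
```

Run as posted, the 501's single policy fails against both 515 policies (encryption and group against policy 5, group alone against policy 10); with the group corrected, policy 10 on each side matches. The lifetime check also shows why the reverse direction (515 initiating to the 501 with its 1000-second policy) would fail even after the group fix, and the weak-setting list is the caveat a practitioner should act on before reusing these policies today.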
