dynamic map IPSEC issue

Jul 13th, 2009

Hello All,

I have a 2801 which is currently serving my IPSEC VPN clients. This has a dynamic map setup, where the tunnel initialisation happens from the user connecting. I use RADIUS to authenticate and authorise the users. Now I am planning to use the same 2801 at central to connect another 2801 at a hub and have an IPSEC tunnel between them.

* Now if I use a pre-shared key for the hub and the central office, I have to type the key for the hub on the central router; for this we will use the crypto isakmp key **** command. But will this affect the other VPN users using RADIUS? Do I have to modify the aaa commands to check local first and then the RADIUS? Will this work?

please help




Hi Prakadeesh,

Actually you can simply add a static crypto map entry above the dynamic map.

Take this for instance:

crypto map secure 100 ipsec-isakmp
 set peer a.b.c.d
 set transform-set ESP-AES-128-SHA
 match address central-to-remote
crypto map secure 65535 ipsec-isakmp dynamic dynamicmap1

Notice the dynamic map is usually always placed at the END (last sequence) of the same crypto map as static remote peers?

Also regarding your key: once user authentication is configured on the router (XAUTH) it is necessary to EXEMPT the crypto isakmp keys of the static peers from the XAUTH process. Here is a sample of that (a.b.c.d is the static peer's address, as above):

crypto isakmp key DBbankm$%^! address a.b.c.d no-xauth

Simply create your branch/static ipsec peer's crypto isakmp keys with the "no-xauth" argument.

Please post safe versions of your configurations (show tech will do this) and we'll help you with anything else!
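To show how the two pieces above fit together on one router, here is an added example (not Joe's or prakadeesh's configuration) of a crypto map that serves RADIUS-authenticated VPN clients through a dynamic entry while a static site-to-site peer is exempted from XAUTH with no-xauth. The AAA list names, peer address a.b.c.d, address ranges and the transform-set, ACL and map names are assumed.

```cisco
! Added example, not from this thread. Assumed: a.b.c.d (static hub peer),
! list names radius-auth / radius-autz, map "secure", dynamic map "dynamicmap1",
! ACL "central-to-remote", 10.1.0.0/16 (central) and 10.2.0.0/16 (hub).
!
! Remote-access side: XAUTH logins and group authorization go to RADIUS
aaa new-model
aaa authentication login radius-auth group radius
aaa authorization network radius-autz group radius
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Static hub peer: "no-xauth" stops IKE from running XAUTH against this peer,
! so the AAA lists above stay as they are for the VPN clients
crypto isakmp key HUB-PSK-PLACEHOLDER address a.b.c.d no-xauth
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
! Template for the VPN clients: no fixed peer, no crypto ACL
crypto dynamic-map dynamicmap1 10
 set transform-set ESP-AES-128-SHA
 reverse-route
!
! XAUTH and mode-config apply to the whole crypto map, which is why
! the static peer's key needs the no-xauth exemption above
crypto map secure client authentication list radius-auth
crypto map secure isakmp authorization list radius-autz
crypto map secure client configuration address respond
!
! Static entry at a low sequence number, dynamic entry last (65535)
crypto map secure 100 ipsec-isakmp
 set peer a.b.c.d
 set transform-set ESP-AES-128-SHA
 match address central-to-remote
crypto map secure 65535 ipsec-isakmp dynamic dynamicmap1
!
ip access-list extended central-to-remote
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface FastEthernet0/0
 crypto map secure
```

The static entry is matched first because IOS evaluates crypto map entries in sequence-number order, so the dynamic entry only catches peers that no static entry claims.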


prakadeesh Tue, 07/14/2009 - 00:38

Thanks Joe,

As of now I have created a loopback IP and attached a separate crypto map to it and I am testing. I can see the following issues.

* Once I ping the central router from the peer the IPSEC gets established. I can see a QM_IDLE in the show isakmp sa command.

* I can ping the remote from central, but I can't ping the central from remote; I get a message that rec'd packet not IPSEC. I was able to ping both sides before the crypto map.

Please help



prakadeesh Wed, 07/15/2009 - 07:41

Hi Joe,

Still facing the same issue. I have got the IPSEC tunnel up between central and remote but I can't ping the central from the remote. I get a failure that the IP packet that the remote got was not encrypted :(. I have attached some configs and results; please have a look at them and let me know what's going wrong. The remote router is a test router and it's actually connected to the same LAN as the central because it's just a test setup.


prakadeesh Thu, 07/16/2009 - 00:40

Just to add to it. The tunnel runs between 195.195.X.X and 195.195.Y.Y. Now when I ping 195.195.Y.Y from the remote, the remote gets a "packet not IPSEC encrypted" error. I used the show crypto engine connections active command on both the routers. I can see that the central router is only decrypting the packets from the remote but it is not encrypting the packets. The show crypto ipsec sa shows that both the endpoints are using the same encryption algorithm. What am I missing here? One endpoint, the 195.195.Y.Y which is not encrypting, is a /24 on an interface; is that an issue? Please help, I am totally lost here.



prakadeesh Thu, 07/16/2009 - 05:02

During my testing I put the endpoints on the same VLAN IP range and the encrypt/decrypt happens properly. Please help, what could be wrong? Any suggestions please.

