11-12-2009 06:08 AM - edited 02-21-2020 04:23 PM
Hello everyone, I have configured a DMVPN hub and EzVPN server on a Cisco 2811 at the head office, and the branches have 2600 routers. There are 5 spokes at the moment for DMVPN. Users use the Cisco EzVPN client software to access the head office network. However, I am facing problems.
When I do
sh crypto isakmp sa
I usually see errors like
MM_NO_STATE
CONF_XAUTH
and the IP address in the destination is that of the DMVPN spokes. Sometimes when I type on the hub
crypto isakmp key cisco123 address 172.19.7.122 no-xauth
(a static entry for the DMVPN spoke with no-xauth), it works fine, but sometimes not. I could not test all the spokes at this moment because the network is not in production at this point.
I think the EzVPN server and the DMVPN server are having a conflict over this crypto isakmp key thing.
Attached is my DMVPN hub + EzVPN server configuration.
11-12-2009 02:51 PM
You will want to modify your configuration to use an ISAKMP profile. This will allow you to apply the EasyVPN xauth config to your incoming client connections only. For example:
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
! EasyVPN client group
crypto isakmp client configuration group testgroup
 key testgroup
 pool vpn-test-pool
! Xauth and mode config apply only to peers that match this profile
crypto isakmp profile vpn-test-profile
 match identity group testgroup
 client authentication list VPN
 isakmp authorization list VPN
 client configuration address respond
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto ipsec profile test-profile
 set transform-set test
!
!
! The dynamic map for client connections references the ISAKMP profile
crypto dynamic-map dyn-map 1
 set transform-set test
 set isakmp-profile vpn-test-profile
 reverse-route remote-peer 1.1.1.1
!
!
crypto map test 1 ipsec-isakmp dynamic dyn-map
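
A way to check for the symptom discussed in this thread, as an added example that is not part of either post: the script reads `crypto isakmp key` lines and `show crypto isakmp sa` output, then reports peers stuck in CONF_XAUTH or MM_NO_STATE together with whether their matching key carries `no-xauth`. The sample configuration, the SA table and the hub address 10.0.0.1 are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data (not the configuration attached to the thread).
SAMPLE_CONFIG = """\
crypto isakmp key cisco123 address 172.19.7.122 no-xauth
crypto isakmp key cisco123 address 172.19.8.0 255.255.255.0
"""
SAMPLE_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.19.7.122    10.0.0.1        QM_IDLE           1001    0 ACTIVE
172.19.8.5      10.0.0.1        CONF_XAUTH        1002    0 ACTIVE
172.19.9.9      10.0.0.1        MM_NO_STATE          0    0 ACTIVE (deleted)
"""

IP = r"\d+\.\d+\.\d+\.\d+"
KEY_RE = re.compile(rf"^crypto isakmp key \S+ address ({IP})(?: ({IP}))?( no-xauth)?\s*$", re.M)
SA_RE = re.compile(rf"^({IP})\s+({IP})\s+(\S+)", re.M)

def parse_keys(config):
    """Return (network, has_no_xauth) for every pre-shared key line."""
    keys = []
    for addr, mask, noxauth in KEY_RE.findall(config):
        net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
        keys.append((net, bool(noxauth)))
    return keys

def audit(config, sa_output, local_ip):
    """List (peer, state, reason) for SAs stuck in CONF_XAUTH or MM_NO_STATE."""
    keys = parse_keys(config)
    findings = []
    for dst, src, state in SA_RE.findall(sa_output):
        if state not in ("CONF_XAUTH", "MM_NO_STATE"):
            continue
        peer = src if dst == local_ip else dst  # the address that is not the hub
        ip = ipaddress.ip_address(peer)
        matches = [(net, nx) for net, nx in keys if ip in net]
        if not matches:
            reason = "no pre-shared key matches this peer"
        else:
            # The most specific key wins, so a host entry overrides a subnet entry.
            _, nx = max(matches, key=lambda m: m[0].prefixlen)
            reason = "matching key has no-xauth" if nx else "matching key lacks no-xauth"
        findings.append((peer, state, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SA, "10.0.0.1"):
        print(*finding, sep="  ")
```

A router-to-router peer reported in CONF_XAUTH with a key that lacks `no-xauth` is being prompted for Xauth meant for software clients, which is the case the ISAKMP profile above separates out.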
11-12-2009 10:16 PM
Thanks for your reply.
Can you send me this whole test configuration?