09-20-2010 05:59 PM - edited 02-21-2020 04:51 PM
Hi,
This is part of my site to site config, which is working fine.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20
BUT when I add the client config below to the above, remote client access does not work:
crypto isakmp client configuration group Client-Group
 key cisco123
 dns 165.21.83.88
 pool POOL_1
 acl 101
BUT if I remove 'no-xauth' from my site-to-site isakmp key, then my client works but my site-to-site VPN does not work. Please advise: what is wrong, or how can I resolve this?
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
Thank you
09-23-2010 06:19 AM
VTI will never work since you have a dynamic IP address.
Please follow the sample configuration provided earlier for dynamic to static IPSec VPN:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
09-20-2010 06:09 PM
For site-to-site VPN, I am assuming that you have a static peer ip address.
Hence you would need to configure the following:
crypto isakmp key cisco address
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
Hope that helps.
09-20-2010 06:16 PM
I think I know what to do. Let me try out 1st
Thank you
09-20-2010 06:22 PM
You mean it's dynamic to static site-to-site VPN tunnel?
Can you please share your crypto map configuration?
09-20-2010 06:27 PM
Hi,
It's a dynamic-to-dynamic site-to-site VPN.
Anyway, I got an idea now after your advice above. I will try it out first.
Thank you so much.
09-20-2010 09:06 PM
Hi halijenn,
I tried using a hostname in my crypto key, but it seems like the hostname is not working for my site-to-site.
crypto isakmp key cisco hostname example.dyn.com no-xauth
Am I using the hostname method above correctly?
Will using a hostname solve my problem?
Thank you
09-20-2010 10:36 PM
No, you can't use hostname unfortunately.
09-20-2010 10:59 PM
Hi halijenn
Any way to overcome the problem?
09-21-2010 04:38 AM
You can use the "crypto keyring" option instead of "crypto isakmp key" to configure the pre-shared key.
Here is the sample configuration for your reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
Hope that helps.
09-21-2010 08:43 PM
Cool!
Will try it out and let you know again. Thank you.
Cheers!
09-22-2010 11:00 PM
Hi Halijenn,
After using the keyring command, the client is working but the site-to-site router is not working. When I run "show crypto isakmp sa", I can see the connection, BUT when I run "show crypto ipsec sa", there is nothing.
From the config below, can you see any problem?
SITE A configuration:
crypto keyring ToSite
 pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco123
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 20
!
crypto isakmp client configuration group Client-Group
 key Cisco
 dns 165.21.83.88
 pool POOL_1
 acl 101
crypto isakmp profile Vi
 match identity group Client-Group
 isakmp authorization list default
 client configuration address respond
 virtual-template 1
crypto isakmp profile Site-Crypto
 keyring ToSite
 match identity address 0.0.0.0
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile Crypto
 set transform-set AES256
 set isakmp-profile Site-Crypto
!
crypto ipsec profile Vi
 set transform-set AES256
 set isakmp-profile Vi
!
interface Tunnel100
 ip address 10.10.10.1 255.255.255.0
 ip virtual-reassembly
 zone-member security VPN
 ip tcp adjust-mss 1400
 tunnel source Dialer0
 tunnel destination 110.XX.XX.XXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Crypto
For your information, Site B has 2 VTI tunnels configured. The tunnel from Site B to C is working, but the tunnel from Site B to A is not working. Could Site B having 2 VTI tunnels have caused the problem?
Thank you
09-23-2010 05:32 AM
Sorry, but why are you configuring GRE over IPSec?
Dynamic site-to-site IPSec is not GRE over IPSec, and by configuring tunnel interface, that's creating GRE tunnel.
Please kindly use a dynamic map to set the isakmp profile, a crypto map to set the dynamic map, and finally assign the crypto map to the outside interface as per the sample configuration.
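The layout prescribed in this reply (a keyring and an ISAKMP profile per peer type, a dynamic map that selects the profile, and the crypto map applied to the outside interface) is also what resolves the no-xauth conflict from the opening post: whether XAUTH runs is decided per profile, so there is no longer a single wildcard "crypto isakmp key" that has to serve both the site-to-site peer and the remote-access clients. The configuration below is an added example, not from this thread or from Cisco's linked sample; the names Site-Keyring, Site-Prof, RA-Prof, DYN, OUTSIDE-MAP and the AAA list names are assumptions, the key values are placeholders, and the Client-Group settings are the ones posted above.

```cisco
! Added example, not from the thread. Placeholders in <angle brackets>.
!
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
!
! The site-to-site key lives in a keyring, so it is consulted only by the
! profile that references it. A wildcard entry is offered to any peer that
! can reach the outside interface, so use a long random key here and keep
! it different from the client group key.
crypto keyring Site-Keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key <site-to-site-psk>
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 20
!
! Remote-access clients keep their own group key here; no global
! "crypto isakmp key ... address 0.0.0.0 0.0.0.0" is needed any more.
crypto isakmp client configuration group Client-Group
 key <client-group-psk>
 dns 165.21.83.88
 pool POOL_1
 acl 101
!
! Clients are matched by group name; XAUTH is enabled only on this profile
! through the client authentication list.
crypto isakmp profile RA-Prof
 match identity group Client-Group
 client authentication list VPN-USERS
 isakmp authorization list VPN-GROUPS
 client configuration address respond
!
! The site-to-site peer is matched by address and authenticated from the
! keyring; no XAUTH is configured on this profile, so no-xauth is not needed.
crypto isakmp profile Site-Prof
 keyring Site-Keyring
 match identity address 0.0.0.0
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
! One dynamic-map entry per profile; the entry is chosen by the profile the
! peer matched in Phase 1. reverse-route injects a route to the peer's
! proxy networks once Phase 2 is up.
crypto dynamic-map DYN 10
 set transform-set AES256
 set isakmp-profile Site-Prof
 reverse-route
crypto dynamic-map DYN 20
 set transform-set AES256
 set isakmp-profile RA-Prof
 reverse-route
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp dynamic DYN
!
interface Dialer0
 crypto map OUTSIDE-MAP
```

A router configured only with a dynamic map can respond but never initiate, so in the dynamic-to-dynamic case described earlier the other site still has to be the initiator with a static crypto map whose set peer names this router; IOS accepts a host name in set peer, and the dynamic keyword makes it re-resolve the DDNS name at each negotiation (assumed here from Cisco's DNS-based crypto map feature, not from the thread). To check the result, compare the output of "show crypto isakmp sa" and "show crypto ipsec sa" as in the post above: the site-to-site peer should now appear under the Site-Prof profile in "show crypto session detail" with both Phase 1 and Phase 2 SAs present.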
09-23-2010 05:52 AM
Good day to you Halijenn,
Sorry, I only have less than 3 months of experience with Cisco, so I do not have a deep understanding of the difference between GRE and VTI over IPsec. But I was using the example below for my configuration, and it uses a tunnel, but it is called Virtual Tunnel Interface (VTI) and not GRE.
https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html
I thought they were similar, but VTI is easier to configure and does not need an ACL.
Please correct me if my understanding is wrong.
Thank you
09-23-2010 05:59 AM
From your configuration, your tunnel interface destination is a static IP address; however, you mentioned earlier that your remote peer has a dynamic IP address. So is 110.XX.XX.XXX a static IP address, or is it a dynamically assigned IP address on the remote end?
If it's static, then the easiest is your first crypto isakmp key configuration with that 110.XX.XX.XXX static IP address (with the no-xauth keyword). Nothing else needs to be changed apart from that.
Can you share your crypto map configuration?
09-23-2010 06:06 AM
Hi,
110.XX.XX.XXX is a dynamic IP address. (In command mode, I entered the hostname and am also performing DDNS updating.)
Can you advise why my site-to-site does not work with the crypto keyring command?
I will attach the config by tomorrow at the latest.
Thank you