VRF-aware IPSEC - Multiple Dynamic Peers

Unanswered Question
Feb 19th, 2012
Hi.

I am simulating a VRF-aware IPsec VPN concentrator with multiple dynamic peers on GNS.

I have two client profiles on the 7200 concentrator.

I can have both clients working.

But I noticed that when I restart all the sessions, one of the clients stops working.

I'm getting an error of:

*Feb 18 20:58:27.811: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.1.2 failed its sanity check or is malformed

which I believe means the pre-shared keys do not match. But I am very sure they are accurate and match.

I have to re-create the whole profile (keyring, dynamic profile, dynamic-map) so it will work again.

I am not sure if this is just a GNS problem or the config itself.

Below is my config for the 7200 VPN concentrator.

I hope someone can share their ideas on how to do this properly.

Objective: Multiple dynamic VRF-aware IPsec peers

thanks




Client 1 is ABC
Client 2 is XYZ

! Customer VRFs, one per client
ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf B
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
! Pre-shared keys: one keyring per client, both entries matching any peer address
crypto keyring VRF-B
 pre-shared-key address 0.0.0.0 0.0.0.0 key XYZ
crypto keyring VRF-A
 pre-shared-key address 0.0.0.0 0.0.0.0 key ABC
!
! IKE phase 1 policy shared by both clients
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! One ISAKMP profile per client, each tied to its VRF and keyring
crypto isakmp profile XYZ
 vrf B
 keyring VRF-B
 match identity address 0.0.0.0
!
crypto isakmp profile ABC
 vrf A
 keyring VRF-A
 match identity address 0.0.0.0
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
! Dynamic crypto maps, one per client, each selecting that client's ISAKMP profile
crypto dynamic-map ABC 10
 set transform-set vpn
 set isakmp-profile ABC
 match address ABC-remote
!
crypto dynamic-map XYZ 10
 set transform-set vpn
 set isakmp-profile XYZ
 match address XYZ-remote
!
crypto map VPN 11 ipsec-isakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC
!
! Interesting traffic (the same prefixes for both clients)
ip access-list extended ABC-remote
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
ip access-list extended XYZ-remote
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Per-VRF routes to the remote networks, next hop resolved in the global (Internet) table
ip route vrf A 10.0.0.0 255.0.0.0 172.16.1.2 global
ip route vrf B 10.2.0.0 255.255.0.0 172.16.1.3 global
!
! WAN interface carrying the crypto map
interface FastEthernet1/0
 description WAN-to-Internet
 ip address 172.16.1.1 255.255.255.0
 duplex full
 speed 100
 crypto map VPN
!
! LAN-side addresses, the same address reused in two separate VRFs
interface Loopback10
 ip vrf forwarding A
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback20
 ip vrf forwarding B
 ip address 10.1.1.1 255.255.255.0
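A configuration that gives each dynamic peer an unambiguous pre-shared key, added here as an example; it is not the original poster's config and has not been run in the poster's lab. In IKEv1 main mode the responder has to pick a pre-shared key from the peer's source address alone, before the peer's identity arrives, so two keyrings whose only entry matches 0.0.0.0 0.0.0.0 cannot be told apart and the router uses whichever it finds first for every peer. Keying the keyrings and ISAKMP profiles on an FQDN, and having each spoke initiate aggressive mode with a hostname identity, lets the hub choose the right key regardless of the source address. The hostnames abc.example.com and xyz.example.com, the spoke-side configuration, and the hub address 172.16.1.1 (taken from the posted WAN interface) are assumptions for illustration; ACLs, routes and interfaces stay as posted.

```cisco
! --- Hub (7200 concentrator): added example, not the config from the original post ---
! Keyrings keyed by peer FQDN instead of a 0.0.0.0 wildcard, so two peers with
! different pre-shared keys are told apart by identity, not by address.
! abc.example.com / xyz.example.com are assumed names for the two clients.
crypto keyring VRF-A
 pre-shared-key hostname abc.example.com key ABC
!
crypto keyring VRF-B
 pre-shared-key hostname xyz.example.com key XYZ
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Each profile matches one FQDN and carries its own VRF and keyring,
! so the two profiles no longer overlap on "match identity address 0.0.0.0".
crypto isakmp profile ABC
 vrf A
 keyring VRF-A
 match identity host abc.example.com
!
crypto isakmp profile XYZ
 vrf B
 keyring VRF-B
 match identity host xyz.example.com
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto dynamic-map ABC 10
 set transform-set vpn
 set isakmp-profile ABC
 match address ABC-remote
!
crypto dynamic-map XYZ 10
 set transform-set vpn
 set isakmp-profile XYZ
 match address XYZ-remote
!
crypto map VPN 11 ipsecisakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC
!
! --- Spoke ABC (assumed): identifies itself by FQDN and opens aggressive mode ---
! The spoke for XYZ is identical apart from hostname, key and addresses.
hostname abc
ip domain-name example.com
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Hub address is fixed, so the spoke can key on it and stay in its own profile.
crypto keyring HUB
 pre-shared-key address 172.16.1.1 255.255.255.255 key ABC
!
crypto isakmp profile HUB
 keyring HUB
 self-identity fqdn
 match identity address 172.16.1.1 255.255.255.255
 initiate mode aggressive
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map TO-HUB 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn
 set isakmp-profile HUB
 match address TO-HUB
!
! Mirror image of the hub's ABC-remote ACL
ip access-list extended TO-HUB
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
```

Aggressive mode sends the identity in the clear and lets an observer attempt offline guessing of the pre-shared key from the authentication hash, so the keys need to be long and random. Where the peers actually have fixed addresses (the posted routes point at 172.16.1.2 and 172.16.1.3), main mode can be kept by giving each keyring an entry such as pre-shared-key address 172.16.1.2 255.255.255.255 and each profile a matching match identity address 172.16.1.2 255.255.255.255. For a larger population of dynamic peers, certificate authentication (authentication rsa-sig with match certificate against a certificate map in each profile) removes the shared-secret lookup problem altogether. After a change, show crypto isakmp sa detail and debug crypto isakmp show which profile and keyring each peer actually landed on.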


