VRF-aware IPSEC - Multiple Dynamic Peers

Unanswered Question
Feb 19th, 2012
Hi.
I am simulating a vrf-aware IPSEC VPN Concentrator with  multiple dynamic peers on GNS.

I have two client profiles on the 7200 concentrator.

I can have both clients working.

But I noticed when doing a restart of all the session,

one of the client will stop working.

I'm getting an error of:

*Feb 18 20:58:27.811: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.1.2 failed its sanity check or is malformed

Which I believe means preshare keys do not match. But i am very sure they are accurate and match.

I have to re-create the whole profile so it will work again (keyring, dynamic profile, dynamic-map).

I am not sure if this is just a GNS problem or config itself.

Below is my config for the 7200 VPN concentrator.

I hope someone can share their ideas on how to this properly.

Objective: Multiple Dynamic vrf-aware IPSEC Peers

thanks

Client 1 is ABC

Clilent 2 is XYZ

ip vrf A
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf B
rd 2:2
route-target export 2:2
route-target import 2:2
!
!
!
crypto keyring VRF-B
  pre-shared-key  address 0.0.0.0 0.0.0.0 key XYZ
crypto keyring VRF-A
  pre-shared-key address 0.0.0.0 0.0.0.0 key ABC
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp profile XYZ
   vrf B
   keyring VRF-B
   match identity address 0.0.0.0

crypto isakmp profile ABC
   vrf A
   keyring VRF-A
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto dynamic-map ABC 10
set transform-set vpn
set isakmp-profile ABC
match address ABC-remote
!
crypto dynamic-map XYZ 10
set transform-set vpn
set isakmp-profile XYZ
match address XYZ-remote
!
!
crypto map VPN 11 ipsec-isakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC

ip access-list extended  ABC-remote
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

ip access-list extended XYZ-remote
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255


ip route vrf A 10.0.0.0 255.0.0.0 172.16.1.2 global
ip route vrf B 10.2.0.0 255.255.0.0 172.16.1.3 global


interface FastEthernet1/0
description WAN-to-Internet

ip address 172.16.1.1 255.255.255.0
duplex full
speed 100
crypto map VPN

interface Loopback10
ip vrf forwarding A
ip address 10.1.1.1 255.255.255.0
!
interface Loopback20
ip vrf forwarding B
ip address 10.1.1.1 255.255.255.0

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)

Actions

Login or Register to take actions

This Discussion

Posted February 19, 2012 at 6:11 AM
By ar
Stats:
Replies:0 Avg. Rating:
Views:494 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard