L2L and DMVPN on one device

Mar 4th, 2012

Hi.

My topology is as below:

[topology diagram: topl.jpg]


What I'm trying to configure is site-to-site VPN R5-R1 and site-to-site VPN R3-R1. The main problem is that interface f0/0 of R5 has a dynamically assigned IP address and it is changed once a day (it is just a lab topology, so for now I assigned a static IP to int f0/0 of R5). R3 has a static public IP.

The idea was to use ISAKMP profiles, so my configuration was like this (attached are just R1, R3 and R5, using a standard site-to-site VPN configuration):


R1:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
ip cef
!
crypto keyring KEY_R3
  pre-shared-key address 200.1.1.3 key 6 ciscor3
crypto keyring KEY_R5
  pre-shared-key address 0.0.0.0 0.0.0.0 key 6 ciscor5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile PROFIL_R3
   keyring KEY_R3
   match identity address 200.1.1.3 255.255.255.255
crypto isakmp profile PROFIL_R5
   keyring KEY_R5
   match identity address 0.0.0.0
!
crypto ipsec transform-set setr3 esp-3des esp-sha-hmac
crypto ipsec transform-set setr5 esp-3des esp-sha-hmac
!
crypto dynamic-map DYN_MAPA 10
 set transform-set setr3
 set isakmp-profile PROFIL_R3
crypto dynamic-map DYN_MAPA 100
 set transform-set setr5
 set isakmp-profile PROFIL_R5
!
crypto map MAPA 65535 ipsec-isakmp dynamic DYN_MAPA
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 100.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAPA
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2
!
no ip http server
no ip http secure-server
!
ip access-list extended do_r3
 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end


The configuration above works just fine! But only because I configured ISAKMP profile PROFIL_R3 first. When I changed my configuration like this:


crypto isakmp profile PROFIL_R5
   keyring KEY_R5
   match identity address 0.0.0.0

crypto isakmp profile PROFIL_R3
   keyring KEY_R3
   match identity address 200.1.1.3 255.255.255.255


Router R3 cannot establish a connection to R1. Debug said that R3 matches PROFIL_R5 (that is true, because PROFIL_R5 has "match identity address 0.0.0.0") and its key doesn't match.

While reading an article about ISAKMP profiles:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd8034bd59.html

I found this sentence:

"To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid."


And in my topology R3 matches both profiles! So I cannot find a solution to this problem. Changing the order of the profile configuration is not an answer, because when I need to add another site-to-site VPN I would have to delete PROFIL_R5, add the new profile and then add PROFIL_R5 again.

In the article above I didn't find any information on how the router checks multiple profiles (first match? best match? last match?). Can anybody give me a clue how to set up my topology correctly?

Thanks in advance.
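The post leaves the matching-order question open, but the rule quoted from the white paper (no two ISAKMP profiles may match the same peer identity) can at least be checked mechanically before a config is pushed. The script below is an added example, not code from the post or from Cisco: it parses the "crypto isakmp profile" blocks from the R1 configuration above, then reports any peer address that falls under the "match identity address" of more than one profile. The one assumption baked in is taken from the author's debug observation: a bare "match identity address 0.0.0.0" with no mask is treated as a catch-all, while any other address without a mask is treated as a host match. The second peer address (198.51.100.7) is a constructed value standing in for R5's dynamic address.

```python
import ipaddress
import re

# Constructed excerpt: the two ISAKMP profile blocks from the R1 config in the post.
R1_PROFILES = """
crypto isakmp profile PROFIL_R3
   keyring KEY_R3
   match identity address 200.1.1.3 255.255.255.255
crypto isakmp profile PROFIL_R5
   keyring KEY_R5
   match identity address 0.0.0.0
"""


def parse_isakmp_profiles(config: str) -> dict:
    """Return {profile_name: [IPv4Network, ...]} from 'crypto isakmp profile' blocks.

    Only 'match identity address' lines are collected; other match types
    (fqdn, group, ...) are ignored by this checker.
    """
    profiles = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp profile (\S+)$", line)
        if m:
            current = m.group(1)
            profiles[current] = []
            continue
        m = re.match(r"match identity address (\S+)(?: (\S+))?$", line)
        if m and current is not None:
            addr, mask = m.group(1), m.group(2)
            if mask is None:
                # Assumption from the post's debug output: a bare 0.0.0.0 matched
                # every peer, so treat it as /0; any other bare address is a host match.
                mask = "0.0.0.0" if addr == "0.0.0.0" else "255.255.255.255"
            profiles[current].append(
                ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            )
    return profiles


def profiles_matching(profiles: dict, peer: str) -> list:
    """Names of all profiles whose identity match covers the peer, in config order."""
    ip = ipaddress.IPv4Address(peer)
    return [name for name, nets in profiles.items() if any(ip in n for n in nets)]


def find_ambiguous_peers(profiles: dict, peers) -> dict:
    """Peers matched by more than one profile: the case the white paper calls invalid."""
    ambiguous = {}
    for peer in peers:
        hits = profiles_matching(profiles, peer)
        if len(hits) > 1:
            ambiguous[peer] = hits
    return ambiguous


if __name__ == "__main__":
    profs = parse_isakmp_profiles(R1_PROFILES)
    # 200.1.1.3 is R3 from the post; 198.51.100.7 is a constructed stand-in for R5.
    for peer, hits in find_ambiguous_peers(profs, ["200.1.1.3", "198.51.100.7"]).items():
        print(f"{peer} is matched by more than one profile: {hits}")
```

Run against the R1 config as posted, the checker flags 200.1.1.3 (R3) as matched by both PROFIL_R3 and PROFIL_R5, which is exactly the overlap the quoted sentence warns about; the constructed R5 address is matched by PROFIL_R5 alone. Whatever order the router actually evaluates profiles in, a lint like this catches the overlap before it depends on configuration order.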


