03-23-2004 08:56 AM - edited 03-09-2019 06:51 AM
Hi
I have a client and peer-to-peer VPN configuration, but the peer-to-peer does not get past phase 2 (client works). Peer is a Netscreen which I have no access to.
Any helpful comments would be gratefully received!
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec transform-set weak-sha esp-3des esp-sha-hmac
crypto dynamic-map RUTH 10 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp
crypto map partner-map 20 match address HR
crypto map partner-map 20 set peer ***.***.***.***
crypto map partner-map 20 set transform-set weak-sha
crypto map partner-map 30 ipsec-isakmp dynamic RUTH
crypto map partner-map client authentication RADIUS
crypto map partner-map interface outside
crypto map partner-map interface DMZ1
isakmp enable outside
isakmp enable DMZ1
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNGROUP1 address-pool VPNPOOL1
vpngroup VPNGROUP1 dns-server ***.***.***.***
vpngroup VPNGROUP1 wins-server ***.***.***.***
vpngroup VPNGROUP1 default-domain ****.co.uk
vpngroup VPNGROUP1 idle-time 1800
vpngroup VPNGROUP1 password ********
03-25-2004 05:46 PM
Make sure access list HR "mirrors" the networks configured on the Netscreen. Here's the link for the config example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml
03-26-2004 01:55 AM
Ruth,
Did this work without the VPN client configured on the router? I have the same problem between three 1710 routers: the VPN worked fine until I set up one of them for VPN-client access. After that this router could no longer connect to the others, because it was awaiting a dynamic IP request from the (non-dynamic) router on the other side.
I have not figured this out yet and a posting here led to no solution...
Christoph
03-26-2004 04:42 AM
Christoph: make sure the dynamic crypto map has the highest numerical value so it has the lowest priority. This way, things that attempt to negotiate with it will try the other crypto maps first (which should negotiate the site-to-site tunnels), and dynamic clients will fail those and then successfully negotiate the dynamic map with the lower priority.
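Two of the checks suggested in this thread (the 03-25 reply's "access list HR must mirror the Netscreen's networks" and the advice above that the dynamic entry must carry the highest sequence number) can be scripted against the config text. The following Python is an added example, not code from the thread or from Cisco: the crypto map lines are the ones posted above with a documentation address substituted for the masked peer, while the HR access list and the Netscreen's proxy IDs are constructed, since neither appears on the page. It also includes a constructed counter-example for each check so the failure mode is visible.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Crypto map lines from the posted PIX config; the peer address is masked on
# the page, so an RFC 5737 documentation address stands in for it here.
PIX_CONFIG = """\
crypto dynamic-map RUTH 10 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp
crypto map partner-map 20 match address HR
crypto map partner-map 20 set peer 192.0.2.10
crypto map partner-map 20 set transform-set weak-sha
crypto map partner-map 30 ipsec-isakmp dynamic RUTH
"""

# Constructed counter-example: the dynamic entry has a LOWER sequence number
# than the static site-to-site entry, so it is evaluated first.
BAD_CONFIG = """\
crypto dynamic-map RUTH 10 set transform-set strong-des
crypto map partner-map 5 ipsec-isakmp dynamic RUTH
crypto map partner-map 20 ipsec-isakmp
crypto map partner-map 20 match address HR
crypto map partner-map 20 set peer 192.0.2.10
"""

# Only this line shape defines a crypto map entry; 'match address', 'set peer'
# and friends modify an entry that already exists.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")


def parse_crypto_map(config: str) -> Dict[str, List[Tuple[int, bool]]]:
    """Return {map_name: [(seq, is_dynamic), ...]} sorted by sequence number."""
    maps: Dict[str, List[Tuple[int, bool]]] = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            maps.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3) is not None))
    return {name: sorted(entries) for name, entries in maps.items()}


def dynamic_entries_last(config: str) -> Dict[str, bool]:
    """True for each crypto map whose dynamic entries all sort after every static one.

    Crypto map entries are evaluated in ascending sequence order, so a dynamic
    entry with a lower number would be tried before the static peer's entry.
    """
    result: Dict[str, bool] = {}
    for name, entries in parse_crypto_map(config).items():
        static = [seq for seq, dyn in entries if not dyn]
        dynamic = [seq for seq, dyn in entries if dyn]
        result[name] = not static or not dynamic or min(dynamic) > max(static)
    return result


# Constructed HR access list (the real one is not on the page).
LOCAL_ACL = """\
access-list HR permit ip 10.1.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list HR permit ip 10.2.0.0 255.255.255.0 172.16.5.0 255.255.255.0
"""

# Constructed proxy IDs as the Netscreen would present them: (its local, its remote).
REMOTE_PROXY_IDS = [
    ("172.16.5.0/24", "10.1.0.0/16"),
    ("172.16.5.0/24", "10.2.0.0/24"),
]

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_pix_acl(acl_text: str, name: str) -> Set[Tuple[str, str]]:
    """Return the (source, destination) network pairs of a PIX crypto ACL in CIDR form."""
    pairs: Set[Tuple[str, str]] = set()
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            pairs.add((str(src), str(dst)))
    return pairs


def acl_mirrors_peer(acl_text: str, name: str, remote_pairs):
    """Check that the local crypto ACL is the exact mirror of the peer's proxy IDs.

    Returns (ok, only_on_local, only_on_remote); a non-empty difference is the
    proxy-ID mismatch that keeps phase 2 from completing.
    """
    local = parse_pix_acl(acl_text, name)
    # The peer's (local, remote) pair must appear here as (remote, local).
    expected = {
        (str(ipaddress.ip_network(r)), str(ipaddress.ip_network(l)))
        for (l, r) in remote_pairs
    }
    return local == expected, local - expected, expected - local


if __name__ == "__main__":
    print("dynamic map ordering:", dynamic_entries_last(PIX_CONFIG), dynamic_entries_last(BAD_CONFIG))
    print("HR mirrors peer:", acl_mirrors_peer(LOCAL_ACL, "HR", REMOTE_PROXY_IDS))
```

The mirror check normalises both sides to CIDR before comparing, so a /16 on one end and a /24 on the other shows up as a pair present on only one side; that is the kind of mismatch to look for in the phase 2 proxy IDs when the Netscreen configuration itself is not available for inspection.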
03-26-2004 04:51 AM
Well, thanks for the reply, that is what I did from the beginning.
If you like to you can see the whole config including debug logs here:
If I remove the "crypto map my-cr-map client configuration address respond" command from the config everything works fine (except for the VPN client, naturally).
Any suggestions?
Thanks in advance!
Christoph