Client and Peer-to-peer

admin_2
Level 3

Hi

I have a client and peer-to-peer VPN configuration, but the peer-to-peer does not get past phase 2 (client works). Peer is a Netscreen which I have no access to.

Any helpful comments would be gratefully received!

crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec transform-set weak-sha esp-3des esp-sha-hmac
crypto dynamic-map RUTH 10 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp
crypto map partner-map 20 match address HR
crypto map partner-map 20 set peer ***.***.***.***
crypto map partner-map 20 set transform-set weak-sha
crypto map partner-map 30 ipsec-isakmp dynamic RUTH
crypto map partner-map client authentication RADIUS
crypto map partner-map interface outside
crypto map partner-map interface DMZ1
isakmp enable outside
isakmp enable DMZ1
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNGROUP1 address-pool VPNPOOL1
vpngroup VPNGROUP1 dns-server ***.***.***.***
vpngroup VPNGROUP1 wins-server ***.***.***.***
vpngroup VPNGROUP1 default-domain ****.co.uk
vpngroup VPNGROUP1 idle-time 1800
vpngroup VPNGROUP1 password ********

4 Replies

llascare
Level 1

Make sure access list HR "mirrors" the networks configured on the Netscreen. Here's the link for the config example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml

csonnen
Level 1

Ruth,

Did this work without the VPN client configured on the router? I do have the same problem between 3 1710 routers; the VPN worked fine until I set up one of them for VPN-client access. After that this router could no longer connect to the others, because it was awaiting a dynamic IP request from the (non-dynamic) router on the other side.

I have not figured this out yet and a posting here led to no solution...

Christoph

Christoph: make sure the dynamic crypto map has the highest numerical value so it has the lowest priority. This way, things that attempt to negotiate with it will try the other crypto maps first (which should negotiate the site-to-site tunnels), and dynamic clients will fail and then successfully negotiate the dynamic map with the lower priority.
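The ordering rule in the reply above can be checked mechanically. This is an added example, not code from the thread or from Cisco: it parses "crypto map" lines in the style of the PIX config posted above and flags a dynamic entry that is not the highest sequence number, as well as static entries missing a peer, ACL or transform-set. The sample config and the peer address 192.0.2.10 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the config posted in the question (peer masked there).
SAMPLE_CONFIG = """\
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec transform-set weak-sha esp-3des esp-sha-hmac
crypto dynamic-map RUTH 10 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp
crypto map partner-map 20 match address HR
crypto map partner-map 20 set peer 192.0.2.10
crypto map partner-map 20 set transform-set weak-sha
crypto map partner-map 30 ipsec-isakmp dynamic RUTH
crypto map partner-map interface outside
"""

# Only numbered entries matter; 'crypto map <name> interface ...' lines are skipped.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def parse_crypto_maps(config):
    """Group 'crypto map <name> <seq> ...' lines by map name and sequence number."""
    maps = defaultdict(lambda: defaultdict(dict))
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps[name][seq]  # created on first sight of this sequence number
        if rest.startswith("ipsec-isakmp dynamic "):
            entry["dynamic"] = rest.split()[-1]
        elif rest.startswith("match address "):
            entry["acl"] = rest.split()[-1]
        elif rest.startswith("set peer "):
            entry["peer"] = rest.split()[-1]
        elif rest.startswith("set transform-set "):
            entry["transform"] = rest.split()[2:]
    return maps


def check_crypto_map(config):
    """Return findings: a dynamic entry that is not last, or a static entry missing a field."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        max_seq = max(entries)
        for seq, e in sorted(entries.items()):
            if "dynamic" in e:
                if seq != max_seq:
                    findings.append(f"{name} {seq}: dynamic map {e['dynamic']} is not the highest sequence; static peers may hit it first")
            else:
                for key in ("peer", "acl", "transform"):
                    if key not in e:
                        findings.append(f"{name} {seq}: static entry missing {key}")
    return findings
```

Run check_crypto_map on a saved "show running-config" to confirm the dynamic entry really sorts last before tunnels go into production.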

Well, thanks for the reply, that is what I did from the beginning.

If you like to you can see the whole config including debug logs here:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.ee8e779

If I remove the "crypto map my-cr-map client configuration address respond" command from the config everything works fine (except for the VPN client, naturally).

Any suggestions?

Thanks in advance!

Christoph
