
Remote access to MPLS VPN - Using IPSEC dynamic crypto


I want to use IPSEC for remote access to MPLS VPN.

Each tunnel maps to a VRF.

I am simulating a vrf-aware IPSEC VPN Concentrator with multiple dynamic peers on GNS.

I have two client profiles on the 7200 concentrator.

I can have both clients working.

But I noticed when doing a restart of all the sessions, one of the clients will stop working.

I'm getting an error of:

*Feb 18 20:58:27.811: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from failed its sanity check or is malformed

Which I believe means preshare keys do not match. But I am very sure they are accurate and match.

I have to re-create the whole profile so it will work again (keyring, dynamic profile, dynamic-map).

I am not sure if this is just a GNS problem or the config itself.

Below is my config for the 7200 VPN concentrator.

I hope someone can share their ideas on how to do this properly.

Objective: Multiple Dynamic vrf-aware IPSEC Peers


Client 1 is ABC

Client 2 is XYZ

ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
ip vrf B
 rd 2:2
 route-target export 2:2
 route-target import 2:2

crypto keyring VRF-B
 pre-shared-key address key XYZ
crypto keyring VRF-A
 pre-shared-key address key ABC

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp profile XYZ
 vrf B
 keyring VRF-B
 match identity address
crypto isakmp profile ABC
 vrf A
 keyring VRF-A
 match identity address

crypto ipsec transform-set vpn esp-3des esp-sha-hmac

crypto dynamic-map ABC 10
 set transform-set vpn
 set isakmp-profile ABC
 match address ABC-remote
crypto dynamic-map XYZ 10
 set transform-set vpn
 set isakmp-profile XYZ
 match address XYZ-remote

crypto map VPN 11 ipsec-isakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC

ip access-list extended ABC-remote
 permit ip
ip access-list extended XYZ-remote
 permit ip

ip route vrf A global
ip route vrf B global

interface FastEthernet1/0
 description WAN-to-Internet
 ip address
 duplex full
 speed 100
 crypto map VPN

interface Loopback10
 ip vrf forwarding A
 ip address
interface Loopback20
 ip vrf forwarding B
 ip address
