Cisco Support Community
Converting crypto map to unnumbered VTI

I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto map has been working for months. The VTI... not so much. Here are the applicable config entries.

### original config

```
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key xxxxxxxx address 10.1.1.10
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map CRYPTO 50 ipsec-isakmp
 set peer 10.1.1.10
 set transform-set 3DES-SHA
 set pfs group2
 match address VPN1
!
ip access-list extended VPN1
 permit ip host 172.16.16.10 host 10.5.5.1
 permit ip host 172.16.16.10 host 10.5.5.4
```

I only removed the crypto map and added the following.

### New Config

```
crypto ipsec profile V1
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set pfs group2
!
interface Tunnel0
 ip unnumbered FastEthernet0/0
 ip nat outside
 ip virtual-reassembly
 tunnel source 172.16.8.1
 tunnel destination 10.1.1.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile V1
```

I keep getting this ISAKMP error now.

ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)

Any help would be greatly appreciated. Also... I have no idea what is running on the other end (it's a partner network), but I suspect it's a crypto map on IOS.

Thank you!
