Cisco Support Community

How can I get IPSEC to work dynamically on a hub and spoke network

I have 112 Cisco 2610 routers and two Cisco 7206 routers.

All the Cisco 2610s connect to the two 7206 routers through a frame relay.

All the Cisco 2610s are also required to communicate with each other via the Cisco 7206.

I am required to encrypt all data traffic going through the frame relay.

And I cannot get the configuration below to work dynamically.

But when I remove all "crypto dynamic-map ….." and also replace this "crypto isakmp key 30364050 address 0.0.0.0" with "crypto isakmp key 30364050 address 130.3.6.2" or a specific interface address of the remote peer, it will work. See below the error that I get.

Please help me. I want the dynamic-map design to work because of the need for HUB-to-SPOKE and SPOKE-to-SPOKE communication. It will be too much work to encrypt all the routers manually.

Cisco 7206 router

crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
crypto isakmp key 30364050 address 0.0.0.0
crypto ipsec transform-set dataset ah-md5-hmac esp-des esp-md5-hmac
crypto map its2data 1 ipsec-isakmp
 match address 116
 set peer 130.3.6.2
 set transform-set dataset
crypto dynamic-map its2dyn 10
 set transform-set dataset
 match address 116
crypto map its2data 2 ipsec-isakmp dynamic its2dyn
access-list 116 permit ip 130.1.2.0 0.0.0.255 130.0.0.0 0.255.255.255
interface s3/3.52
 crypto map its2data

****************************************************

Cisco 2610 router

crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
crypto isakmp key 30364050 address 0.0.0.0
crypto ipsec transform-set dataset ah-md5-hmac esp-des esp-md5-hmac
crypto map its2data 1 ipsec-isakmp
 match address 116
 set peer 130.3.6.1
 set transform-set dataset
crypto dynamic-map its2dyn 10
 set transform-set dataset
 match address 116
crypto map its2data 2 ipsec-isakmp dynamic its2dyn
access-list 116 permit ip 130.1.2.0 0.0.0.255 130.0.0.0 0.255.255.255
interface s0/0.30
 crypto map its2data

******* error message *******

Nov 8 13:35:46.934 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 130.1.2.1, src_addr= 130.1.6.16, prot= 1
Nov 8 13:36:46.934 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 130.1.2.1, src_addr= 130.1.6.16, prot= 1
Nov 8 13:37:46.938 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 130.1.2.1, src_addr= 130.1.6.16, prot= 1
Nov 8 13:38:46.938 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 130.1.2.1, src_addr= 130.1.6.16, prot= 1
Nov 8 13:39:46.938 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 130.1.2.1, src_addr= 130.1.6.16, prot= 1
Nov 8 13:40:46.938 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 130.1.2.1, src_addr= 130.1.6.16, prot= 1
Nov 8 13:41:46.938 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

2 REPLIES

Re: How can I get IPSEC to work dynamically on a hub and spoke n

Here is a sample config that should work:

!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set hub esp-des esp-md5-hmac
!
crypto dynamic-map spoke 10
 set transform-set hub
 match address 116
!
crypto map test 10 ipsec-isakmp dynamic spoke

(don't place anything under this crypto map, place info under dynamic map)

!
interface Serial0
 crypto map test
!
access-list 116 permit ip 130.0.0.0 0.255.255.255 130.0.0.0 0.255.255.255

(make them general at first and see if it works; if it does, then make it specific and see if it works)

Also take a look at this link (if you want to use Tunnel End-point Discovery): http://www.cisco.com/warp/public/707/tedpreshare.html

Hope it helps.

Steve


Re: How can I get IPSEC to work dynamically on a hub and spoke n

Dear Steve,

I have tried your sample configuration exactly as you wrote it.

I also used different access-lists and none worked.

I also tried the Configuring IPSec Tunnel End-Point Discovery sample and it did not work.

I noticed that the IOS for the Configuring IPSec Tunnel End-Point Discovery sample is 12.07 and the IOS in my routers is 12.09. Could that be the problem? I cannot figure out any other problem, because I tried adding discover on my "crypto map test 10 ipsec-isakmp dynamic spoke" as the configuration showed but was not able.

Thanks for any more help.

Godswill
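
Added example (not part of the original thread, and not Cisco code): a Python check that parses the %CRYPTO-4-RECVD_PKT_NOT_IPSEC lines quoted in the question and tests the logged flow against an access-list 116 line using Cisco wildcard-mask semantics, both in the outbound direction and in the mirrored direction a receiver applies to arriving packets. It assumes the logging router uses the access-list 116 line shown and that the sending router holds the identical line; the function and constant names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: two log entries from the question, wrapped lines rejoined.
SAMPLE_LOG = """\
Nov 8 13:36:46.934 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 130.1.2.1, src_addr= 130.1.6.16, prot= 1
Nov 8 13:37:46.938 EST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 130.1.2.1, src_addr= 130.1.6.16, prot= 1
"""
ACL_QUESTION = "access-list 116 permit ip 130.1.2.0 0.0.0.255 130.0.0.0 0.255.255.255"
ACL_REPLY = "access-list 116 permit ip 130.0.0.0 0.255.255.255 130.0.0.0 0.255.255.255"

LOG_RE = re.compile(r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*([\d.]+),"
                    r"\s*src_addr=\s*([\d.]+),\s*prot=\s*(\d+)", re.S)
ACL_RE = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 are 'don't care' bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_selects(acl_line, src, dst):
    """Outbound direction: does the crypto ACL select src -> dst for encryption?"""
    m = ACL_RE.search(acl_line)
    if m is None:
        raise ValueError("unsupported ACL line: " + acl_line)
    s, s_wc, d, d_wc = m.groups()
    return wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)

def analyse(log_text, acl_line):
    """For each logged cleartext packet, report both directions of the ACL test."""
    findings = []
    for dst, src, prot in LOG_RE.findall(log_text):
        findings.append({
            "src": src, "dst": dst, "prot": int(prot),
            # Inbound packets are tested against the mirror image of the ACL;
            # a cleartext packet that matches is dropped and logged.
            "receiver_expects_ipsec": acl_selects(acl_line, dst, src),
            # Would a sender holding the same ACL line have encrypted it?
            "sender_would_encrypt": acl_selects(acl_line, src, dst),
        })
    return findings

if __name__ == "__main__":
    for acl in (ACL_QUESTION, ACL_REPLY):
        print(acl, analyse(SAMPLE_LOG, acl), sep="\n  ")
```

With the access-list line from the question, the logged flow matches only in the mirrored (inbound) direction; with the broader line from the reply it matches in both directions.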
