IPSEC no-xauth

Hi Guys,

I have issues with renegotiating SA after loss of communication between IPSEC peers.

I am using preshared keys, but the "no-xauth" option is not present on both peers.

Is it possible that the missing "no-xauth" option could be the cause of the problem with the SAs?

IOS is 12.4(9)T7. I think this could be the problem, because of bug CSCsj52483 (although it says that it is fixed in 12.4(18.3)T):

************************

IPSEC: ISAKMP SA negotiation not successful with cryptomap configured

Symptom:

ISAKMP SA negotiation not successful with cryptomap configured

Conditions:

1. config crypto maps doing Xauth.

2. peer1's pre-shared key should be defined with no-xauth keyword and peer2 having a pre-shared key without the special tag.

3. peer1 initiates IKE and SAs should come up. Also parse thru the IKE debugs and make sure XAUTH exchanges did not happen.

At 3rd step IKE and SAs are not coming up when initiating the session from peer1.

Workaround:

None

************************

Thanks in advance,

Mladen

p.s.: I couldn't find which IOS is "12.4(18.3)T"

ovt Bronze

Re: IPSEC no-xauth

If you have configured EasyVPN Server on the same device that has Site-to-Site tunnels, then you need no-xauth. Otherwise it really doesn't matter.

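The condition in the reply above (Xauth enabled on a device that also terminates site-to-site tunnels, with pre-shared keys lacking `no-xauth`) can be checked offline against a saved running-config. This is an added example, not part of the original thread or Cisco's tooling; the sample config, map name, addresses and keys are constructed, and it assumes Xauth is enabled through `crypto map ... client authentication list`.

```python
import re

# Constructed sample running-config (not from the thread): one router serving
# EasyVPN clients (Xauth on the crypto map) and site-to-site peers.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VPN-XAUTH local
crypto isakmp key EXAMPLE-PSK-1 address 192.0.2.10 no-xauth
crypto isakmp key EXAMPLE-PSK-2 address 198.51.100.20
crypto isakmp key EXAMPLE-PSK-3 address 203.0.113.0 255.255.255.0
crypto map VPNMAP client authentication list VPN-XAUTH
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.10
crypto map VPNMAP 20 ipsec-isakmp
 set peer 198.51.100.20
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
"""

# crypto isakmp key [0|6] <key> address <peer> [mask] [no-xauth]
KEY_RE = re.compile(r"^crypto isakmp key (?:[06] )?\S+ address (\S+)"
                    r"(?: (\d+\.\d+\.\d+\.\d+))?( no-xauth)?\s*$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+\s*$")

def xauth_maps(config):
    """Names of crypto maps that enforce Xauth for their peers."""
    return sorted({m.group(1) for line in config.splitlines()
                   if (m := XAUTH_RE.match(line))})

def keys_without_no_xauth(config):
    """(address, mask) of every pre-shared key lacking the no-xauth keyword."""
    peers = []
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if m and not m.group(3):
            peers.append((m.group(1), m.group(2)))
    return peers

def audit(config):
    """Flag keys only when Xauth is actually enabled on some crypto map."""
    maps = xauth_maps(config)
    flagged = keys_without_no_xauth(config) if maps else []
    return {"xauth_maps": maps, "flagged_peers": flagged}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A flagged entry is a candidate for review, not proof of a fault: a key that serves only Xauth clients is expected to lack `no-xauth`.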