New Member

VPN Client and Peers with Dynamic ip simultaneously

Lan( static ip)-to-Lan(static ip) is fine

Lan( static ip)-to-Lan(static ip)+VPN Client is fine

Lan( static ip)-to-Lan(dynamic ip ) is fine

Lan( static ip)-to-VPN Client is fine

Lan( static ip)-to-Lan(dynamic ip )+VPN Client is not working

I think the problem is due to these commands

crypto isakmp key keyname address 0.0.0.0 0.0.0.0

or

crypto isakmp key keyname address 0.0.0.0 0.0.0.0 no-xauth

How can I distinguish a router with a dynamic IP that does not require authentication from a VPN Client that requires authentication?

P.S. I'm using local authentication.

Accepted Solutions
Cisco Employee

Re: VPN Client and Peers with Dynamic ip simultaneously

You're correct in your diagnosis of the problem. We see this every now and then, and there's not a whole lot that can be done, unfortunately.

About the only way is to figure out if the remote peer gets a dynamic address out of a particular range or subnet all the time, then add an "isakmp key .... no-xauth" line with that subnet defined. For example, if the remote peer always gets an address in 4.104.225.0/24, then do:

> cry isa key address 4.104.225.0 255.255.255.0 no-xauth

Not great, but that's the only way around it.
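
A small audit helper for the workaround above, added here as an example and not part of the original thread: it parses `crypto isakmp key` lines, reports `no-xauth` entries that cover every address, and tells whether a given peer address falls inside any `no-xauth` range. The sample configs reuse the thread's lines with `keyname` as the key; the function names and the 198.51.100.7 client address are assumptions.

```python
import ipaddress
import re

# Constructed configs built from the thread's own lines ("keyname" as on the page).
WILDCARD = """\
crypto isakmp key keyname address 0.0.0.0 0.0.0.0 no-xauth
"""
SCOPED = """\
crypto isakmp key keyname address 0.0.0.0 0.0.0.0
crypto isakmp key keyname address 4.104.225.0 255.255.255.0 no-xauth
"""

KEY_RE = re.compile(
    r"^\s*crypto isakmp key (?P<key>\S+) address (?P<addr>[\d.]+)"
    r"(?:\s+(?P<mask>[\d.]+))?(?P<noxauth>\s+no-xauth)?\s*$"
)


def parse_keys(config):
    """Return one record per 'crypto isakmp key ... address ...' line."""
    entries = []
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        mask = m.group("mask") or "255.255.255.255"  # no mask: single host
        net = ipaddress.ip_network(f"{m.group('addr')}/{mask}", strict=False)
        entries.append({"line": line.strip(), "net": net,
                        "no_xauth": m.group("noxauth") is not None})
    return entries


def wildcard_no_xauth(config):
    """Lines that switch Xauth off for every possible peer address."""
    return [e["line"] for e in parse_keys(config)
            if e["no_xauth"] and e["net"].prefixlen == 0]


def in_no_xauth_scope(config, peer_ip):
    """True if peer_ip lies inside the range of any no-xauth key entry.

    Address scope only; this does not model how IOS chooses among
    overlapping key entries.
    """
    ip = ipaddress.ip_address(peer_ip)
    return any(e["no_xauth"] and ip in e["net"] for e in parse_keys(config))


if __name__ == "__main__":
    for name, cfg in (("wildcard", WILDCARD), ("scoped", SCOPED)):
        print(name, wildcard_no_xauth(cfg), in_no_xauth_scope(cfg, "198.51.100.7"))
```
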
