Cisco Support Community

New Member

VPN Config for L2L / Set Peer / Cisco VPN Client

Hello,

I have been tasked with updating an existing router that:

- connects automatically to a set peer with encryption 3des/sha

- accepts connections from other 3rd-party routers (i.e. Linksys, D-Link, Draco) with encryption des/md5 and 3des/sha

This router must now be able to accept connections from Cisco VPN Client 4.7. I found http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008032cd24.shtml

which references a similar example. I have not been able to get it to work correctly. Right now the VPN client connects, but the other tunnels do not work correctly.

The router is running 12.3.10 with the VPN accelerator card. The ACLs were copied over from the existing config.

Thanks,

Juan Navarro

juan@keil.com

3 REPLIES
Cisco Employee

Re: VPN Config for L2L / Set Peer / Cisco VPN Client

Difficult to figure out without some debugs from when the spokes try to connect. Do the spoke tunnel(s) even get built but no traffic passes, or do they not get built at all?

First off, I would create a new "crypto keyring" and separate the two pre-shared keys for your dynamic and static peers; I'm not sure that having two pre-shared keys for different addresses within the same keyring would work correctly. The router may pick up the 0.0.0.0 keyring for the static peer, which would then have the wrong pre-shared key and fail. Don't assume that because the static peer is listed first under the keyring it'll be hit first; it doesn't always work that way.

Other than that we'd need to see some debugs and the output of the following commands to see what's going on:

debug crypto isakmp

debug crypto ipsec

show crypto isakmp sa

show crypto ipsec sa

Thanks.

New Member

Re: VPN Config for L2L / Set Peer / Cisco VPN Client

OK, that seemed to help. I broke the "crypto keyring" into two pre-shared keys.

1-- Peer Connection 1/2 up!

The tunnel to the static peer is created but only allows one-way traffic from the 192.168.50.x subnet --> 192.168.0.x subnet.

debug shows: Oct 5 19:37:03.177: ISAKMP (0:2): Peer's supposed to belong to AccessToPlanoPeer profile,

Oct 5 19:37:03.177: but her identity revealed she doesn't.

Oct 5 19:37:03.177: Locking her out of the exchange.

2-- Remote LAN connection from 3rd-party router fails

The L2L tunnels are not able to connect.

debug shows: Oct 5 21:34:57.988: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 71.96.149.23 failed its sanity check or is malformed

3-- VPN client still works.

Thanks,

Juan
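A reference layout for the three peer classes discussed in this thread (the static peer with its own keyring, a wildcard keyring for the 3rd-party routers, and the Cisco VPN Client group), as an added example that is not from the original posts or from Cisco. Every name, address and key below is an assumption: the static peer is 203.0.113.10 (a documentation address), the local LAN is taken to be 192.168.0.0/24 and the static peer's LAN 192.168.50.0/24, the outside interface is FastEthernet0/0, and all keys are placeholders. The point of the layout is the one made in the reply above: each keyring is bound to its own ISAKMP profile, so the static peer is never looked up against the 0.0.0.0 entry, and each profile's "match identity" must agree with the identity the peer actually sends (its IP address, by default, with pre-shared keys); a mismatch there is what produces the "Peer's supposed to belong to ... profile, but her identity revealed she doesn't" rejection quoted above.

```ios
! Added example, not from the thread. IOS 12.3-era syntax.
! Names, addresses, interface and keys are assumed placeholders.
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
! Placeholder XAUTH user for the VPN clients.
username vpnuser password 0 CHANGE-ME
! Assumed address pool handed to VPN clients.
ip local pool VPNPOOL 10.10.10.1 10.10.10.50
!
! One keyring per peer class, so the static peer cannot be matched
! by the wildcard entry and end up with the wrong pre-shared key.
crypto keyring KR-STATIC
 pre-shared-key address 203.0.113.10 key STATIC-PSK-PLACEHOLDER
crypto keyring KR-THIRDPARTY
 pre-shared-key address 0.0.0.0 0.0.0.0 key THIRDPARTY-PSK-PLACEHOLDER
!
! Phase 1: 3DES/SHA preferred; DES/MD5 kept at the lowest priority only
! for the legacy third-party routers the thread mentions (both are weak).
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 30
 encr des
 hash md5
 authentication pre-share
 group 2
!
! Group the Cisco VPN Client authenticates to (group name + group key).
crypto isakmp client configuration group VPNCLIENTS
 key GROUP-PSK-PLACEHOLDER
 pool VPNPOOL
 acl SPLIT-TUNNEL
!
! Profiles: the specific static-peer profile is listed before the wildcard.
! "match identity" must equal what the peer sends (address for PSK peers).
crypto isakmp profile PROF-STATIC
 keyring KR-STATIC
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile PROF-THIRDPARTY
 keyring KR-THIRDPARTY
 match identity address 0.0.0.0
crypto isakmp profile PROF-VPNCLIENT
 match identity group VPNCLIENTS
 client authentication list VPN-XAUTH
 isakmp authorization list VPN-GROUP
 client configuration address respond
!
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS-DES-MD5 esp-des esp-md5-hmac
!
! Dynamic entries: VPN clients first, then any-source L2L peers.
crypto dynamic-map DYNMAP 10
 set transform-set TS-3DES-SHA
 set isakmp-profile PROF-VPNCLIENT
crypto dynamic-map DYNMAP 20
 set transform-set TS-3DES-SHA TS-DES-MD5
 set isakmp-profile PROF-THIRDPARTY
!
! Static entry first; the dynamic map is evaluated last, so it only
! catches peers that no static entry claimed.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-3DES-SHA
 set isakmp-profile PROF-STATIC
 match address ACL-STATIC-PEER
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
!
! Interesting traffic for the static tunnel. The far end must use the
! mirror image of this ACL, otherwise traffic passes in one direction only.
ip access-list extended ACL-STATIC-PEER
 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.0.0 0.0.0.255 any
!
interface FastEthernet0/0
 crypto map VPNMAP
```

When a static tunnel comes up but passes traffic in one direction only, the first two things to compare are the crypto ACLs on both ends (they have to be exact mirror images) and any NAT configuration: LAN-to-LAN traffic must be excluded from NAT before encryption, so an old NAT ACL or route-map that was copied over needs a deny for the remote subnet at the top. "show crypto isakmp sa", "show crypto ipsec sa" and "debug crypto isakmp", as listed in the reply above, will show which profile and keyring a given peer actually landed on.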

New Member

Re: VPN Config for L2L / Set Peer / Cisco VPN Client

Here is the current config
