Site-to-site VPN tunnel fails to come up on the router
There can be many reasons why a VPN tunnel fails to come up on a router. However, one of the most common is that the router is also configured for a VPN Client connection.
Without the ability to disable extended authentication (Xauth), a user cannot select which peer on the same crypto map should use Xauth. That is, if a user has router-to-router IPsec on the same crypto map as a VPN Client-to-Cisco-IOS IPsec, both peers are prompted for a username and password. In addition, a remote static peer (a Cisco IOS router) cannot establish an Internet Key Exchange (IKE) security association (SA) with the local Cisco IOS router. (Xauth is not an optional exchange, so if a peer does not respond to an Xauth request, the IKE SA is deleted.) Thus, the same interface cannot be used to terminate IPsec-to-VPN Clients (that need Xauth) as well as other Cisco IOS routers (that cannot respond to Xauth) unless this feature is implemented.
To resolve this issue, use the no-xauth keyword with the crypto isakmp key command if router-to-router IPsec is on the same crypto map as VPN Client-to-Cisco-IOS IPsec. This keyword prevents the router from prompting the peer for Xauth information (username and password).
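As an added example (not Cisco's code and not from the original page), the script below audits a saved running-config for the condition described above: a static peer on a crypto map that has Xauth enabled whose crypto isakmp key line lacks no-xauth. The embedded configuration is constructed; its addresses, key placeholders, and map and list names are assumptions, and only globally configured pre-shared keys are checked.

```python
import re

# Constructed sample running-config: documentation addresses, placeholder keys,
# hypothetical map/list names. Only global pre-shared keys are modelled.
SAMPLE_CONFIG = """\
crypto isakmp key PLACEHOLDER_KEY_A address 192.0.2.10 no-xauth
crypto isakmp key PLACEHOLDER_KEY_B address 198.51.100.20
crypto isakmp key PLACEHOLDER_KEY_C address 203.0.113.30
crypto map clientmap client authentication list userauthen
crypto map clientmap 1 ipsec-isakmp
 set peer 192.0.2.10
 match address 100
crypto map clientmap 2 ipsec-isakmp
 set peer 198.51.100.20
 match address 101
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map lanmap 1 ipsec-isakmp
 set peer 203.0.113.30
"""

def peers_missing_no_xauth(config: str) -> list[tuple[str, str]]:
    """Return (crypto map, peer) pairs the router would prompt for Xauth."""
    xauth_maps = set()   # maps with 'client authentication list' (Xauth on)
    exempt = set()       # peer addresses whose key line carries no-xauth
    map_peers = []       # (map name, static peer) from 'set peer' lines
    current_map = None   # map entry whose indented sub-commands we are in
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" "):
            m = re.match(r"set peer (\S+)", line)
            if m and current_map:
                map_peers.append((current_map, m.group(1)))
            continue
        current_map = None
        if m := re.match(r"crypto map (\S+) client authentication list \S+", line):
            xauth_maps.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp\b", line):
            current_map = m.group(1)
        elif m := re.match(r"crypto isakmp key .+? address (\S+)(.*)", line):
            if "no-xauth" in m.group(2).split():
                exempt.add(m.group(1))
    return [(n, p) for n, p in map_peers if n in xauth_maps and p not in exempt]

if __name__ == "__main__":
    for name, peer in peers_missing_no_xauth(SAMPLE_CONFIG):
        print(f"{peer} on crypto map {name}: add no-xauth to its crypto isakmp key")
```

In the sample, 203.0.113.30 is not reported because its crypto map has no client authentication list, so that peer is never prompted for Xauth.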