This is the first time I have worked with a Cisco router.
Below is my configuration, where:
Cisco Srv is a Cisco 7200 Series Router
XYZ is one VPN server running on Linux
RAC is the Remote Access VPN Client
| RAC |-----> | XYZ | ===== | Cisco Srv |
I managed to get the RAC configuration from the Cisco Product Summary guide.
For the dynamic site-to-site I went through the document to figure out
I have combined these configurations into one and applied it on the Cisco Srv.
I can individually create a tunnel between Cisco Srv and RAC, and also between Cisco Srv and XYZ, with the configuration mentioned below.
But when the tunnel between Cisco Srv and XYZ is established, I can't create a tunnel with RAC from Cisco Srv.
The RAC to Cisco Srv tunnel is broken when the XYZ to Cisco Srv tunnel is established.
But I could see the ISAKMP packets are received by the Cisco Srv, but it is not acknowledging them.
Please let me know where i went wrong.
Thanks in advance.
The configuration for the Cisco Srv:
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
aaa authorization network hw-client-groupname local
aaa session-id common
enable password cisco
memory-size iomem 16
clock timezone - 0 6
no ip source-route
ip domain-name cisco.com
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 1
crypto isakmp client configuration address-pool local dynpool
crypto isakmp client configuration group hw-client-groupname
dns 18.104.22.168 22.214.171.124
wins 126.96.36.199 188.8.131.52
crypto isakmp profile VPNclient
description VPN clients profile
match identity group hw-client-groupname
isakmp authorization list hw-client-groupname
client configuration address respond
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto dynamic-map vpnclient 1
set transform-set transform-1
set isakmp-profile VPNclient
crypto isakmp policy 10
encr aes 256
crypto isakmp key somestrongkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac
ip access-list extended vpn
deny ip 192.168.1.22 255.255.255.255 184.108.40.206 255.255.255.0
permit ip 192.168.1.22 255.255.255.225 any
crypto dynamic-map vpndynamic 10
set transform-set ts
match address vpn
crypto map dynmap 1 ipsec-isakmp dynamic vpnclient
crypto map dynmap 10 ipsec-isakmp dynamic vpndynamic
ip addr 192.168.1.22 255.255.255.0
crypto map dynmap
no cdp enable
description connected to HQ LAN
ip address 220.127.116.11 255.255.255.0
no cdp enable
ip local pool dynpool 18.104.22.168 22.214.171.124
ip route 126.96.36.199 255.255.255.0 192.168.1.2
no ip http server
ip pim bidir-enable
no cdp run
line con 0
line aux 0
line vty 0 4
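An added audit helper (written here, not from the question or from Cisco) that walks the crypto part of the posted configuration, lists the dynmap bindings in the order IOS evaluates them (lowest sequence number first) together with the ISAKMP profile and match ACL each one carries, and flags settings a reviewer would raise: the wildcard pre-shared key, the clear-text enable password and disabled password encryption. The embedded config is a constructed excerpt of the lines above; CONFIG, FIELDS, parse_crypto and crypto_map_order are names chosen for this example.

```python
# Constructed excerpt of the posted router config (not a Cisco artefact); sub-command indentation is not relied on.
CONFIG = """\
no service password-encryption
enable password cisco
crypto dynamic-map vpnclient 1
set transform-set transform-1
set isakmp-profile VPNclient
crypto isakmp key somestrongkey address 0.0.0.0 0.0.0.0
crypto dynamic-map vpndynamic 10
set transform-set ts
match address vpn
crypto map dynmap 1 ipsec-isakmp dynamic vpnclient
crypto map dynmap 10 ipsec-isakmp dynamic vpndynamic
"""

FIELDS = {"transform-set": "transform", "isakmp-profile": "profile", "address": "acl"}

def parse_crypto(text):
    """Return (dynamic maps, crypto-map bindings, weak-setting findings)."""
    dyn, cmap, findings, block = {}, {}, [], None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["crypto", "dynamic-map"]:              # opens a dynamic-map block
            block = dyn.setdefault(w[2], {"transform": None, "profile": None, "acl": None})
            continue
        if block is not None and w[0] in ("set", "match"):  # sub-command of the open block
            if w[1] in FIELDS:
                block[FIELDS[w[1]]] = w[2]
            continue
        block = None                                        # any other top-level line closes it
        if w[:2] == ["crypto", "map"] and "dynamic" in w:   # binds a dynamic map at a sequence
            cmap.setdefault(w[2], []).append((int(w[3]), w[w.index("dynamic") + 1]))
        elif w[:3] == ["crypto", "isakmp", "key"] and w[-2:] == ["0.0.0.0", "0.0.0.0"]:
            findings.append("wildcard pre-shared key: any peer that knows it may negotiate IKE")
        elif w[:3] == ["no", "service", "password-encryption"]:
            findings.append("password encryption disabled: passwords kept in clear text")
        elif w[:2] == ["enable", "password"]:
            findings.append("enable password used instead of enable secret")
    return dyn, cmap, findings

def crypto_map_order(dyn, cmap, name):
    """Bindings in the order IOS evaluates them (ascending sequence number)."""
    return [(seq, d, dyn.get(d, {}).get("profile"), dyn.get(d, {}).get("acl"))
            for seq, d in sorted(cmap[name])]

if __name__ == "__main__":
    dyn, cmap, findings = parse_crypto(CONFIG)
    print(*crypto_map_order(dyn, cmap, "dynmap"), *findings, sep="\n")
```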