
New Member

Dynamic 501 to 515 Configuration issues

I'm having configuration issues with a VPN connection that I'm trying to set up, and I hope someone can help me out. I'm trying to establish a dynamic VPN connection from a remote 501 to a local 515. The 515 already has one tunnel set up but doesn't seem to want to set up the tunnel to the 501. I'm really new to VPN configuration, so any assistance that anyone can offer would be greatly appreciated!

Thanks,

Steve

Here is the crypto configuration off of the 501:

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

And from the 515:

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 102
crypto map mymap 5 set peer x.x.x.x
crypto map mymap 5 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
crypto map colorado 10 ipsec-isakmp
crypto map colorado 10 set peer x.x.x.x
crypto map colorado 10 set peer y.y.y.y
crypto map colorado 10 set transform-set myset
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

10 REPLIES

Re: Dynamic 501 to 515 Configuration issues

Why are you attempting to create a dynamic VPN? It sounds like you need a simple L2L VPN. Am I missing something?

New Member

Re: Dynamic 501 to 515 Configuration issues

By Dynamic, I meant that we don't know the IP address of the remote site. Sorry for the confusion.

Steve

Re: Dynamic 501 to 515 Configuration issues

Steve,

Have you referenced the following configuration example? I think this is what you're attempting to do:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

-Eddie

New Member

Re: Dynamic 501 to 515 Configuration issues

Yes, thanks, that's the guide I've been trying to go off of.

Re: Dynamic 501 to 515 Configuration issues

I don't see 'sysopt connection permit-ipsec' and 'isakmp identity address' in the 501 config. Are they present? Also, what do your crypto ACLs look like?

New Member

Re: Dynamic 501 to 515 Configuration issues

They are there; I didn't include them in the output for some reason. I can see the negotiation process start, but I get an IKMP_NO_ERR_NO_TRANS message as soon as the key negotiation starts. I'm not familiar with this message, so I'm not sure why the key negotiation is failing.

Re: Dynamic 501 to 515 Configuration issues

Steve,

Can you set your isakmp debug to a higher level and see if there are any other messages being generated? I don't think this message by itself is an indication of a specific problem. Please reference the following VPN debugging notes:

http://www.boerderie.com/VPNdebugging.html

-Eddie

New Member

Re: Dynamic 501 to 515 Configuration issues

Great site! Thanks a bunch. How do I set my ISAKMP debugging to a higher level? The only command I see is debug crypto isakmp.

Thanks,

Steve

Re: Dynamic 501 to 515 Configuration issues

debug crypto isakmp

I usually set it at 9 if I'm not seeing messages of any relevance.

Don't forget to do 'undebug all' when you're finished.

-Eddie

New Member

Re: Dynamic 501 to 515 Configuration issues

My groups were not lining up for ISAKMP: I had group 1 configured on the remote router and group 2 configured on the primary PIX.

Steve
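The mismatch Steve found can be checked mechanically before turning on debugs. The script below is an added example, not code from the thread or from Cisco: it parses the isakmp policy lines posted above and tests whether any policy pair agrees on the four attributes an IKEv1 phase-1 proposal must match (authentication, encryption, hash, DH group). Lifetime is deliberately not compared, since Cisco negotiates it down to the shorter value rather than requiring equality; the config strings are copied from the thread, and the "fixed" variant is constructed.

```python
import re

# isakmp policy lines copied from the two configs posted in the thread.
PIX501 = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""
PIX515 = """
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Attributes that must agree for the responder to accept a phase-1 proposal.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$")

def parse_policies(config):
    """Return {priority: {attribute: value}} from 'isakmp policy' lines."""
    policies = {}
    for line in config.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
    return policies

def compare_policies(initiator, responder):
    """Try every (initiator, responder) policy pair in priority order.
    Returns ((init_prio, resp_prio), mismatches) on the first match, or
    (None, mismatches) where mismatches lists the differing attributes
    for each pair that was tried, which is the reason for a phase-1 failure."""
    mismatches = []
    for ip, ipol in sorted(parse_policies(initiator).items()):
        for rp, rpol in sorted(parse_policies(responder).items()):
            diff = [k for k in MATCH_KEYS if ipol.get(k) != rpol.get(k)]
            if not diff:
                return (ip, rp), mismatches
            mismatches.append((ip, rp, diff))
    return None, mismatches

# Constructed variant: the 501 moved to group 2, as Steve did to resolve it.
PIX501_FIXED = PIX501.replace("group 1", "group 2")
```

Running compare_policies(PIX501, PIX515) reports no match and shows group differing in every pair, while the group-2 variant matches policy 10 on both boxes.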
