Dynamic 501 to 515 Configuration issues

slongewa (Level 1)

I'm having configuration issues with a VPN connection that I'm trying to set up and I hope someone can help me out. I'm trying to establish a dynamic VPN connection from a remote 501 to a local 515. The 515 already has one tunnel set up but doesn't seem to want to set up the tunnel to the 501. I'm really new to VPN configuration so any assistance that anyone can offer would be greatly appreciated!

Thanks,

Steve

Here is the crypto configuration off of the 501:

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

And from the 515:

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 102
crypto map mymap 5 set peer x.x.x.x
crypto map mymap 5 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
crypto map colorado 10 ipsec-isakmp
crypto map colorado 10 set peer x.x.x.x
crypto map colorado 10 set peer y.y.y.y
crypto map colorado 10 set transform-set myset
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


eddie.mitchell (Level 3)

Why are you attempting to create a dynamic VPN? It sounds like you need a simple L2L VPN. Am I missing something?

By Dynamic, I meant that we don't know the IP address of the remote site. Sorry for the confusion.

Steve

Steve,

Have you referenced the following configuration example? I think this is what you're attempting to do:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

-Eddie

Yes, thanks, that's the guide I've been trying to go off of.

I don't see 'sysopt connection permit-ipsec' and 'isakmp identity address' in the 501 config. Are they present? Also, what do your crypto ACLs look like?

They are there; I didn't include them in the output for some reason. I can see the negotiation process start, but I get an IKMP_NO_ERR_NO_TRANS message as soon as the key negotiation starts. I'm not familiar with this message, so I'm not sure why the key negotiation is failing.

Steve,

Can you set your isakmp debug to a higher level and see if there are any other messages being generated? I don't think this message by itself is an indication of a specific problem. Please reference the following VPN debugging notes:

http://www.boerderie.com/VPNdebugging.html

-Eddie

Great site! Thanks a bunch. How do I set my ISAKMP debugging to a higher level? The only command I see is debug crypto isakmp.

Thanks,

Steve

debug crypto isakmp

I usually set it at 9 if I'm not seeing messages of any relevance.

Don't forget to do 'undebug all' when you're finished.

-Eddie

My groups were not lining up for ISAKMP - I had group 1 configured on the remote router, and group 2 configured on the primary PIX.

Steve
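The root cause Steve reports above (DH group 1 on the 501, group 2 on both policies of the 515) is exactly the kind of mismatch that is easy to miss when eyeballing two configs. The following script is an added example, not code from the thread or from Cisco: it parses the `isakmp policy` and `crypto ipsec transform-set` lines of two PIX 6.x-style configs and reports whether the initiator offers any phase 1 policy the responder can accept, and which attributes break each candidate pair. The sample configs are trimmed copies of the ones posted above (the `PIX_501_FIXED` variant with group 2 is constructed to show the resolved state), the PIX default policy values filled in are an assumption about the 6.x defaults, and the matching logic approximates IKE proposal selection (authentication, encryption, hash and DH group must agree; lifetime is negotiated down to the shorter value, so it is not treated as a match criterion).

```python
"""Check two PIX-style configs for a compatible ISAKMP policy and IPsec transform-set.

Added example for the thread above; not Cisco code. Sample configs are
constructed from the posted ones.
"""
import re

# Constructed sample: trimmed from the 501 config posted in the thread (DH group 1).
PIX_501 = """
crypto ipsec transform-set myset esp-3des esp-sha-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""

# Constructed sample: trimmed from the 515 config posted in the thread (DH group 2 only).
PIX_515 = """
crypto ipsec transform-set myset esp-3des esp-sha-hmac
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Constructed: the 501 config after the fix Steve describes (group 1 -> group 2).
PIX_501_FIXED = PIX_501.replace("isakmp policy 10 group 1", "isakmp policy 10 group 2")

POLICY_RE = re.compile(
    r"^\s*isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)"
)
TRANSFORM_SET_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+) (.+?)\s*$")

# Assumed PIX 6.x defaults for attributes a policy does not set explicitly.
POLICY_DEFAULTS = {
    "authentication": "rsa-sig",
    "encryption": "des",
    "hash": "sha",
    "group": "1",
    "lifetime": "86400",
}

# Attributes that must agree for IKE phase 1 to pick a policy.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}}, with defaults filled in."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
    return {p: {**POLICY_DEFAULTS, **attrs} for p, attrs in policies.items()}


def parse_transform_sets(config):
    """Return {set_name: frozenset(transforms)} for each transform-set line."""
    sets = {}
    for line in config.splitlines():
        m = TRANSFORM_SET_RE.match(line)
        if m:
            sets[m.group(1)] = frozenset(m.group(2).split())
    return sets


def find_phase1_match(initiator_cfg, responder_cfg):
    """Approximate IKE phase 1 selection: walk the initiator's policies in priority
    order and return the first (init_prio, resp_prio) pair whose MATCH_ATTRS agree,
    or None when no policy can be agreed on."""
    init = parse_isakmp_policies(initiator_cfg)
    resp = parse_isakmp_policies(responder_cfg)
    for ip in sorted(init):
        for rp in sorted(resp):
            if all(init[ip][a] == resp[rp][a] for a in MATCH_ATTRS):
                return (ip, rp)
    return None


def explain_mismatch(initiator_cfg, responder_cfg):
    """For every initiator/responder policy pair, list the attributes that differ."""
    init = parse_isakmp_policies(initiator_cfg)
    resp = parse_isakmp_policies(responder_cfg)
    return [
        (ip, rp, [a for a in MATCH_ATTRS if init[ip][a] != resp[rp][a]])
        for ip in sorted(init)
        for rp in sorted(resp)
    ]


def find_phase2_match(cfg_a, cfg_b):
    """Return (name_a, name_b) of the first transform-sets with identical transforms."""
    sets_a = parse_transform_sets(cfg_a)
    sets_b = parse_transform_sets(cfg_b)
    for name_a, ta in sets_a.items():
        for name_b, tb in sets_b.items():
            if ta == tb:
                return (name_a, name_b)
    return None


if __name__ == "__main__":
    print("phase 1 (as posted):", find_phase1_match(PIX_501, PIX_515))
    for ip, rp, bad in explain_mismatch(PIX_501, PIX_515):
        print(f"  501 policy {ip} vs 515 policy {rp}: differs on {bad or 'nothing'}")
    print("phase 1 (after fix):", find_phase1_match(PIX_501_FIXED, PIX_515))
    print("phase 2 transform-set:", find_phase2_match(PIX_501, PIX_515))
```

Run against the configs as posted, the script finds no phase 1 match and shows that 501 policy 10 differs from 515 policy 5 on encryption and group, and from 515 policy 10 on group alone; with the 501 moved to group 2 it reports the 10/10 pair, while the transform-sets already agreed, which is why only phase 1 needed fixing.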
