Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

dynamic l2l peers with non dynamic peers

Hello all,

Can't see to fight my way out of this configuration.  We have a router that is configured with IPSec Dynamic L2L peers and Remote access (pretty much using this configuration: LINK ).  I'm not use to the keyring / Profile configuration.  But trying to add a tunnel without a profile, maybe "non-dynamic" peer?

Here is the configuration:

crypto keyring spokes 
  pre-shared-key address 0.0.0.0 0.0.0.0 key PSK1
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key L2L-PSK2 address 76.113.24.103
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 10
!
crypto isakmp client configuration group VPN-Users
 key PSK1
 pool ippool
 acl 171
!
crypto isakmp profile VPNclient
   match identity group VPN-Users
   client authentication list default
   isakmp authorization list groupauthor
   client configuration address respond
crypto isakmp profile L2L
   keyring spokes
   match identity address 0.0.0.0 

   
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set transform-1 esp-3des esp-md5-hmac 
crypto ipsec transform-set testset esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
!
crypto dynamic-map DynIPSecMap01 2
 set transform-set ESP-3DES-MD5 
 set isakmp-profile VPNclient
crypto dynamic-map DynIPSecMap01 5
 description tunnel_to_EEUU
 set transform-set testset 
 match address 110
!
!
crypto map IPSecMap01 10 ipsec-isakmp 
 description REMO_ST_VPN
 set peer 76.113.24.103
 set transform-set ESP-AES-SHA 
 match address REMO_ST_VPN
crypto map IPSecMap01 10000 ipsec-isakmp dynamic DynIPSecMap01 


interface Serial0/0/0:0
 ip address 178.31.76.1 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 crypto map IPSecMap01
 
ip access-list extended REMO_ST_VPN
 permit ip 172.18.38.0 0.0.0.255 172.16.202.0 0.0.0.255
!
access-list 10 permit 65.122.15.2
access-list 110 permit ip 172.18.35.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip 172.18.38.0 0.0.0.255 10.1.2.0 0.0.0.255

 

We are failing on Phase 1 because the PSK's are not matching.  And getting this error:

ISAKMP:(3134):Key not found in keyrings of profile , aborting exchange

Can someone point me in the right direction?  

Thanks for your time and support,

Nick

 

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Try creating a new crypto

Try creating a new crypto isakmp profile to match the IP off the L2L peer.  Then create a new crypto keyring for this peer instead of using the 'crypto isakmp key' command. 

4 REPLIES
New Member

Try creating a new crypto

Try creating a new crypto isakmp profile to match the IP off the L2L peer.  Then create a new crypto keyring for this peer instead of using the 'crypto isakmp key' command. 

New Member

crypto keyring L2L2  pre

crypto keyring L2L2
  pre-shared-key address 76.113.24.103 key L2LPSK

crypto isakmp profile L2L2
   keyring L2L2
   self-identity address
   match identity address 76.113.24.103

New Member

Thanks guys, but I had fixed

Thanks guys, but I had fixed the problem before your replies.  Just haven't had time to update my post.  LA-Engineer was very close and might work.  But I tried a configuration very close to his above, and was not working for me.  But again maybe I was doing something wrong.

What I read somewhere (I've tried to find where but no luck) was that ISAKMP Profiles are match to the closest match.  Can someone confirm or deny this?  As I can not find where I read that.  Anyway what worked for me was a config very close to LA-Eng's config:

crypto isakmp profile L2L_SiteBA
   keyring default
   match identity address 76.113.24.103 255.255.255.255 

and kept:

crypto isakmp key CandyIsGood address 76.113.24.103

 

This worked perfectly for me.  

Thanks,

Nick

Silver

Hi Nick,For L2L VPN preshared

Hi Nick,

For L2L VPN preshared key you have defined both keyring as well as crypto isakmp key with specific remote peer ip address.

crypto isakmp key L2L-PSK2 address 76.113.24.103

crypto keyring spokes 
  pre-shared-key address 0.0.0.0 0.0.0.0 key PSK1

crypto isakmp profile L2L
   keyring spokes
   match identity address 0.0.0.0

 

Although you have called keyring in the isakmp profile for any remote site ip address, but it seems it is asking for pre-shared key with more specific peer. Remove specific config using

no crypto isakmp key L2L-PSK2 address 76.113.24.103

 

HTH
 

"Please do rate helpful posts"

68
Views
5
Helpful
4
Replies