Cisco Support Community

New Member

dynamic map IPSEC issue

Hello All,

I have a 2801 which is currently serving my IPSEC VPN clients. This has a dynamic map setup, where the tunnel initialisation happens from the user connecting. I use RADIUS to authenticate and authorise the users. Now I am planning to use the same 2801 at central to connect another 2801 at a hub and have an IPSEC tunnel between them.

* Now if I use a pre-shared key for the hub and the central office, I have to type the key for the hub on the central router; for this we will use the crypto isakmp key **** command. But will this affect the other VPN users using RADIUS? Do I have to modify the aaa commands to check local first and then the RADIUS? Will this work?

please help



  • VPN
joe Bronze

Re: dynamic map IPSEC issue

Hi Prakadeesh,

Actually you can simply add a static crypto map entry above the dynamic map.

Take this for instance:

crypto map secure 100 ipsec-isakmp
 set peer a.b.c.d
 set transform-set ESP-AES-128-SHA
 match address central-to-remote
crypto map secure 65535 ipsec-isakmp dynamic dynamicmap1

Notice the dynamic map is usually always placed at the END (last sequence) of the same crypto map as static remote peers?

Also regarding your key: once user authentication is configured on the router (XAUTH) it is necessary to EXEMPT the crypto isakmp keys of the static peers from the XAUTH process. Here is a sample of that:

crypto isakmp key DBbankm$%^! address no-xauth

Simply create your branch/static ipsec peer's crypto isakmp keys with the "no-xauth" argument.

Please post safe versions of your configurations (show tech will do this)

and we'll help you with anything else!
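The layout Joe describes, written out as one central-router configuration. This is an added example, not a configuration from the thread or from Cisco; the peer address 203.0.113.2, the LAN prefixes, the key string and the interface name are placeholders.

```cisco
! Added example (not from the original thread). Addresses, prefixes,
! the key value and interface names are placeholders.
!
! Central 2801: one crypto map carries a static site-to-site entry
! for the hub router AND the existing dynamic entry for the
! RADIUS/XAUTH remote-access clients.
!
! Pre-shared key for the static hub peer. "no-xauth" exempts this
! peer from XAUTH, so the router does not prompt the hub router for
! a username/password. The aaa/RADIUS lines for VPN users stay as
! they are; only the remote-access clients go through XAUTH.
crypto isakmp key 0 PLACEHOLDER-HUB-KEY address 203.0.113.2 no-xauth
!
! Interesting traffic for the site-to-site tunnel (central LAN to
! hub LAN). The hub must carry the exact mirror image of this ACL.
ip access-list extended central-to-remote
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes 128 esp-sha-hmac
!
! Static entry: low sequence number, so it is evaluated first.
crypto map secure 100 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-128-SHA
 match address central-to-remote
!
! Dynamic entry: highest sequence number, evaluated last. It catches
! the VPN clients whose source address is not known in advance.
crypto map secure 65535 ipsec-isakmp dynamic dynamicmap1
!
! Both entries belong to the same map, applied once to the
! public-facing interface.
interface FastEthernet0/0
 crypto map secure
```

The point of the ordering is that a packet is tested against sequence 100 first and only falls through to the dynamic entry if the static one does not match, so the hub traffic is always handled by the static peer definition rather than being treated as a remote-access client.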


New Member

Re: dynamic map IPSEC issue

Thanks Joe,

As of now I have created a loopback IP and attached a separate crypto map to it and I am testing. I can see the following issues.

* Once I ping the central router from the peer, the IPSEC gets established. I can see a QM_IDLE in the show isakmp sa command.

* I can ping the remote from central, but when I ping the central from remote, I get a message that rec`d packet not IPSEC. I was able to ping both sides before the crypto map.

Please help



joe Bronze

Re: dynamic map IPSEC issue

To do this your Loopback interface would need a public IP (in simple cases). That public IP will need to be the crypto "set peer" of the remote router.

Make sure you are not NATting tunnel traffic and that both crypto maps are symmetrical. Please post configs.
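The three things Joe asks for (a routable loopback as the tunnel source, no NAT on tunnel traffic, and a mirrored crypto map on the remote side) as one added example. This is not configuration from the thread; 203.0.113.1 (central loopback), 203.0.113.2 (remote), the LAN prefixes, the key string and the interface names are placeholders.

```cisco
! Added example (not from the original thread). All addresses,
! prefixes, key values and interface names are placeholders.
!
! ---------------- Central router ----------------
! Routable loopback used as the IKE/IPsec source address.
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
! Bind the map's source to the loopback. The crypto map itself stays
! applied to the physical outside interface (see below); the remote
! router sets this loopback address as its "set peer".
crypto map secure local-address Loopback0
!
! Exempt tunnel traffic from NAT. A packet that is translated before
! the crypto map sees it no longer matches the crypto ACL, so it
! leaves in the clear and the far side reports it as not IPsec.
ip access-list extended nat-exempt
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
route-map nat-rm permit 10
 match ip address nat-exempt
ip nat inside source route-map nat-rm interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 ip nat outside
 crypto map secure
interface FastEthernet0/1
 ip nat inside
!
! ---------------- Remote router ----------------
! Same key, peer = central loopback, ACL is the exact mirror of the
! central "central-to-remote" ACL (source and destination swapped).
crypto isakmp key 0 PLACEHOLDER-HUB-KEY address 203.0.113.1
ip access-list extended remote-to-central
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto ipsec transform-set ESP-AES-128-SHA esp-aes 128 esp-sha-hmac
crypto map secure 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-AES-128-SHA
 match address remote-to-central
interface FastEthernet0/0
 crypto map secure
```

To check symmetry, compare the "local ident"/"remote ident" pairs in show crypto ipsec sa on both routers: they must be each other's mirror, and both the "pkts encaps" and "pkts decaps" counters should increase on each side when you ping. A side that only decrypts (decaps rising, encaps at zero) is sending its return traffic outside the tunnel, which is exactly what a NAT hit or a non-mirrored ACL produces.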

New Member

Re: dynamic map IPSEC issue

Hi Joe,

Still facing the same issue. I have got the IPSEC tunnel up between central and remote but I can't ping the central from the remote. I get a failure that the IP packet that the remote got was not encrypted :(. I have attached some configs and results, please have a look at them and let me know what's going wrong. The remote router is a test router and it's actually connected to the same LAN as the central because it's just a test setup.


New Member

Re: dynamic map IPSEC issue

Just to add to it. The tunnel runs between 195.195.X.X and 195.195.Y.Y. Now when I ping 195.195.Y.Y from the remote, the remote gets a "packet not IPSEC encrypted" error. I used the show crypto engine connections active command on both the routers. I can see that the central router is only decrypting the packets from the remote but it is not encrypting the packets. The show crypto ipsec sa shows that both the endpoints are using the same encryption algorithm. What am I missing here? One endpoint, the 195.195.Y.Y which is not encrypting, is a /24 on an interface; is that an issue? Please help, I am totally lost here.



New Member

Re: dynamic map IPSEC issue

During my testing I put the endpoints on the same VLAN IP range and the encrypt/decrypt happens properly. Please help, what could be wrong? Any suggestions please.
