Dynamic Site-to-Site & Remote Access on Same Router
I have recently come across some interesting IPsec behavior when modifying one of our Hub routers in our current VPN topology. When adding dynamic entries for sites that are now acquiring dynamic addresses (changing from time to time), I used ISAKMP Profiles that referenced keyrings for both the Dynamic L2L and the Remote Access entries. After which, any globally defined pre-shared keys being used for previously configured static sites seemed to be overlooked as the router was performing peer authentication, and those sites could never fully develop a Phase 1 connection. I had to use ISAKMP Profiles with nested keyrings for each of these sites to enable them to pass Main Mode. I was just curious if anyone else has experienced something similar.
Re: Dynamic Site-to-Site & Remote Access on Same Router
I had something similar: static IP L2L and Easy VPN client configuration. The Easy VPN clients could not complete main mode until I used ISAKMP profiles in addition to the "crypto isakmp client configuration group BLABLABLA" configuration entries.
Very strange and this was using 12.3 and 12.4 IOS trains.
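As an added illustration of the layout both posts end up with (this is not configuration from either poster), here is a hub in which the static site, the dynamic-address sites and the Easy VPN clients each get their own ISAKMP profile, and the static site's pre-shared key is moved out of the global `crypto isakmp key` table into a keyring referenced by its profile. The peer address 203.0.113.10, the key strings, the pool range, the AAA list names and ACL-SITE-A are placeholders.

```cisco
! AAA and address pool for the remote-access group (names assumed)
aaa new-model
aaa authentication login RA-XAUTH local
aaa authorization network RA-AUTHOR local
ip local pool RA-POOL 10.10.10.1 10.10.10.50
! Static site: own keyring, keyed to the peer's exact address
crypto keyring KR-STATIC-SITE-A
 pre-shared-key address 203.0.113.10 key STATIC-SITE-A-PSK
! Dynamic-address sites: wildcard keyring matching any source
crypto keyring KR-DYN-L2L
 pre-shared-key address 0.0.0.0 0.0.0.0 key DYN-L2L-PSK
! Remote-access clients: the group key lives in the client group
crypto isakmp client configuration group RA-USERS
 key RA-GROUP-PSK
 pool RA-POOL
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! One ISAKMP profile per peer class; the static site gets its own
crypto isakmp profile PROF-STATIC-SITE-A
 keyring KR-STATIC-SITE-A
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile PROF-DYN-L2L
 keyring KR-DYN-L2L
 match identity address 0.0.0.0
crypto isakmp profile PROF-RA
 match identity group RA-USERS
 client authentication list RA-XAUTH
 isakmp authorization list RA-AUTHOR
 client configuration address respond
crypto ipsec transform-set TS esp-aes esp-sha-hmac
! Each dynamic map is tied to its profile so peers land in the right entry
crypto dynamic-map DYN-L2L-MAP 10
 set transform-set TS
 set isakmp-profile PROF-DYN-L2L
crypto dynamic-map RA-MAP 10
 set transform-set TS
 set isakmp-profile PROF-RA
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set isakmp-profile PROF-STATIC-SITE-A
 match address ACL-SITE-A
crypto map VPN-MAP 20 ipsec-isakmp dynamic DYN-L2L-MAP
crypto map VPN-MAP 30 ipsec-isakmp dynamic RA-MAP
```

After applying it, `show crypto isakmp profile` confirms each profile's match criteria and keyring, and `debug crypto isakmp` shows which profile a given peer is mapped to while it is still in Main Mode, which is where the posters' static peers were failing.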