Cisco Support Community

New Member

Dynamic Site-to-Site & Remote Access on Same Router

I have recently come across some interesting IPsec behavior when modifying one of our Hub routers in our current VPN topology. When adding dynamic entries for sites that are now acquiring dynamic addresses (changing from time to time), I used ISAKMP Profiles that referenced keyrings for both the Dynamic L2L and the Remote Access entries. After which, any globally defined pre-shared keys being used for previously configured static sites seemed to be overlooked as the router was performing peer authentication and those sites could never fully develop a Phase 1 connection. I had to use ISAKMP Profiles with nested keyrings for each of these sites to enable them to pass Main Mode. I was just curious if anyone else has experienced something similar.

New Member

Re: Dynamic Site-to-Site & Remote Access on Same Router

I had something similar: static IP L2L and Easy VPN client configuration. The Easy VPN clients could not complete main mode until I used ISAKMP profiles in addition to the "crypto isakmp client configuration group BLABLABLA" configuration entries.

Very strange and this was using 12.3 and 12.4 IOS trains.
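
The workaround described in the first post (a dedicated keyring and ISAKMP profile per static site, instead of a global pre-shared key), sketched as an added example that is not taken from either poster's configuration. All names (STATIC-SITE-A, VPN-MAP, TS-AES, ACL-SITE-A), the documentation-range addresses, the interface and the key placeholder are assumptions.

```cisco
! Added example: constructed values, not from the thread.
! Keyring holding the pre-shared key for one static peer,
! replacing a global "crypto isakmp key ... address ..." entry.
crypto keyring STATIC-SITE-A
 pre-shared-key address 203.0.113.10 key <PSK-PLACEHOLDER>
!
! ISAKMP profile that matches only this peer's identity and
! points peer authentication at the keyring above.
crypto isakmp profile STATIC-SITE-A
 keyring STATIC-SITE-A
 match identity address 203.0.113.10 255.255.255.255
!
! Phase 2 pieces the crypto map entry refers to.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
ip access-list extended ACL-SITE-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Static crypto map entry bound to the profile, so this peer
! is handled by the same profile it matched in Phase 1.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set isakmp-profile STATIC-SITE-A
 match address ACL-SITE-A
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

After applying a change like this, `show crypto isakmp sa` shows whether the peer reaches an established Phase 1 state, and `debug crypto isakmp` shows which profile and keyring the router selects for it.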