04-13-2006 08:34 AM - edited 02-21-2020 02:22 PM
hi
we have 30 wan sites that we have configured for ipsec. the configuration is all the same with 3des-sha-pfs2-isakmp. we have come across an unknown problem.after enabling some of the Tunnels, we found out that only one works and the rest are disconected. the interesting thing is that for example today I removed a single tunnel from the config and the problem was solved temporary but then again the same thing happened. the error I recieve is strange, it mentons that the peer profile cannot be found or the peer itself is unknown.
Can any one help me out on this ?
thanks
Solved! Go to Solution.
04-15-2006 01:13 AM
Ok i got the problem with your configuration. You need to have a different access-list for each location which will be specific to that particular location. In your case all traffic will match the first crypto instance and hence will not work for other locations.
04-14-2006 03:49 AM
Will need more information on the network. Is it hub-spoke model or meshed IPSec and is it dynamic IPSec on the hub ? Is it possible to show the config from hub and spoke
04-14-2006 05:05 AM
Hi
thanks for the reply- The network is hub and spoke. I have attached the configs of the central 3745 and one remote 1760 router. the branch config is all the same. I have also included a debug trace. there is also one interesting error I found and it was that the peer x.x.x.x is not valid this was in the debug crypto isakmp. as I mentioned before the first time we did this config on some routers with no problems and when we came to do the rest the next day no other routers could be added the central router gave us the exact debug trace for all routers.
any idea? thanks in advance
04-14-2006 12:29 PM
Hello,
Can you post a scrubbed version of you configuration.
Patrick
04-15-2006 01:13 AM
Ok i got the problem with your configuration. You need to have a different access-list for each location which will be specific to that particular location. In your case all traffic will match the first crypto instance and hence will not work for other locations.
04-15-2006 03:11 AM
hi
I have tested this before with no luck. a single wan location with a diffrenbt acl was configured before. but the rest were on the same acl. this morning this router failed this morning. the only time this problem is solved seems to be when a router is removed. this problem is strange. I have configured this configuration on another location with similar setup exept that they had ip addresses configured per interface. since the configuration no problem was ever seen.
Thanks a million
04-15-2006 01:52 AM
04-15-2006 06:27 AM
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address 0.x.x.x.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto map Remote1 10 ipsec-isakmp
set peer 172.20.55.1
set transform-set VPN
set pfs group2
match address VPN1
!
crypto map Remote2 10 ipsec-isakmp
set peer 172.20.54.1
set transform-set VPN
set pfs group2
match address VPN2
ip access-list extended VPN1
permit ip 10.0.0.0 0.255.255.255 172.20.21.0 0.0.0.255
ip access-list extended VPN2
permit ip 10.0.0.0 0.255.255.255 172.20.22.0 0.0.0.255
Can you try this ? Different access-list based on the LAN IPs. I would also using the loopback as the source instead of the fastethernet. You will need a different ACL per location. Also configure crypto isakmp keepalive 10 at all locations.
HTH
04-19-2006 03:54 AM
Thanks every one
I changed the config.
No problem was seen since the change. I will wait another couple of days to see what happens
Thanks again
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide