08-03-2006 01:16 AM - edited 02-21-2020 02:33 PM
Hello
Apologies as this original thread was posted on the wrong board.
I currently have an IPSEC link between two sites up and running. However there are now calls to add an additional site. Therefore there will be one central VPN router providing two encrypted IPSEC links. The following configuration works fine and again is up and running (just between two sites). The configuration is as follows (on the central router):-
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key works address 213.213.213.213
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto map encry 10 ipsec-isakmp
 description VPN to estvpn2
 set peer 213.213.213.213
 set transform-set test
 match address access1
!
!
However, when I try to add additional peers as follows:-
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key works address 213.213.213.213
crypto isakmp key works address 11.11.11.6
!
!
crypto map encry local-address fastethernet 0/1
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
!
crypto map encry 10 ipsec-isakmp
 set peer 213.213.213.213
 set transform-set test
 match address access1
!
!
crypto map encry 20 ipsec-isakmp
 set peer 11.11.11.6
 set transform-set test
 match address access2
!
This brings the existing link down with the following error message:-
Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 213.215.37.133 port 500
IKE SA: local 333.333.333.333/500 remote 213.213.213.213/500 Active
IKE SA: local 333.333.333.333/500 remote 213.213.213.213/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.1.143.0/255.255.255.0
Active SAs: 0, origin: crypto map
Anyone with suggestions would be greatly appreciated!
08-03-2006 04:42 AM
Hi,
I think you should leave out the command
crypto map encry local-address fastethernet 0/1
Just make sure that you have the right crypto command on the outside-facing interface,
i.e.
interface fast x/x
 crypto map encry
and this should be OK. The earlier command is used to identify the interface you want to present to your peer (this is normally used when you apply a crypto map to more than one interface).
Check out the example on the link below:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_c3h.htm#wp1175863
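The checks this reply describes, as an added example that is not part of the original thread or any Cisco tool: a short Python audit that reads an IOS crypto configuration and reports crypto map peers with no pre-shared key, crypto maps not applied to any interface, and a local-address set on a map that is applied to fewer than two interfaces (the case the reply says does not need it). The function name audit and the sample text, built from the configuration posted in the question, are assumptions for illustration.

```python
import re

# Constructed sample: the multi-peer config from the question plus the
# interface stanza from the reply (sub-commands unindented, as posted).
SAMPLE = """\
crypto isakmp key works address 213.213.213.213
crypto isakmp key works address 11.11.11.6
crypto map encry local-address fastethernet 0/1
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto map encry 10 ipsec-isakmp
set peer 213.213.213.213
set transform-set test
match address access1
crypto map encry 20 ipsec-isakmp
set peer 11.11.11.6
set transform-set test
match address access2
interface FastEthernet0/1
crypto map encry
"""

def audit(config):
    # Hypothetical helper: returns a list of consistency findings.
    keys, local_addr, peers, applied = set(), set(), {}, {}
    entry = iface = None  # sub-mode we are in: (map, seq) or interface name
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"crypto isakmp key \S+ address (\S+)", line):
            keys.add(m[1])
        elif m := re.match(r"crypto map (\S+) local-address ", line):
            local_addr.add(m[1])
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entry, iface = (m[1], int(m[2])), None
            peers.setdefault(entry, [])
        elif m := re.fullmatch(r"interface (.+)", line):
            entry, iface = None, m[1]
        elif iface and (m := re.fullmatch(r"crypto map (\S+)", line)):
            applied.setdefault(m[1], []).append(iface)
        elif entry and (m := re.fullmatch(r"set peer (\S+)", line)):
            peers[entry].append(m[1])
    findings = []
    for (name, seq), plist in sorted(peers.items()):
        findings += [f"{name} {seq}: no pre-shared key for peer {p}"
                     for p in plist if p not in keys]
    for name in sorted({n for n, _ in peers}):
        count = len(applied.get(name, []))
        if count == 0:
            findings.append(f"{name}: not applied to any interface")
        if name in local_addr and count < 2:
            findings.append(f"{name}: local-address set, applied to {count} interface(s)")
    return findings
```

Running audit(SAMPLE) reports only the local-address line; with that line removed the sample produces no findings.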
08-03-2006 05:41 AM
Hi,
I guess you can take out the command crypto map encry local-address fastethernet 0/1 and apply the crypto map directly on the (outside) interface, and I believe it will sort out the matter.
Regards,
Wilson SAmuel
08-03-2006 09:25 PM
I would be more interested in what exactly sh crypto ipsec sa and sh crypto isakmp sa show in both sides of the new side. Also, as posted earlier, don't force the crypto source if both connections are through 2 different links.
08-04-2006 12:22 AM
Many thanks
I bounced the interface a few times and it worked. I still did take out the unnecessary command and as you all say it works :) The one thing I am a little worried about is a constant error message in the logs:-
*Aug 4 06:15:16.823: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 0 data 446D2944 chunkmagic 0 chunk_freemagic 4405A330
-Process= "
-Traceback= 0x40ABDEE8 0x400BC510 0x402FF6B4 0x400431B4 0x400437BC 0x400103A8 0x4001173C
Possibly an IOS bug? I can't find any further info.
Ty again
08-04-2006 04:16 AM
I checked this message in the Error Message Decoder and here is the output:
1. %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk [hex] data [hex] chunkmagic [hex] chunk_freemagic [hex]
A software error has occurred.
Recommended Action: Copy the error message exactly as it appears on the console or in the system log, contact your Cisco technical support representative, and provide the representative with the gathered information.
Related documents- No specific documents apply to this error message
It looks like a software error and I think they would advise an IOS upgrade.
M.