
IPSEC configuration from 1 to 2 different sites

mathewh
Level 1

Hello

Apologies as this original thread was posted on the wrong board.

I currently have an IPSEC link between two sites up and running. However there are now calls to add an additional site. Therefore there will be one central VPN router providing two encrypted IPSEC links. The following configuration works fine and again is up and running (just between two sites). Configuration wise, this is as follows (on the central router):-

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key works address 213.213.213.213
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto map encry 10 ipsec-isakmp
 description VPN to estvpn2
 set peer 213.213.213.213
 set transform-set test
 match address access1
!
!

However when I try and add additional peers in as follows:-

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key works address 213.213.213.213
crypto isakmp key works address 11.11.11.6
!
!
crypto map encry local-address fastethernet 0/1
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
!
crypto map encry 10 ipsec-isakmp
 set peer 213.213.213.213
 set transform-set test
 match address access1
!
!
crypto map encry 20 ipsec-isakmp
 set peer 11.11.11.6
 set transform-set test
 match address access2
!

This brings the existing link down with the following error message:-

Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 213.215.37.133 port 500
  IKE SA: local 333.333.333.333/500 remote 213.213.213.213/500 Active
  IKE SA: local 333.333.333.333/500 remote 213.213.213.213/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.1.143.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Anyone with suggestions would be greatly appreciated!
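As an added example (not from this thread or from Cisco's own tooling), a small Python check that parses the two-peer crypto map above and lists what would break or weaken it before it is applied: a peer with no pre-shared key, an undefined transform set, a missing peer/transform-set/ACL line, the deprecated 3DES/MD5 transforms, and the local-address line that is only needed when the map sits on more than one interface. The sample config is the poster's second snippet re-typed with IOS indentation; the lint rules and function names are mine.

```python
import re
# Constructed sample: the poster's second (two-peer) config, with IOS indentation.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key works address 213.213.213.213
crypto isakmp key works address 11.11.11.6
crypto map encry local-address fastethernet 0/1
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto map encry 10 ipsec-isakmp
 set peer 213.213.213.213
 set transform-set test
 match address access1
crypto map encry 20 ipsec-isakmp
 set peer 11.11.11.6
 set transform-set test
 match address access2
"""
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}  # deprecated; prefer AES / SHA-2 transforms

def parse(config):
    # Returns (peers that have an isakmp key, transform sets, crypto map entries, local-address).
    keys, tsets, maps, local, cur = set(), {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            keys.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = set(m[2].split())
        elif m := re.match(r"crypto map (\S+) local-address (.+)", line):
            local[m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur = (m[1], int(m[2])); maps[cur] = {}; continue
        elif cur and raw.startswith(" "):  # sub-command of the current map entry
            if m := re.match(r"set peer (\S+)|set transform-set (\S+)|match address (\S+)", line):
                maps[cur][("peer", "tset", "acl")[m.lastindex - 1]] = m[m.lastindex]
            continue
        cur = None  # any other top-level line closes the current map entry
    return keys, tsets, maps, local

def lint(config):
    # Problems a multi-peer crypto map should be free of before it goes on the interface.
    (keys, tsets, maps, local), out = parse(config), []
    for (name, seq), e in sorted(maps.items()):
        tag = f"crypto map {name} {seq}"
        out += [f"{tag}: missing {f}" for f in ("peer", "tset", "acl") if f not in e]
        if "peer" in e and e["peer"] not in keys:
            out.append(f"{tag}: no isakmp key configured for peer {e['peer']}")
        if e.get("tset") not in tsets:
            out.append(f"{tag}: transform-set {e.get('tset')} is not defined")
        elif weak := WEAK & tsets[e["tset"]]:
            out.append(f"{tag}: weak transforms {sorted(weak)}")
    for name, iface in local.items():  # only needed when the map is applied to several interfaces
        out.append(f"crypto map {name}: local-address {iface} is only needed when applied to several interfaces")
    return out
```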

5 Replies

akin_lopez
Level 1

Hi,

I think you should leave out the command

crypto map encry local-address fastethernet 0/1

Just make sure that you have the right crypto command on the outside-facing interface, i.e.

interface fast x/x
 crypto map encry

and this should be OK. The earlier command is used to identify the interface you want to present to your peer (this is normally used when you apply a crypto map to more than one interface).

check out the example on the link below:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_c3h.htm#wp1175863

Wilson Samuel
Level 7

Hi,

I guess you can take out this command crypto map encry local-address fastethernet 0/1 and apply the crypto map directly on the interface (outside), and I believe it will sort out the matter.

Regards,

Wilson Samuel

I would be more interested in what exactly sh crypto ipsec sa and sh crypto isakmp sa show on both sides of the new site. Also, as posted earlier, don't force the crypto source if both connections are through 2 different links.

Many thanks

I bounced the interface a few times and it worked. I still did take out the unnecessary command and, as you all say, it works :) The one thing I am a little worried about is a constant error message in the logs:-

*Aug 4 06:15:16.823: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 0 data 446D2944 chunkmagic 0 chunk_freemagic 4405A330
-Process= "", ipl= 4, pid= 83
-Traceback= 0x40ABDEE8 0x400BC510 0x402FF6B4 0x400431B4 0x400437BC 0x400103A8 0x4001173C

Possibly an IOS bug? I can't find any further info.

Ty again

I checked this message in the Error Message Decoder and here is the output:

1. %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk [hex] data [hex] chunkmagic [hex] chunk_freemagic [hex]

A software error has occurred.

Recommended Action: Copy the error message exactly as it appears on the console or in the system log, contact your Cisco technical support representative, and provide the representative with the gathered information.

Related documents- No specific documents apply to this error message

It looks like a software error and I think they advise an IOS upgrade.

M.