

IPSec Router Dynamic LAN-to-LAN Peer and VPN Clients

Can anyone help me with this?

I am using a 2821 router as a VPN server for mobile users and LAN2LAN sites.

I am using the configuration type from the following link.

At the moment the mobile users are able to connect to the VPN server, but not the remote sites, which are using dynamic IPs (DSL) and NAT from the provider. I am using Cisco 831 routers as terminal equipment.

The debug log shows a message like this:

019088: *Feb 23 18:26:24.668 PCTime: ISAKMP: reserved not zero on ID payload!

019089: *Feb 23 18:26:24.668 PCTime: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from failed its sanity check or is malformed

I am attaching the log message as well as the configs used.

Best regards
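The "reserved not zero on ID payload" check that IOS logged above, as an added Python example (not the poster's configuration and not Cisco's code): it parses an ISAKMP Identification payload per RFC 2407 section 4.6.2 and applies the same sanity rules, so a defender can reproduce the check against a captured IKE packet. The sample payloads are constructed, not taken from the thread's capture.

```python
import struct

# ISAKMP Identification payload (RFC 2407 §4.6.2):
#   Next Payload (1) | RESERVED (1) | Payload Length (2) |
#   ID Type (1) | Protocol ID (1) | Port (2) | Identification Data (variable)
ID_HEADER = struct.Struct("!BBHBBH")

ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN",
            4: "IPV4_ADDR_SUBNET", 11: "KEY_ID"}


def check_id_payload(payload: bytes) -> dict:
    """Sanity-check one ID payload the way an IKE responder does.

    Returns {'ok': True, ...fields} or {'ok': False, 'reason': ...}.
    """
    if len(payload) < ID_HEADER.size:
        return {"ok": False, "reason": "truncated header"}
    _next, reserved, length, id_type, proto, port = ID_HEADER.unpack_from(payload)
    # The RESERVED byte of the generic payload header MUST be zero; a non-zero
    # value is what produces the "reserved not zero on ID payload" log line.
    if reserved != 0:
        return {"ok": False, "reason": "reserved not zero on ID payload"}
    if length != len(payload):
        return {"ok": False,
                "reason": f"payload length {length} != actual {len(payload)}"}
    data = payload[ID_HEADER.size:]
    if id_type == 1 and len(data) != 4:
        return {"ok": False, "reason": "IPV4_ADDR ID must carry 4 bytes"}
    return {"ok": True, "id_type": ID_TYPES.get(id_type, id_type),
            "proto": proto, "port": port, "data": data}


def build_id_payload(id_type: int, data: bytes, reserved: int = 0,
                     proto: int = 17, port: int = 500) -> bytes:
    """Build an ID payload; reserved != 0 lets us construct a malformed one."""
    hdr = ID_HEADER.pack(0, reserved, ID_HEADER.size + len(data),
                         id_type, proto, port)
    return hdr + data


# Constructed samples: a well-formed IPV4_ADDR ID and one with RESERVED set.
GOOD_ID = build_id_payload(1, bytes([192, 0, 2, 10]))
BAD_ID = build_id_payload(1, bytes([192, 0, 2, 10]), reserved=0x01)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_ID), ("bad", BAD_ID)):
        print(name, check_id_payload(pkt))
```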



Re: IPSec Router Dynamic LAN-to-LAN Peer and VPN Clients

I am kind of confused on this. Why do you want to NAT the traffic going to the hub through IPSec? And I suggest doing Tunnel mode instead of Transport mode and NATting it. What you have done looks kind of scary to me ;-)

Why I am saying this is that IPSec transport mode requires you to define traffic between the Crypto peers in the Crypto ACL and not the internal LAN. Let me know if you need any more info.


Re: IPSec Router Dynamic LAN-to-LAN Peer and VPN Clients

There is a third box (from the DSL provider) which is doing NAT. If I remove the NAT from the Cisco 831 I lose the communication through the hub.


cisco 831-->DSL-box-->Internet<---Hub server

Now a question... according to me, to configure Tunnel mode I have to enable GRE. Is that correct?

Thanks a lot for your comments


Re: IPSec Router Dynamic LAN-to-LAN Peer and VPN Clients

Yes, correct, you will have to do GRE or L2TP to use transport mode. The Crypto ACL will have to permit traffic between the peers only.