Router w/ Dynamic L2L Tunnel and VPN Clients

acomiskey
Level 10

I have a 7200 router currently configured w/ VPN clients. I am attempting to add a dynamic L2L tunnel to it. When I do, I am no longer able to connect using the VPN client. I followed the configuration in the following URL.

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

As soon as I add...

crypto dynamic-map dynmap 5
 set isakmp-profile VPNclient

the VPN client no longer works. I don't have access to the config right now as I took it all out. Anyone have this working properly?


Accepted Solutions

OK, mhhh, I think it is an issue with the config. Give it a shot on one of the L2L tunnels that is bouncing: set it to a profile and keyring, and see what the result is.



Ivan Martinon
Level 7

This configuration should work. We will need to take a look at your config to see what you might be missing; maybe a keyring setup?

I will post up the configuration I am using as soon as I can. Thanks for looking.

celiocarreto
Level 1

Hi,

here is a configuration example:

local-inside: 192.168.1.0/24
vpn-pool: 192.168.3.0/24
remote-site-IP: 192.168.100.0/24

aaa authentication login userauth local
aaa authorization network groupauth local
username clientuser password 0 XXXXX
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key YYYYY address 0.0.0.0 0.0.0.0   <- password for dynamic site-to-site
!
crypto isakmp client configuration group vpnclient
 key ZZZZZZZ
 pool vpn-pool
 acl 120
crypto isakmp profile VPNclient
 description vpnclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
!
crypto ipsec transform-set myvpn esp-3des esp-sha-hmac
!
crypto dynamic-map mymap3 5   <- Client VPN
 set transform-set myvpn
 set isakmp-profile VPNclient
 match address 110   <- match VPN-Pool
crypto dynamic-map mymap3 10   <- site-VPN
 set transform-set myvpn2
 match address 140   <- match internal Site-IP
!
crypto map mymap 20 ipsec-isakmp dynamic mymap3
!
ip local pool vpn-pool 192.168.3.1 192.168.3.254
!
access-list 110 permit ip any 192.168.3.0 0.0.0.255
access-list 120 remark split-tunnel for vpn-clients
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 remark no-nat-accesslist
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 130 interface Dialer0 overload
access-list 140 remark site-IPs
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

Regards, Celio

The reason this does not work is because you have the default key setup:

crypto isakmp key YYYYY address 0.0.0.0 0.0.0.0 <- password for dynamic site-to-site

This key has to be defined in a keyring rather than here; otherwise clients will not connect. Follow the link you pasted and check that they use keyrings for clients and for dynamic clients.

Hi Imartino,

This configuration is currently working. But every remote site has the same password :-)

Regards, Celio

Regardless of every remote having the same password, you need to put this dynamic key into a keyring; if this is not done, then your clients will not work.

Back to my original issue here...

I was able to get this working, but now seem to be having issues with my other L2L tunnels dropping out every so often and not coming back up. Anyone ever seen this error before?

Found ADDRESS key in keyring spokes
Feb 13 09:07:00: ISAKMP (0:578): Oops. Used some key with the peer and
Feb 13 09:07:00: when she revealed identity we don't find
Feb 13 09:07:00: hers in the relevant keyring. Thwarting her.

This is what I got when I tried to initiate one of my static L2L tunnels. This tunnel should have nothing to do with the keyring.

Can you post your configuration here?

I can post some... will post back in a little while. Thanks.

Here is what should be relevant, let me know if you need more.

I thought this too some time ago. Try to get your static LAN-to-LAN to use profiles as well, with keyrings too; that should fix it.

Yuck, I was afraid you would say that. There are a lot more VPNs than what I posted. Would adding a "match address" statement somewhere for the dynamic L2L tunnel help at all?

Unfortunately, nope. The problem with the dynamic setup and VPN clients comes when the identity is to be negotiated/identified: since both dynamic tunnels and VPN clients would use the "default key" (isakmp key ... 0.0.0.0), the router would need a way to identify each kind of connection (VPN clients vs. dynamics), hence the use of the ISAKMP profiles. So, as you can see, it is a problem with ISAKMP negotiation rather than IPsec phase 2 negotiation.

So the static tunnels I have are landing on the dynamic map 0.0.0.0 before hitting the static ones?

crypto dynamic-map DYNmap 30
 set transform-set 3des
 set pfs group2
 set isakmp-profile L2L
!
crypto map lim 115 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3des
 match address 115
 reverse-route
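A worked configuration of what the accepted answer prescribes, added here as an example and not taken from any poster in this thread or from the asker's real config: the wildcard pre-shared key moves into a keyring, the static peer gets its own keyring and ISAKMP profile, and every crypto map entry, static or dynamic, references a profile so the router can tell the three kinds of peer apart by the identity they present in phase 1. The peer address 203.0.113.10, the keyring and profile names, the placeholder keys, and the reuse of the group "vpnclient", the lists "userauth"/"groupauth" and transform set "3des" from the posts above are all assumptions.

```cisco
! Keyrings: one per kind of peer, replacing the single
! "crypto isakmp key ... address 0.0.0.0 0.0.0.0" that every peer would hit.
crypto keyring SPOKES
 pre-shared-key address 0.0.0.0 0.0.0.0 key SPOKE-PSK-PLACEHOLDER
crypto keyring STATIC-PEERS
 pre-shared-key address 203.0.113.10 255.255.255.255 key STATIC-PSK-PLACEHOLDER
!
! Profiles pick the keyring by the identity the peer presents in phase 1.
! Clients authenticate with the group key, so their profile needs no keyring.
crypto isakmp profile VPNclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
! The specific static peer is matched before the wildcard spoke profile.
crypto isakmp profile STATIC
 keyring STATIC-PEERS
 match identity address 203.0.113.10 255.255.255.255
crypto isakmp profile L2L
 keyring SPOKES
 match identity address 0.0.0.0
!
! Dynamic entries: clients at 5, unknown-address spokes at 30, each tied to its profile.
crypto dynamic-map DYNmap 5
 set transform-set 3des
 set isakmp-profile VPNclient
crypto dynamic-map DYNmap 30
 set transform-set 3des
 set pfs group2
 set isakmp-profile L2L
!
! The static entry now carries a profile too, so its identity is looked up in
! STATIC-PEERS rather than falling into keyring SPOKES (the "Thwarting her" case).
crypto map lim 115 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set 3des
 set isakmp-profile STATIC
 match address 115
 reverse-route
! The dynamic map is the last (highest sequence) entry so static peers match first.
crypto map lim 65535 ipsec-isakmp dynamic DYNmap
```

After applying this, "show crypto isakmp sa" and "debug crypto isakmp" should show each peer landing in the intended profile; a static peer that still logs "Found ADDRESS key in keyring spokes" has an entry without "set isakmp-profile".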
