
Router w/ Dynamic L2L Tunnel and VPN Clients

I have a 7200 router currently configured with VPN clients. I am attempting to add a dynamic L2L tunnel to it. When I do, I am no longer able to connect using the VPN client. I followed the configuration in the following URL.

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

As soon as I add...

crypto dynamic-map dynmap 5
 set isakmp-profile VPNclient

the VPN client no longer works. I don't have access to the config right now, as I took it all out. Does anyone have this working properly?


22 REPLIES

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

This configuration should work; we will need to take a look at your config to see what you might be missing. Maybe a keyring setup?

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

I will post up the configuration I am using as soon as I can. Thanks for looking.


Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Hi,

Here is a configuration example:

local-inside: 192.168.1.0/24
vpn-pool: 192.168.3.0/24
remote-site-IP: 192.168.100.0/24

aaa authentication login userauth local
aaa authorization network groupauth local
username clientuser password 0 XXXXX
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! password for dynamic site-to-site
crypto isakmp key YYYYY address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group vpnclient
 key ZZZZZZZ
 pool vpn-pool
 acl 120
!
crypto isakmp profile VPNclient
 description vpnclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
!
crypto ipsec transform-set myvpn esp-3des esp-sha-hmac
!
! client VPN (access-list 110 matches the VPN pool)
crypto dynamic-map mymap3 5
 set transform-set myvpn
 set isakmp-profile VPNclient
 match address 110
!
! site VPN (access-list 140 matches the internal site IPs)
! note: transform-set myvpn2 is not shown in this excerpt
crypto dynamic-map mymap3 10
 set transform-set myvpn2
 match address 140
!
crypto map mymap 20 ipsec-isakmp dynamic mymap3
!
ip local pool vpn-pool 192.168.3.1 192.168.3.254
!
access-list 110 permit ip any 192.168.3.0 0.0.0.255
access-list 120 remark split-tunnel for vpn-clients
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 remark no-nat-accesslist
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 remark site-IPs
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
ip nat inside source list 130 interface Dialer0 overload

Regards, Celio

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

The reason this does not work is because you have the default key set up:

! password for dynamic site-to-site
crypto isakmp key YYYYY address 0.0.0.0 0.0.0.0

This key has to be defined in a keyring rather than here; otherwise clients will not connect. Follow the link you pasted and check that they use keyrings for clients and for dynamic clients.

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Hi Imartino,

This configuration is currently working, but every remote site has the same password :-)

Regards, Celio

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Regardless of every remote having the same password, you need to put this dynamic key into a keyring. If this is not done, then your clients will not work.

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Back to my original issue here..

I was able to get this working, but now I seem to be having issues with my other L2L tunnels dropping out every so often and not coming back up. Has anyone ever seen this error before?

Found ADDRESS key in keyring spokes
Feb 13 09:07:00: ISAKMP (0:578): Oops. Used some key with the peer and
Feb 13 09:07:00: when she revealed identity we don't find
Feb 13 09:07:00: hers in the relevant keyring. Thwarting her.

This is what I got when I tried to initiate one of my static L2L tunnels. This tunnel should have nothing to do with the keyring.

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Can you post your configuration here?


Re: Router w/ Dynamic L2L Tunnel and VPN Clients

I can post some... I will post back in a little while. Thanks.

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Here is what should be relevant; let me know if you need more.

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

I thought this too some time ago. Try to get your static LAN-to-LAN tunnels to use profiles with keyrings as well; that should fix it.

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Yuck, I was afraid you would say that. There are a lot more VPNs than what I posted. Would adding a "match address" statement somewhere for the dynamic L2L tunnel help at all?

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Unfortunately, no. The problem with a dynamic setup and VPN clients comes when the identity is to be negotiated/identified. Since both dynamic tunnels and VPN clients would use the "default key" (isakmp key ... 0.0.0.0), the router needs a way to identify each kind of connection (VPN clients vs. dynamics), hence the use of the ISAKMP profiles. So, as you can see, it is a problem with ISAKMP negotiation rather than IPsec phase 2 negotiation.

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

So the static tunnels I have are landing on the dynamic map 0.0.0.0 before hitting the static ones?

crypto dynamic-map DYNmap 30
 set transform-set 3des
 set pfs group2
 set isakmp-profile L2L
!
crypto map lim 115 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3des
 match address 115
 reverse-route

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

It seems they are not even landing on any tunnel: since there is no keyring with which to identify them, it does not go further, unless your outputs show something else. Try: show crypto isakmp sa

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

The tunnels are coming up, but they seem to be bouncing up and down.

dst src state conn-id slot
x.x.x.1 192.168.10.1 QM_IDLE 548 0
x.x.x.2 192.168.10.1 QM_IDLE 603 0
x.x.x.3 192.168.10.1 MM_NO_STATE 638 0 (deleted)
x.x.x.4 192.168.10.1 QM_IDLE 629 0
x.x.x.5 192.168.10.1 QM_IDLE 599 0
192.168.10.1 x.x.x.6 QM_IDLE 610 0 L2L
192.168.10.1 x.x.x.7 QM_IDLE 627 0 VPNclient
192.168.10.1 x.x.x.8 QM_IDLE 636 0 VPNclient
x.156.x.157 x.x.x.9 QM_IDLE 639 0
x.71.x.52 x.x.x.10 MM_NO_STATE 637 0 (deleted)
x.201.x.43 x.x.x.11 QM_IDLE 622 0

Re: Router w/ Dynamic L2L Tunnel and VPN Clients (Accepted Solution)

OK, hmm, I think it is an issue with the config. Give it a shot on one of the L2L tunnels that is bouncing: set it to a profile and keyring, and see what the result is.
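As an added example (not configuration from this thread or from the linked Cisco document), here is one way to lay out the keyring-plus-profile design the replies describe, so that VPN clients, dynamic spokes and a static peer are each identified by their own ISAKMP profile and no global `crypto isakmp key ... address 0.0.0.0 0.0.0.0` is left in place. The AAA list names, pool, transform-set and map names are reused from the configurations posted above; the keyring names (SPOKES, STATIC-PEERS), the profile names L2L-DYN and L2L-STATIC, the static peer address 203.0.113.10, access-list 115 and every key value are constructed placeholders. It assumes IOS selects the profile with the more specific `match identity address` for the static peer rather than the wildcard one; confirm on the actual platform with `show crypto isakmp profile` and `show crypto isakmp sa`.

```cisco
! --- AAA for VPN clients (names taken from Celio's example above) ---
aaa authentication login userauth local
aaa authorization network groupauth local
username clientuser password 0 XXXXX
!
! --- Keyrings: one per peer class; no global "crypto isakmp key ... 0.0.0.0 0.0.0.0" ---
! SPOKES holds the wildcard key for dynamically addressed site-to-site peers
crypto keyring SPOKES
 pre-shared-key address 0.0.0.0 0.0.0.0 key SPOKE_PSK_PLACEHOLDER
! STATIC-PEERS holds one key per fixed-address peer (203.0.113.10 is a constructed address)
crypto keyring STATIC-PEERS
 pre-shared-key address 203.0.113.10 key STATIC_PSK_PLACEHOLDER
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! VPN client group: its key comes from the group definition, not from a keyring
crypto isakmp client configuration group vpnclient
 key CLIENT_GROUP_KEY_PLACEHOLDER
 pool vpn-pool
 acl 120
!
! --- ISAKMP profiles: the identity presented in phase 1 decides which one applies ---
! remote-access clients identify by group name
crypto isakmp profile VPNclient
 match identity group vpnclient
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
! static peer: specific address, its own keyring (assumed to be evaluated before the wildcard)
crypto isakmp profile L2L-STATIC
 keyring STATIC-PEERS
 match identity address 203.0.113.10 255.255.255.255
! dynamically addressed spokes: wildcard address, wildcard keyring
crypto isakmp profile L2L-DYN
 keyring SPOKES
 match identity address 0.0.0.0
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
! --- Dynamic map entries, each bound to its profile ---
crypto dynamic-map DYNmap 5
 set transform-set 3des
 set isakmp-profile VPNclient
crypto dynamic-map DYNmap 30
 set transform-set 3des
 set pfs group2
 set isakmp-profile L2L-DYN
!
! --- Static map entry now also carries a profile, so it no longer depends on a global key ---
crypto map lim 115 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set 3des
 set isakmp-profile L2L-STATIC
 match address 115
 reverse-route
! dynamic entries go last so static entries are tried first
crypto map lim 65000 ipsec-isakmp dynamic DYNmap
!
ip local pool vpn-pool 192.168.3.1 192.168.3.254
! constructed ACLs using the subnets from Celio's example
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 remark split-tunnel for vpn-clients
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
```

With this layout a peer that presents an address identity is looked up in the keyring attached to the profile it matched, which is what the "Oops. Used some key with the peer ... Thwarting her" message above complains about when a static peer falls through to a profile whose keyring does not contain its key.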

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Hello guys

I have a similar problem with dynamic peers, static peers and VPN clients.

I'm using ISAKMP profiles and keyrings for the dynamic peers and VPN clients, but not for the static tunnel.

What happens is that when I try to establish the dynamic tunnel, the router asks for XAUTH, which was supposed to be bypassed if I'm not wrong... The VPN clients and the static tunnel work fine.

Could anyone give me a hint?

Thanks.

Guilherme


Re: Router w/ Dynamic L2L Tunnel and VPN Clients

So far so good. Thanks for the help.


Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Hi, can you please help me to create a site-to-site tunnel VPN...

If possible, can you please share the doc too?

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Hey, basically you need to create another profile for your static VPN tunnels, with a keyring too. Follow the doc at the very top of this post; just adapt it to your setup.

Re: Router w/ Dynamic L2L Tunnel and VPN Clients

Hey,

Thanks for your reply.

I configured my dynamic VPNs using that doc; I'm going to try doing the same with the static tunnels and see what happens.

Regards,

Guilherme
