Solved: site to site ipsec vpn with noncisco routers

Giga Tsverava · ‎09-21-2014

hello,

i am trying to connect cisco 2911 router with noncisco routers (HP, TPlink) using site-to-site ipsec vpn with crypto-maps.

the problem is that vpn traffic shows "#send errors" if command "crypto isakmp identity dn" is used (we are using it for certificate based authentication for cisco vpn clients). when i delete the command, vpn works fine with noncisco devices.

please can you advice if there is any option on cisco ios to solve the problem.

thanks

giga

ajiddima · ‎09-22-2014

okay,

try using isakmp profile, something like below:

crypto isakmp profile test
match identity address 1.1.1.1 255.255.255.255

now under crypto map call the isakmp profile as below:

crypto map test 1 ipsec-isakmp test

-Altaf

View solution in original post

ajiddima · ‎09-22-2014

Hi,

Can you try using this command instead of the above:

crypto isakmp identity auto

Giga Tsverava · ‎09-22-2014

Hi,

thank for reply

unfortunately ios doesn't have AUTO command, it has only ADDRESS, DN and HOSTNAME .

giga

ajiddima · ‎09-22-2014

okay,

try using isakmp profile, something like below:

crypto isakmp profile test
match identity address 1.1.1.1 255.255.255.255

now under crypto map call the isakmp profile as below:

crypto map test 1 ipsec-isakmp test

-Altaf

Giga Tsverava · ‎09-22-2014

thanks Altaf, you gave me right way for problem solution.

this configuration of crypto isakmp profile works fine for me:

crypto isakmp profile test
keyring test
self-identity address
match identity address x.x.x.x 255.255.255.255

giga