ar
New Member

VRF-aware IPSEC - Multiple Dynamic Peers

Hi.
I am simulating a VRF-aware IPsec VPN concentrator with multiple dynamic peers on GNS.

I have two client profiles on the 7200 concentrator.

I can have both clients working.

But I noticed that when restarting all the sessions, one of the clients stops working.

I'm getting an error of:

*Feb 18 20:58:27.811: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.1.2 failed its sanity check or is malformed

Which I believe means the pre-shared keys do not match. But I am very sure they are accurate and match.

I have to re-create the whole profile so it will work again (keyring, dynamic profile, dynamic-map).

I am not sure if this is just a GNS problem or config itself.

Below is my config for the 7200 VPN concentrator.

I hope someone can share their ideas on how to do this properly.

Objective: Multiple Dynamic vrf-aware IPSEC Peers

thanks

Client 1 is ABC

Client 2 is XYZ

ip vrf A
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf B
rd 2:2
route-target export 2:2
route-target import 2:2
!
!
!
crypto keyring VRF-B
  pre-shared-key  address 0.0.0.0 0.0.0.0 key XYZ
crypto keyring VRF-A
  pre-shared-key address 0.0.0.0 0.0.0.0 key ABC
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp profile XYZ
   vrf B
   keyring VRF-B
   match identity address 0.0.0.0

crypto isakmp profile ABC
   vrf A
   keyring VRF-A
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto dynamic-map ABC 10
set transform-set vpn
set isakmp-profile ABC
match address ABC-remote
!
crypto dynamic-map XYZ 10
set transform-set vpn
set isakmp-profile XYZ
match address XYZ-remote
!
!
crypto map VPN 11 ipsec-isakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC

ip access-list extended ABC-remote
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

ip access-list extended XYZ-remote
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255


ip route vrf A 10.0.0.0 255.0.0.0 172.16.1.2 global
ip route vrf B 10.2.0.0 255.255.0.0 172.16.1.3 global


interface FastEthernet1/0
description WAN-to-Internet

ip address 172.16.1.1 255.255.255.0
duplex full
speed 100
crypto map VPN

interface Loopback10
ip vrf forwarding A
ip address 10.1.1.1 255.255.255.0
!
interface Loopback20
ip vrf forwarding B
ip address 10.1.1.1 255.255.255.0

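As an added example (not from the post and not Cisco code), a small Python check over the keyring and ISAKMP profile excerpt above: it flags profiles whose `match identity address` ranges overlap while pointing at different keyrings, a configuration in which the concentrator cannot tell which pre-shared key a given peer should be matched against, and a common way to end up with a PSK-mismatch-style failure for one of two otherwise correct peers. Assumptions: a bare `0.0.0.0` in `match identity address` means any peer, and a bare address without a mask is a /32 host.

```python
import ipaddress
import re

# Constructed excerpt of the concentrator config from the post (keyrings and profiles only).
CONFIG = """\
crypto keyring VRF-B
  pre-shared-key address 0.0.0.0 0.0.0.0 key XYZ
crypto keyring VRF-A
  pre-shared-key address 0.0.0.0 0.0.0.0 key ABC
crypto isakmp profile XYZ
   vrf B
   keyring VRF-B
   match identity address 0.0.0.0
crypto isakmp profile ABC
   vrf A
   keyring VRF-A
   match identity address 0.0.0.0
"""

def to_network(addr, mask=None):
    # Assumption: a bare 0.0.0.0 means "any peer"; any other bare address is a /32 host.
    if mask is None:
        mask = "0.0.0.0" if addr == "0.0.0.0" else "255.255.255.255"
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_profiles(config):
    """Return {profile name: {"keyring": name, "match": [networks]}} from IOS config text."""
    profiles, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto isakmp profile (\S+)", line)
        if head:
            current = profiles.setdefault(head.group(1), {"keyring": None, "match": []})
        elif current is not None and line.startswith(" "):
            tokens = line.split()
            if tokens[:1] == ["keyring"]:
                current["keyring"] = tokens[1]
            elif tokens[:3] == ["match", "identity", "address"]:
                current["match"].append(to_network(*tokens[3:5]))
        else:
            current = None  # any non-indented line ends the current profile block
    return profiles

def ambiguous_profiles(config):
    """Pairs of profiles whose peer-selection ranges overlap but use different keyrings,
    so a peer inside the overlap can only ever be tried against one of the two PSKs."""
    profiles = parse_profiles(config)
    names = sorted(profiles)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if profiles[a]["keyring"] == profiles[b]["keyring"]:
                continue
            if any(x.overlaps(y) for x in profiles[a]["match"] for y in profiles[b]["match"]):
                findings.append((a, b))
    return findings

if __name__ == "__main__":
    for a, b in ambiguous_profiles(CONFIG):
        print(f"profiles {a} and {b} match the same peers but use different keyrings")
```

Narrowing each profile's `match identity address` (and each keyring's address) to the peer it actually serves makes the check come back empty.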