Cisco Support Community
VRF-aware IPSEC - Multiple Dynamic Peers

I am simulating a VRF-aware IPsec VPN concentrator with multiple dynamic peers on GNS.

I have two client profiles on the 7200 concentrator.

I can have both clients working.

But I noticed that when doing a restart of all the sessions, one of the clients will stop working.

I'm getting an error of:

*Feb 18 20:58:27.811: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from failed its sanity check or is malformed

Which I believe means the pre-shared keys do not match. But I am very sure they are accurate and match.

I have to re-create the whole profile so it will work again (keyring, dynamic profile, dynamic-map).

I am not sure if this is just a GNS problem or config itself.

Below is my config for the 7200 VPN concentrator.

I hope someone can share their ideas on how to do this properly.

Objective: Multiple dynamic VRF-aware IPsec peers

Client 1 is ABC

Client 2 is XYZ

! One inside VRF per customer
ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
ip vrf B
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
! One keyring per customer (peer addresses omitted in the post)
crypto keyring VRF-B
 pre-shared-key address key XYZ
crypto keyring VRF-A
 pre-shared-key address key ABC
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! One ISAKMP profile per customer, binding the inside VRF to its keyring
! (peer addresses in the match statements omitted in the post)
crypto isakmp profile XYZ
 vrf B
 keyring VRF-B
 match identity address
crypto isakmp profile ABC
 vrf A
 keyring VRF-A
 match identity address
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
! One dynamic map per customer, tied to its ISAKMP profile and proxy ACL
crypto dynamic-map ABC 10
 set transform-set vpn
 set isakmp-profile ABC
 match address ABC-remote
crypto dynamic-map XYZ 10
 set transform-set vpn
 set isakmp-profile XYZ
 match address XYZ-remote
!
! Both dynamic maps hang off the single crypto map applied to the WAN interface
crypto map VPN 11 ipsec-isakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC
!
! Proxy ACLs (source/destination omitted in the post)
ip access-list extended ABC-remote
 permit ip
ip access-list extended XYZ-remote
 permit ip
!
! Static routes from each VRF into the global table (prefixes omitted in the post)
ip route vrf A global
ip route vrf B global
!
interface FastEthernet1/0
 description WAN-to-Internet
 ip address
 duplex full
 speed 100
 crypto map VPN
!
interface Loopback10
 ip vrf forwarding A
 ip address
interface Loopback20
 ip vrf forwarding B
 ip address
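As an added example (not part of the original post, and not a Cisco tool), here is a small Python consistency checker for this kind of crypto-map configuration. It parses a constructed config that mirrors the post's two-customer layout, with RFC 5737 addresses standing in for the ones stripped from the post, and reports dangling references (an ISAKMP profile pointing at a keyring or VRF that does not exist, a dynamic map pointing at a missing profile or ACL, a crypto map that is never applied to an interface) as well as any peer address keyed in more than one keyring. Names such as parse_ios, build_model and check are the example's own. It does not diagnose the poster's error; it only catches the structural mistakes that are easy to make when a keyring, profile and dynamic map are re-created by hand.

```python
"""Consistency check for a VRF-aware IPsec crypto-map config in Cisco IOS syntax.
Added example, not from the original post; SAMPLE_CONFIG is constructed (RFC 5737 addresses)."""

SAMPLE_CONFIG = """\
ip vrf A
ip vrf B
crypto keyring VRF-A
 pre-shared-key address 192.0.2.10 key ABC
crypto keyring VRF-B
 pre-shared-key address 198.51.100.20 key XYZ
crypto isakmp profile ABC
 vrf A
 keyring VRF-A
 match identity address 192.0.2.10 255.255.255.255
crypto isakmp profile XYZ
 vrf B
 keyring VRF-B
 match identity address 198.51.100.20 255.255.255.255
crypto dynamic-map ABC 10
 set isakmp-profile ABC
 match address ABC-remote
crypto dynamic-map XYZ 10
 set isakmp-profile XYZ
 match address XYZ-remote
crypto map VPN 11 ipsec-isakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC
ip access-list extended ABC-remote
 permit ip 10.1.0.0 0.0.255.255 10.101.0.0 0.0.255.255
ip access-list extended XYZ-remote
 permit ip 10.2.0.0 0.0.255.255 10.102.0.0 0.0.255.255
interface FastEthernet1/0
 crypto map VPN
"""
# Deliberately broken variant: ACL name typo in dynamic-map XYZ, and ABC's peer also keyed in VRF-B.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "match address XYZ-remote", "match address XYZ-remot").replace(
    " key XYZ\n", " key XYZ\n pre-shared-key address 192.0.2.10 key XYZ\n")

def parse_ios(text):
    # Group the config into (header words, [child-line words]) blocks; IOS
    # indents sub-mode lines with a space and uses "!" as a separator.
    blocks, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            cur = (raw.split(), [])
            blocks.append(cur)
        elif cur is not None:
            cur[1].append(raw.split())
    return blocks

def build_model(blocks):
    # Collect every object that a crypto-map based VPN references by name.
    m = {"vrfs": set(), "acls": set(), "applied": set(), "cryptomaps": [],
         "keyrings": {}, "profiles": {}, "dynmaps": {}}
    for h, body in blocks:
        if h[:2] == ["ip", "vrf"]:
            m["vrfs"].add(h[2])
        elif h[:3] == ["ip", "access-list", "extended"]:
            m["acls"].add(h[3])
        elif h[:2] == ["crypto", "keyring"]:  # peer address (+ optional mask) of each key
            m["keyrings"][h[2]] = [" ".join(c[2:c.index("key")]) for c in body
                                   if c[:2] == ["pre-shared-key", "address"] and "key" in c]
        elif h[:3] == ["crypto", "isakmp", "profile"]:
            m["profiles"][h[3]] = {c[0]: c[1] for c in body if c[0] in ("vrf", "keyring")}
        elif h[:2] == ["crypto", "dynamic-map"]:  # sequence numbers collapsed per map name
            m["dynmaps"][h[2]] = {" ".join(c[:2]): c[2] for c in body if len(c) > 2}
        elif h[:2] == ["crypto", "map"] and "dynamic" in h:
            m["cryptomaps"].append((h[2], int(h[3]), h[h.index("dynamic") + 1]))
        elif h[0] == "interface":
            m["applied"].update(c[2] for c in body if c[:2] == ["crypto", "map"])
    return m

def check(m):
    # Report dangling references and peer addresses keyed in more than one keyring.
    f = []
    def need(kind, ref, pool, where):
        if ref not in m[pool]:
            f.append(f"{where}: {kind} {ref} not defined")
    for name, p in m["profiles"].items():
        if "vrf" in p:
            need("vrf", p["vrf"], "vrfs", f"isakmp profile {name}")
        need("keyring", p.get("keyring"), "keyrings", f"isakmp profile {name}")
    for name, d in m["dynmaps"].items():
        need("isakmp profile", d.get("set isakmp-profile"), "profiles", f"dynamic-map {name}")
        need("ACL", d.get("match address"), "acls", f"dynamic-map {name}")
    for cm, seq, dyn in m["cryptomaps"]:
        need("dynamic-map", dyn, "dynmaps", f"crypto map {cm} {seq}")
    for cm in sorted({cm for cm, _, _ in m["cryptomaps"]} - m["applied"]):
        f.append(f"crypto map {cm}: not applied to any interface")
    for a in sorted({a for addrs in m["keyrings"].values() for a in addrs}):
        krs = sorted(kr for kr, addrs in m["keyrings"].items() if a in addrs)
        if len(krs) > 1:
            f.append(f"pre-shared-key address {a} in keyrings {', '.join(krs)}: "
                     "ambiguous keyring selection for that peer")
    return f
```

Feed it the text of a `show running-config` capture with `check(build_model(parse_ios(text)))`; the constructed sample returns no findings, and BROKEN_CONFIG returns one finding for the misspelled ACL reference and one for the peer address present in both keyrings.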