From: Chamara Peris (dimsyboy@gmail.com)
Date: Mon Oct 22 2007 - 19:49:15 ART
Hi Group,
I am experiencing a very strange VPN issue. I have two sites connected via
VPN. The hub site has a static IP and the spoke site is dynamic. Please refer to
the configs of each site below.
HUB:
crypto keyring sats
 pre-shared-key address 0.0.0.0 0.0.0.0 key testing123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile HH
 keyring sats
 match identity host domain test123.vpn.com
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 11
 set transform-set myset
 set isakmp-profile HH
 match address 137
crypto map xyz 10 ipsec-isakmp dynamic dynmap
access-list 137 permit ip 192.168.60.0 0.0.0.255 192.168.61.0 0.0.0.255
SPOKE:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key testing123 address 111.111.111.111
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 360
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map xyz 2 ipsec-isakmp
 set peer 111.111.111.111
 set transform-set myset
 match address 137
access-list 137 permit ip 192.168.61.0 0.0.0.255 192.168.60.0 0.0.0.255
My problem is that this setup doesn't work in this environment. However, the same
setup on another set of routers works perfectly. All the routers have a domain
name set up and name servers set up.
The only way to get this going on this set of routers is to change the following
on the HUB router:
match identity host domain test123.vpn.com -----> match identity address 0.0.0.0
With the above change it works. But I can't understand why match identity
host domain doesn't work on this setup.
Any ideas and help?
Regards
CP
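
A check worth running on this pair of configs, as an added example that is not part of the original post: the hub profile matches on an FQDN identity, while an IOS router with no "crypto isakmp identity hostname" line sends its address as the ISAKMP identity (the IOS default). The function names and the trimmed, indented config excerpts are constructed for illustration.

```python
import re

# Constructed excerpts of the two configs quoted in the post above,
# with sub-commands indented the way IOS prints them.
HUB = """\
crypto isakmp profile HH
 keyring sats
 match identity host domain test123.vpn.com
"""
SPOKE = """\
crypto isakmp key testing123 address 111.111.111.111
crypto map xyz 2 ipsec-isakmp
 set peer 111.111.111.111
"""

def spoke_identity_type(cfg):
    """ID type the spoke sends in IKE phase 1; IOS defaults to 'address'."""
    m = re.search(r"^crypto isakmp identity (address|hostname|dn)\s*$", cfg, re.M)
    return m.group(1) if m else "address"

def profile_matches(cfg):
    """Return {profile: [(kind, value), ...]} from 'match identity' lines."""
    profiles, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"crypto isakmp profile (\S+)", line)
        if head:
            current = profiles.setdefault(head.group(1), [])
        elif not line.startswith(" "):
            current = None  # left the profile sub-mode
        elif current is not None:
            m = re.match(r"\s+match identity (address|host domain|host|group) (.+)", line)
            if m:
                current.append((m.group(1), m.group(2).strip()))
    return profiles

def unreachable_profiles(hub_cfg, spoke_cfg):
    """Profiles whose match rules cannot match the ID type the spoke sends."""
    sent = spoke_identity_type(spoke_cfg)
    # ID type each 'match identity' form expects from the peer
    expects = {"address": "address", "host": "hostname", "host domain": "hostname"}
    return [name for name, rules in profile_matches(hub_cfg).items()
            if rules and all(expects.get(kind) != sent for kind, _ in rules)]

if __name__ == "__main__":
    print(unreachable_profiles(HUB, SPOKE))
```

An empty list means every hub profile has at least one rule that can match the identity type the spoke sends.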