From: WorkerBee (ciscobee@gmail.com)
Date: Mon Oct 22 2007 - 22:14:14 ART
Do you have 'ip domain-lookup' enabled?
Try to do a ping test123.vpn.com and see if the router can resolve the domain
name correctly.
On 10/23/07, Chamara Peris <dimsyboy@gmail.com> wrote:
> Hi Group,
>
> I am experiencing a very strange VPN issue. I have two sites connected via
> VPN. The hub site has a static IP and the spoke site is dynamic. Please refer to
> the configs of each site below.
>
> HUB:
>
> crypto keyring sats
>  pre-shared-key address 0.0.0.0 0.0.0.0 key testing123
> !
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
>
> crypto isakmp invalid-spi-recovery
> crypto isakmp profile HH
>  keyring sats
>  match identity host domain test123.vpn.com
>
> !
> crypto ipsec transform-set myset esp-3des esp-sha-hmac
> !
> crypto dynamic-map dynmap 11
>  set transform-set myset
>  set isakmp-profile HH
>  match address 137
>
> crypto map xyz 10 ipsec-isakmp dynamic dynmap
>
>
> access-list 137 permit ip 192.168.60.0 0.0.0.255 192.168.61.0 0.0.0.255
>
>
> SPOKE:
>
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp key testing123 address 111.111.111.111
> crypto isakmp invalid-spi-recovery
> crypto isakmp keepalive 360
> !
> !
> crypto ipsec transform-set myset esp-3des esp-sha-hmac
> !
> crypto map xyz 2 ipsec-isakmp
>  set peer 111.111.111.111
>  set transform-set myset
>  match address 137
>
> access-list 137 permit ip 192.168.61.0 0.0.0.255 192.168.60.0 0.0.0.255
>
>
> My problem is that this setup doesn't work in this environment. However, the same
> setup on another set of routers works perfectly. All the routers have a domain
> name and name servers set up.
>
> The only way to get this going on this set of routers is to change the following
> on the HUB router.
>
> match identity host domain test123.vpn.com -----> match identity address
> 0.0.0.0
>
> With the above change it works. But I can't understand why match identity
> host domain doesn't work on this setup.
>
> Any ideas and help?
>
> Regards
> CP
>
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:17 ART