Re: Strange VPN issue

From: Chamara Peris (dimsyboy@gmail.com)
Date: Mon Oct 22 2007 - 22:45:23 ART


I have ip domain-lookup enabled, and both the hub router and the spoke can ping
test123.vpn.com (it resolves it).

On 10/23/07, WorkerBee <ciscobee@gmail.com> wrote:
>
> Do you have 'ip domain-lookup' enable?
>
> Try to do a ping test123.vpn.com and see if the router can resolve the
> domain name correctly.
>
>
> On 10/23/07, Chamara Peris <dimsyboy@gmail.com> wrote:
> > Hi Group,
> >
> > I am experiencing a very strange VPN issue. I have two sites connected
> > via VPN. The hub site has a static IP and the spoke site is dynamic. Please
> > refer to the configs of each site below.
> >
> > HUB:
> >
> > crypto keyring sats
> > pre-shared-key address 0.0.0.0 0.0.0.0 key testing123
> > !
> > crypto isakmp policy 1
> > encr 3des
> > authentication pre-share
> > group 2
> >
> > crypto isakmp invalid-spi-recovery
> > crypto isakmp profile HH
> > keyring sats
> > match identity host domain test123.vpn.com
> >
> > !
> > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > !
> > crypto dynamic-map dynmap 11
> > set transform-set myset
> > set isakmp-profile HH
> > match address 137
> >
> > crypto map xyz 10 ipsec-isakmp dynamic dynmap
> >
> >
> > access-list 137 permit ip 192.168.60.0 0.0.0.255 192.168.61.0 0.0.0.255
> >
> >
> > SPOKE:
> >
> > crypto isakmp policy 1
> > encr 3des
> > authentication pre-share
> > group 2
> > crypto isakmp key testing123 address 111.111.111.111
> > crypto isakmp invalid-spi-recovery
> > crypto isakmp keepalive 360
> > !
> > !
> > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > !
> > crypto map xyz 2 ipsec-isakmp
> > set peer 111.111.111.111
> > set transform-set myset
> > match address 137
> >
> > access-list 137 permit ip 192.168.61.0 0.0.0.255 192.168.60.0 0.0.0.255
> >
> >
> > My problem is that this setup doesn't work in this environment. However, the
> > same setup on another set of routers works perfectly. All the routers have
> > a domain name and name servers set up.
> >
> > The only way to get this going on this set of routers is to change the
> > following on the HUB router:
> >
> > match identity host domain test123.vpn.com -----> match identity address 0.0.0.0
> >
> > With the above change it works. But I can't understand why match identity
> > host domain doesn't work on this setup.
> >
> > Any ideas and help?
> >
> > Regards
> > CP
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
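As an added illustration (not code from the thread or from Cisco): a small Python model of how an ISAKMP profile's `match identity` rules are evaluated against the IKE identity a peer presents, using the hub's profile lines from the post next to the `address 0.0.0.0` variant the poster found to work. The peer identities are constructed samples, and the model assumes a spoke presents its IP address as its IKE ID unless it is configured to send a host name; note that the wildcard address match, combined with the `0.0.0.0 0.0.0.0` keyring entry, accepts any peer that knows the pre-shared key.

```python
from dataclasses import dataclass

@dataclass
class PeerIdentity:
    """What the spoke presents as its IKE phase 1 identity (constructed sample)."""
    kind: str    # "address" or "fqdn"
    value: str   # the IP address or host name sent as the IKE ID

def parse_match_rules(profile_lines):
    """Extract the 'match identity ...' rules from ISAKMP profile config lines."""
    rules = []
    for line in profile_lines:
        parts = line.split()
        if parts[:2] != ["match", "identity"]:
            continue  # keyring, description, etc. are not identity rules
        if parts[2] == "address":
            rules.append(("address", parts[3]))          # optional mask ignored here
        elif parts[2:4] == ["host", "domain"]:
            rules.append(("host_domain", parts[4].lower()))
        elif parts[2] == "host":
            rules.append(("host", parts[3].lower()))
    return rules

def profile_matches(rules, peer):
    """Return True if any rule accepts the identity the peer presented."""
    for kind, arg in rules:
        if kind == "address" and peer.kind == "address":
            # 0.0.0.0 is the wildcard: every peer that knows the PSK is accepted
            if arg == "0.0.0.0" or arg == peer.value:
                return True
        elif kind == "host_domain" and peer.kind == "fqdn":
            name = peer.value.lower()
            if name == arg or name.endswith("." + arg):
                return True
        elif kind == "host" and peer.kind == "fqdn":
            if peer.value.lower() == arg:
                return True
    return False  # no rule matched: the hub will not select this profile

# The hub profile as posted in the thread, and the looser variant that worked.
HUB_PROFILE = ["crypto isakmp profile HH", " keyring sats", " match identity host domain test123.vpn.com"]
HUB_PROFILE_ANY = ["crypto isakmp profile HH", " keyring sats", " match identity address 0.0.0.0"]

# Assumption: a spoke not configured to send a host name presents its IP as its IKE ID.
SPOKE_BY_ADDRESS = PeerIdentity("address", "198.51.100.7")      # constructed sample
SPOKE_BY_FQDN = PeerIdentity("fqdn", "spoke.test123.vpn.com")   # constructed sample
```

Running `profile_matches(parse_match_rules(HUB_PROFILE), SPOKE_BY_ADDRESS)` returns False while the FQDN peer returns True; with `HUB_PROFILE_ANY` the address peer is accepted regardless of who it is.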



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:17 ART