Re: Strange VPN issue

From: Chamara Peris (dimsyboy@gmail.com)
Date: Fri Oct 26 2007 - 21:38:47 ART


Hi Richard,

I can't add pre-shared-key under the crypto root. IOS is not accepting it.
Without adding a match identity statement it gives an error under the isakmp
profile. This is what I have done so far.

Static END:

crypto keyring sats
  pre-shared-key hostname xxxx1.ath.cx key 12345678
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key staticlink address 60.33.33.33
crypto isakmp invalid-spi-recovery
crypto isakmp profile HH
! This profile is incomplete (no match identity statement)
   keyring sats
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 11
 set transform-set myset
 set isakmp-profile HH
 match address 137
!
!
crypto map xyz 2 ipsec-isakmp
 set peer 60.33.33.33
 set transform-set myset
 match address 136
crypto map xyz 10 ipsec-isakmp dynamic dynmap

Dynamic END:

crypto isakmp peer address 124.111.112.181
 set aggressive-mode password 12345678
 set aggressive-mode client-endpoint user-fqdn xxxx1.ath.cx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map xyz 2 ipsec-isakmp
 set peer 124.111.112.181
 set transform-set myset
 match address 137

On 10/27/07, Richard Dumoulin <Richard.Dumoulin@vanco.fr> wrote:
>
> On the side with the static IP you configure:
>
> pre-shared-key hostname X@X key XXXX
> !
> crypto dynamic-map dyn-map 10
>  set transform-set vpn
>  reverse-route
> !
> crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
> !
> interface FastEthernet0/0
>  crypto map vpn-map
>
> On the router with dynamic IP:
>
> crypto isakmp peer address <here you put the static IP>
>  set aggressive-mode password XXXX
>  set aggressive-mode client-endpoint user-fqdn X@X
> !
> crypto ipsec transform-set vpn esp-3des esp-sha-hmac
> !
> crypto map vpn-map 10 ipsec-isakmp
>  set peer <here you put the static IP>
>  match address vpn-acl
> !
> interface FastEthernet0/0
>  crypto map vpn-map
> !
> ip access-list extended vpn-acl
>  permit ip <whatever traffic you want to encrypt>
>
> On the debug you will see that only 3 messages are exchanged instead of 6
> in ISAKMP.
>
> -- Richard
> ------------------------------
>
> *From:* Richard Dumoulin
> *Sent:* Saturday, October 27, 2007 1:11 AM
> *To:* 'Chamara Peris'
> *Cc:* 'Farrukh Haroon'; 'Tarun Pahuja'; 'WorkerBee'; 'Cisco certification'
> *Subject:* RE: Strange VPN issue
>
> On the side with static IP you configure the following :
>
> ------------------------------
>
> *From:* Chamara Peris [mailto:dimsyboy@gmail.com]
> *Sent:* Saturday, October 27, 2007 12:42 AM
> *To:* Richard Dumoulin
> *Cc:* Farrukh Haroon; Tarun Pahuja; WorkerBee; Cisco certification
> *Subject:* Re: Strange VPN issue
>
> Hi Richard,
>
> Could you provide me with an example?
>
> Thanks Heaps,
>
> CP
>
> On 10/27/07, *Richard Dumoulin* <Richard.Dumoulin@vanco.fr> wrote:
>
> Hi Chamara, did you try aggressive mode instead? This is usually the way
> to go when having a dynamic IP on one end.
>
> -- Richard
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> Sent: Friday, October 26, 2007 11:21 PM
> To: Farrukh Haroon
> Cc: Tarun Pahuja; WorkerBee; Cisco certification
> Subject: Re: Strange VPN issue
>
> Hi Farrukh,
>
> I've tried both ways (with host and without host) as you suggested, but
> still the same issue.
>
> Cheers,
> Chamara
>
>
> On 10/27/07, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
> >
> > Chamara, can you try one of the following:
> >
> > match identity host test123.vpn.com
> > (without the 'domain' keyword),
> > _or_
> > match identity host domain vpn.com
> >
> > The command reference is quite ambiguous about the proper use.
> >
> > Regards
> >
> > Farrukh
> >
> > On 10/25/07, Chamara Peris < dimsyboy@gmail.com> wrote:
> > >
> > > Hi Tarun,
> > >
> > > Using different DNS servers. However, the router can resolve the domain
> > > without an issue. Debug attached from the HUB router.
> > >
> > >
> > > Oct 25 07:26:36.300: ISAKMP (0:0): received packet from 222.111.111.172 dport 500 sport 500 Global (N) NEW SA
> > > Oct 25 07:26:36.304: ISAKMP: Created a peer struct for 222.111.111.172, peer port 500
> > > Oct 25 07:26:36.304: ISAKMP: New peer created peer = 0x82E88B4C peer_handle = 0x80000004
> > > Oct 25 07:26:36.304: ISAKMP: Locking peer struct 0x82E88B4C, refcount 1 for crypto_isakmp_process_block
> > > Oct 25 07:26:36.304: ISAKMP: local port 500, remote port 500
> > > Oct 25 07:26:36.304: insert sa successfully sa = 82F383B4
> > > Oct 25 07:26:36.304: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> > > Oct 25 07:26:36.304: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
> > >
> > > Oct 25 07:26:36.304: ISAKMP:(0): processing SA payload. message ID = 0
> > > Oct 25 07:26:36.304: ISAKMP:(0): processing vendor id payload
> > > Oct 25 07:26:36.304: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
> > > Oct 25 07:26:36.304: ISAKMP (0:0): vendor ID is NAT-T v7
> > > Oct 25 07:26:36.304: ISAKMP:(0): processing vendor id payload
> > > Oct 25 07:26:36.304: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
> > > Oct 25 07:26:36.304: ISAKMP:(0): vendor ID is NAT-T v3
> > > Oct 25 07:26:36.304: ISAKMP:(0): processing vendor id payload
> > > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
> > > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID is NAT-T v2
> > > Oct 25 07:26:36.308: ISAKMP:(0):found peer pre-shared key matching 222.111.111.172
> > > Oct 25 07:26:36.308: ISAKMP:(0): local preshared key found
> > > Oct 25 07:26:36.308: ISAKMP : Scanning profiles for xauth ... HH
> > > Oct 25 07:26:36.308: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
> > > Oct 25 07:26:36.308: ISAKMP: encryption 3DES-CBC
> > > Oct 25 07:26:36.308: ISAKMP: hash SHA
> > > Oct 25 07:26:36.308: ISAKMP: default group 2
> > > Oct 25 07:26:36.308: ISAKMP: auth pre-share
> > > Oct 25 07:26:36.308: ISAKMP: life type in seconds
> > > Oct 25 07:26:36.308: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> > > Oct 25 07:26:36.308: ISAKMP:(0):atts are acceptable. Next payload is 3
> > > Oct 25 07:26:36.308: ISAKMP:(0): processing vendor id payload
> > > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
> > > Oct 25 07:26:36.308: ISAKMP (0:0): vendor ID is NAT-T v7
> > > Oct 25 07:26:36.308: ISAKMP:(0): processing vendor id payload
> > > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
> > > Oct 25 07:26:36.308: ISAKMP:(0): vendor ID is NAT-T v3
> > > Oct 25 07:26:36.308: ISAKMP:(0): processing vendor id payload
> > > Oct 25 07:26:36.312: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
> > > Oct 25 07:26:36.312: ISAKMP:(0): vendor ID is NAT-T v2
> > > Oct 25 07:26:36.312: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> > > Oct 25 07:26:36.312: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
> > >
> > > Oct 25 07:26:36.312: ISAKMP:(0): constructed NAT-T vendor-07 ID
> > > Oct 25 07:26:36.312: ISAKMP:(0): sending packet to 222.111.111.172 my_port 500 peer_port 500 (R) MM_SA_SETUP
> > > Oct 25 07:26:36.312: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> > > Oct 25 07:26:36.312: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
> > >
> > > Oct 25 07:26:36.688: ISAKMP (0:0): received packet from 222.111.111.172 dport 500 sport 500 Global (R) MM_SA_SETUP
> > > Oct 25 07:26:36.692: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> > > Oct 25 07:26:36.692: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
> > >
> > > Oct 25 07:26:36.692: ISAKMP:(0): processing KE payload. message ID = 0
> > > Oct 25 07:26:36.732: ISAKMP:(0): processing NONCE payload. message ID = 0
> > > Oct 25 07:26:36.736: ISAKMP:(0):found peer pre-shared key matching 222.111.111.172
> > > Oct 25 07:26:36.736: ISAKMP:(2003): processing vendor id payload
> > > Oct 25 07:26:36.736: ISAKMP:(2003): vendor ID is Unity
> > > Oct 25 07:26:36.736: ISAKMP:(2003): processing vendor id payload
> > > Oct 25 07:26:36.736: ISAKMP:(2003): vendor ID is DPD
> > > Oct 25 07:26:36.736: ISAKMP:(2003): processing vendor id payload
> > > Oct 25 07:26:36.736: ISAKMP:(2003): speaking to another IOS box!
> > > Oct 25 07:26:36.736: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> > > Oct 25 07:26:36.736: ISAKMP:(2003):Old State = IKE_R_MM3 New State = IKE_R_MM3
> > >
> > > Oct 25 07:26:36.740: ISAKMP:(2003): sending packet to 222.111.111.172 my_port 500 peer_port 500 (R) MM_KEY_EXCH
> > > Oct 25 07:26:36.740: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> > > Oct 25 07:26:36.740: ISAKMP:(2003):Old State = IKE_R_MM3 New State = IKE_R_MM4
> > >
> > > Oct 25 07:26:37.168: ISAKMP (0:2003): received packet from 222.111.111.172 dport 500 sport 500 Global (R) MM_KEY_EXCH
> > > Oct 25 07:26:37.168: ISAKMP:(2003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> > > Oct 25 07:26:37.168: ISAKMP:(2003):Old State = IKE_R_MM4 New State = IKE_R_MM5
> > >
> > > Oct 25 07:26:37.168: ISAKMP:(2003): processing ID payload. message ID = 0
> > > Oct 25 07:26:37.168: ISAKMP (0:2003): ID payload
> > > next-payload : 8
> > > type : 1
> > > address : 222.111.111.172
> > > protocol : 17
> > > port : 500
> > > length : 12
> > > Oct 25 07:26:37.168: ISAKMP:(0):: peer matches *none* of the profiles
> > > Oct 25 07:26:37.168: ISAKMP:(2003): processing HASH payload. message ID = 0
> > > Oct 25 07:26:37.168: ISAKMP:received payload type 17
> > > Oct 25 07:26:37.168: ISAKMP:(2003): processing NOTIFY INITIAL_CONTACT protocol 1
> > > spi 0, message ID = 0, sa = 82F383B4
> > > Oct 25 07:26:37.168: ISAKMP:(2003):SA authentication status: authenticated
> > > Oct 25 07:26:37.168: ISAKMP:(2003):SA has been authenticated with 222.111.111.172
> > > Oct 25 07:26:37.172: ISAKMP:(2003):SA authentication status: authenticated
> > > Oct 25 07:26:37.172: ISAKMP:(2003): Process initial contact, bring down existing phase 1 and 2 SA's with local 124.111.211.181 remote 222.111.111.172 remote port 500
> > > Oct 25 07:26:37.172: ISAKMP: Trying to insert a peer 124.111.211.181/222.111.111.172/500/, and inserted successfully 82E88B4C.
> > > Oct 25 07:26:37.172: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> > > Oct 25 07:26:37.172: ISAKMP:(2003):Old State = IKE_R_MM5 New State = IKE_R_MM5
> > >
> > > Oct 25 07:26:37.172: IPSEC(key_engine): got a queue event with 1 KMI message(s)
> > > Oct 25 07:26:37.172: ISAKMP:(2003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> > > Oct 25 07:26:37.172: ISAKMP (0:2003): ID payload
> > > next-payload : 8
> > > type : 1
> > > address : 124.111.211.181
> > > protocol : 17
> > > port : 500
> > > length : 12
> > > Oct 25 07:26:37.172: ISAKMP:(2003):Total payload length: 12
> > > Oct 25 07:26:37.176: ISAKMP:(2003): sending packet to 222.111.111.172 my_port 500 peer_port 500 (R) MM_KEY_EXCH
> > > Oct 25 07:26:37.176: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> > > Oct 25 07:26:37.176: ISAKMP:(2003):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
> > >
> > > Oct 25 07:26:37.176: ISAKMP:(2003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
> > > Oct 25 07:26:37.176: ISAKMP:(2003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
> > >
> > > Oct 25 07:26:37.552: ISAKMP (0:2003): received packet from 222.111.111.172 dport 500 sport 500 Global (R) QM_IDLE
> > > Oct 25 07:26:37.552: ISAKMP: set new node -1997029058 to QM_IDLE
> > > Oct 25 07:26:37.552: ISAKMP:(2003): processing HASH payload. message ID = -1997029058
> > > Oct 25 07:26:37.552: ISAKMP:(2003): processing SA payload. message ID = -1997029058
> > > Oct 25 07:26:37.552: ISAKMP:(2003):Checking IPSec proposal 1
> > > Oct 25 07:26:37.552: ISAKMP: transform 1, ESP_3DES
> > > Oct 25 07:26:37.552: ISAKMP: attributes in transform:
> > > Oct 25 07:26:37.552: ISAKMP: encaps is 1 (Tunnel)
> > > Oct 25 07:26:37.552: ISAKMP: SA life type in seconds
> > > Oct 25 07:26:37.552: ISAKMP: SA life duration (basic) of 3600
> > > Oct 25 07:26:37.552: ISAKMP: SA life type in kilobytes
> > > Oct 25 07:26:37.552: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> > > Oct 25 07:26:37.552: ISAKMP: authenticator is HMAC-SHA
> > > Oct 25 07:26:37.552: ISAKMP:(2003):atts are acceptable.
> > > Oct 25 07:26:37.556: IPSEC(validate_proposal_request): proposal part #1
> > > Oct 25 07:26:37.556: IPSEC(validate_proposal_request): proposal part #1,
> > > (key eng. msg.) INBOUND local= 124.111.211.181, remote= 222.111.111.172,
> > > local_proxy= 192.168.60.0/255.255.255.0/0/0 (type=4),
> > > remote_proxy= 192.168.61.0/255.255.255.0/0/0 (type=4),
> > > protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
> > > lifedur= 0s and 0kb,
> > > spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
> > > Oct 25 07:26:37.556: Crypto mapdb : proxy_match
> > > src addr : 192.168.60.0
> > > dst addr : 192.168.61.0
> > > protocol : 0
> > > src port : 0
> > > dst port : 0
> > > Oct 25 07:26:37.556: map_db_check_isakmp_profile profile did not match
> > > Oct 25 07:26:37.556: Crypto mapdb : proxy_match
> > > src addr : 192.168.60.0
> > > dst addr : 192.168.61.0
> > > protocol : 0
> > > src port : 0
> > > dst port : 0
> > > Oct 25 07:26:37.556: map_db_check_isakmp_profile profile did not match
> > > Oct 25 07:26:37.556: map_db_find_best did not find matching map
> > > Oct 25 07:26:37.556: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
> > > Oct 25 07:26:37.556: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
> > > Oct 25 07:26:37.556: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 124.111.211.181 remote 222.111.111.172)
> > > Oct 25 07:26:37.556: ISAKMP: set new node 1861558090 to QM_IDLE
> > > Oct 25 07:26:37.560: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
> > > spi 2208230480, message ID = 1861558090
> > > Oct 25 07:26:37.560: ISAKMP:(2003): sending packet to 222.111.111.172 my_port 500 peer_port 500 (R) QM_IDLE
> > > Oct 25 07:26:37.560: ISAKMP:(2003):purging node 1861558090
> > > Oct 25 07:26:37.560: ISAKMP:(2003):deleting node -1997029058 error TRUE reason "QM rejected"
> > > Oct 25 07:26:37.560: ISAKMP:(2003):Node -1997029058, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
> > > Oct 25 07:26:37.560: ISAKMP:(2003):Old State = IKE_QM_READY New State = IKE_QM_READY
> > >
> > >
> > >
> > > On 10/25/07, Tarun Pahuja < pahujat@gmail.com> wrote:
> > > >
> > > > Chamara,
> > > > Are the working and non-working routers using the same DNS servers or
> > > > different DNS servers? You can specify multiple criteria for matching.
> > > >
> > > > http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml
> > > >
> > > > Do me a favor, revert your configuration to use match identity host
> > > > domain, try to initiate the tunnel and capture the debug and send it
> > > > to me. Seems like the FQDN is not getting resolved correctly.
> > > >
> > > > Thanks,
> > > > Tarun
> > > >
> > > >
> > > > On 10/23/07, Chamara Peris < dimsyboy@gmail.com > wrote:
> > > >
> > > > > same IOS version on working setup and non-working setup :(
> > > > >
> > > > > On 10/24/07, WorkerBee < ciscobee@gmail.com> wrote:
> > > > > >
> > > > > > Before you check on the IOS version, if you change the type domain
> > > > > > to address, does it work? Changing to the address type is to make
> > > > > > sure there is no configuration or firewall issue.
> > > > > >
> > > > > > On 10/24/07, WorkerBee < ciscobee@gmail.com> wrote:
> > > > > > > Maybe it is the IOS version? Check the version against the
> > > > > > > working setup.
> > > > > > >
> > > > > > > On 10/24/07, Chamara Peris < dimsyboy@gmail.com> wrote:
> > > > > > > > Hi All,
> > > > > > > >
> > > > > > > > Any ideas on this issue?
> > > > > > > >
> > > > > > > >
> > > > > > > > On 10/23/07, Chamara Peris < dimsyboy@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > I have ip domain-lookup enabled and both the hub router and
> > > > > > > > > the spoke can ping test123.vpn.com (it resolves it).
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On 10/23/07, WorkerBee < ciscobee@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > Do you have 'ip domain-lookup' enabled?
> > > > > > > > > >
> > > > > > > > > > Try to do a ping test123.vpn.com and see if the router can
> > > > > > > > > > resolve the domain name correctly.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On 10/23/07, Chamara Peris < dimsyboy@gmail.com> wrote:
> > > > > > > > > > > Hi Group,
> > > > > > > > > > >
> > > > > > > > > > > I am experiencing a very strange VPN issue. I have two
> > > > > > > > > > > sites connected via VPN. The hub site has a static IP and
> > > > > > > > > > > the spoke site is dynamic. Please refer to the configs of
> > > > > > > > > > > each site below.
> > > > > > > > > > >
> > > > > > > > > > > HUB:
> > > > > > > > > > >
> > > > > > > > > > > crypto keyring sats
> > > > > > > > > > >   pre-shared-key address 0.0.0.0 0.0.0.0 key testing123
> > > > > > > > > > > !
> > > > > > > > > > > crypto isakmp policy 1
> > > > > > > > > > >  encr 3des
> > > > > > > > > > >  authentication pre-share
> > > > > > > > > > >  group 2
> > > > > > > > > > >
> > > > > > > > > > > crypto isakmp invalid-spi-recovery
> > > > > > > > > > > crypto isakmp profile HH
> > > > > > > > > > >    keyring sats
> > > > > > > > > > >    match identity host domain test123.vpn.com
> > > > > > > > > > >
> > > > > > > > > > > !
> > > > > > > > > > > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > > > > > > > > > > !
> > > > > > > > > > > crypto dynamic-map dynmap 11
> > > > > > > > > > >  set transform-set myset
> > > > > > > > > > >  set isakmp-profile HH
> > > > > > > > > > >  match address 137
> > > > > > > > > > >
> > > > > > > > > > > crypto map xyz 10 ipsec-isakmp dynamic dynmap
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > access-list 137 permit ip 192.168.60.0 0.0.0.255 192.168.61.0 0.0.0.255
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > SPOKE:
> > > > > > > > > > >
> > > > > > > > > > > crypto isakmp policy 1
> > > > > > > > > > >  encr 3des
> > > > > > > > > > >  authentication pre-share
> > > > > > > > > > >  group 2
> > > > > > > > > > > crypto isakmp key testing123 address 111.111.111.111
> > > > > > > > > > > crypto isakmp invalid-spi-recovery
> > > > > > > > > > > crypto isakmp keepalive 360
> > > > > > > > > > > !
> > > > > > > > > > > !
> > > > > > > > > > > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > > > > > > > > > > !
> > > > > > > > > > > crypto map xyz 2 ipsec-isakmp
> > > > > > > > > > >  set peer 111.111.111.111
> > > > > > > > > > >  set transform-set myset
> > > > > > > > > > >  match address 137
> > > > > > > > > > >
> > > > > > > > > > > access-list 137 permit ip 192.168.61.0 0.0.0.255 192.168.60.0 0.0.0.255
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > My problem is this setup doesn't work in this
> > > > > > > > > > > environment. However, the same setup on another set of
> > > > > > > > > > > routers works perfectly. All the routers have the domain
> > > > > > > > > > > name and name servers set up.
> > > > > > > > > > >
> > > > > > > > > > > The only way to get this going on this set of routers is
> > > > > > > > > > > to change the following on the HUB router:
> > > > > > > > > > >
> > > > > > > > > > > match identity host domain test123.vpn.com -----> match identity address 0.0.0.0
> > > > > > > > > > >
> > > > > > > > > > > With the above change it works. But I can't understand
> > > > > > > > > > > why match identity host domain doesn't work on this
> > > > > > > > > > > setup.
> > > > > > > > > > >
> > > > > > > > > > > Any ideas and help?
> > > > > > > > > > >
> > > > > > > > > > > Regards
> > > > > > > > > > > CP
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > _______________________________________________________________________
> > > > > > > > > > > Subscription information may be found at:
> > > > > > > > > > > http://www.groupstudy.com/list/CCIELab.html
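An added diagnostic, not code from the thread or from Cisco, that reads a `debug crypto isakmp` capture the way the hub debug above has to be read: the peer identifies itself with ID type 1 (ID_IPV4_ADDR, as the debug's "using id type ID_IPV4_ADDR" line confirms), so a profile whose only selector is `match identity host domain` is never chosen, the dynamic map bound to it is skipped, and quick mode ends in PROPOSAL_NOT_CHOSEN, while `match identity address` does match, which is why the reported workaround works. The ID-type numbers are from RFC 2407; the field layout after "ID payload" is assumed to be the one shown in the thread, and the sample lines are excerpted from that debug.

```python
"""Spot the ISAKMP identity-type mismatch in an IOS 'debug crypto isakmp' capture.
Added diagnostic for this thread; sample lines are excerpted from the hub debug above."""
import re

# IKEv1 identification types (RFC 2407) as printed in the 'type :' field.
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
# Which 'match identity' forms of a crypto isakmp profile can match each type.
MATCHABLE_BY = {"ID_IPV4_ADDR": {"address"},
                "ID_FQDN": {"host", "host domain"},
                "ID_USER_FQDN": {"user", "user domain"}}

SAMPLE_DEBUG = """\
Oct 25 07:26:37.168: ISAKMP:(2003): processing ID payload. message ID = 0
Oct 25 07:26:37.168: ISAKMP (0:2003): ID payload
next-payload : 8
type : 1
address : 222.111.111.172
protocol : 17
port : 500
length : 12
Oct 25 07:26:37.168: ISAKMP:(0):: peer matches *none* of the profiles
Oct 25 07:26:37.556: map_db_check_isakmp_profile profile did not match
Oct 25 07:26:37.560: ISAKMP:(2003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
""".splitlines()


def parse_debug(lines):
    """Collect the peer's identity and the profile / phase-2 outcome."""
    result = {"peer_id_type": None, "peer_id": None,
              "profile_matched": True, "phase2_rejected": False}
    want_peer_id = False  # set once IOS reports processing the received ID
    in_payload = False    # inside the multi-line 'ID payload' field dump
    for line in lines:
        if "processing ID payload" in line:
            want_peer_id = True
        elif want_peer_id and line.rstrip().endswith("ID payload"):
            in_payload = True
        elif in_payload:
            m = re.match(r"\s*([\w-]+)\s*:\s*(\S+)", line)
            if not m:
                continue
            key, value = m.groups()
            if key == "type":
                result["peer_id_type"] = ID_TYPES.get(int(value), f"type {value}")
            elif key == "address":  # assumption: IP identities print as 'address'
                result["peer_id"] = value
            elif key == "length":   # last field of the dump
                in_payload = want_peer_id = False
        elif "peer matches *none* of the profiles" in line or "profile did not match" in line:
            result["profile_matched"] = False
        elif "PROPOSAL_NOT_CHOSEN" in line or "phase 2 SA policy not acceptable" in line:
            result["phase2_rejected"] = True
    return result


def diagnose(parsed, configured_match):
    """Return (can_match, explanation) for 'match identity <configured_match>'."""
    id_type = parsed["peer_id_type"]
    forms = MATCHABLE_BY.get(id_type, set())
    if configured_match in forms:
        return True, f"'match identity {configured_match}' can select a {id_type} peer"
    return False, (f"peer identified itself as {id_type} {parsed['peer_id']}; "
                   f"'match identity {configured_match}' never matches that "
                   f"(only {', '.join(sorted(forms)) or 'no keyword'} would), "
                   "so the profile and the dynamic map bound to it are skipped")
```

Run `diagnose(parse_debug(SAMPLE_DEBUG), "host domain")` against a capture from a failing hub to confirm it is this mismatch before changing the profile; the same call with "address" reports the form that would match.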



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:18 ART