Hi Sameer,
I believe this is due to the authentication/authorization you have placed
for the Remote Access VPN. One way to solve this is to add no-xauth to the
crypto isakmp key for the LAN-to-LAN tunnel.
HTH,
On Fri, Oct 1, 2010 at 3:55 PM, sameer inam <i_sameer_at_hotmail.com> wrote:
> Hello Experts,
>
> I'm facing an issue with an IPsec tunnel. I already have one established
> IPsec VPN tunnel from my hub office to the UK, and now I'm trying to
> configure the router as a VPN hub using the Cisco agent, but for some
> reason my UK tunnel started dropping. Please see the configuration below
> and please advise.
>
> aaa new-model
> !
> !
> aaa authentication login userauthan local
> aaa authorization network groupauthor local
> !
> aaa session-id common
> !
> !
> ip cef
> !
> !
> !
> !
> !
> !
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
>
> crypto isakmp key xxxxxx address 194.xx.xx.xx
> crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
> crypto isakmp invalid-spi-recovery
> !
> crypto isakmp client configuration group vpnclient
> key xxxxx
> pool ippool
> acl 108
> !
> !
> crypto ipsec transform-set VD esp-3des esp-sha-hmac
> crypto ipsec transform-set London esp-3des esp-md5-hmac
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> !
>
> !
> !
> crypto dynamic-map dynmap 20
> set transform-set myset
> !
> !
> crypto map VPN client authentication list userauthan
> crypto map VPN isakmp authorization list groupauthor
> crypto map VPN client configuration address respond
> crypto map VPN 10 ipsec-isakmp
> set peer 194.xx.xx.xx
> set transform-set London
> match address acl-vpn
> crypto map VPN 20 ipsec-isakmp dynamic dynmap
> !
> !
> !
>
> !
> interface FastEthernet0/0
> ip address 178.xx.xx.xx 255.255.255.xx
> ip virtual-reassembly
> duplex auto
> speed auto
> crypto map VPN
> !
> interface FastEthernet0/1
> ip address 10.0.xx.xx 255.255.255.0
> ip virtual-reassembly
> duplex auto
> speed auto
> !
> ip local pool ippool 10.0.xx.xx 10.0.xx.xx
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 178.135.63.137
>
> !
> ip http server
> no ip http secure-server
> !
> ip access-list extended acl-vpn
> permit ip 10.0.x.0 0.0.0.255 192.x.x.0 0.0.0.255
> !
> access-list 108 permit ip 10.0.x.0 0.0.0.255 10.0.x.0 0.0.0.255
> !
-- KJ
Received on Fri Oct 01 2010 - 23:31:39 ART
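Added example, not part of the original thread: a small Python check for the condition the reply describes, a static LAN-to-LAN peer sitting on a crypto map that has `client authentication list` (Xauth) enabled while its pre-shared key lacks `no-xauth`. The function name and the sample config (documentation-range address, dummy keys) are constructed here; it assumes normally indented `show running-config` output and only handles host keys and the `0.0.0.0` wildcard key.

```python
# Added example; the sample config is constructed (documentation-range IP, dummy keys).
SAMPLE_CONFIG = """\
crypto isakmp key DUMMYKEY1 address 192.0.2.10
crypto isakmp key DUMMYKEY2 address 0.0.0.0 0.0.0.0
crypto map VPN client authentication list userauthan
crypto map VPN isakmp authorization list groupauthor
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set London
 match address acl-vpn
crypto map VPN 20 ipsec-isakmp dynamic dynmap
"""


def xauth_exposed_peers(config):
    """Return static peers on Xauth-enabled crypto maps whose key lacks no-xauth."""
    keys = {}           # key address -> True if the key line ends in no-xauth
    xauth_maps = set()  # crypto maps carrying 'client authentication list'
    map_peers = {}      # crypto map name -> peers from static 'set peer' lines
    current = None      # static crypto map entry being parsed, if any
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok[:-1]:
            keys[tok[tok.index("address") + 1]] = tok[-1] == "no-xauth"
            current = None
        elif tok[:2] == ["crypto", "map"] and len(tok) > 3:
            name = tok[2]
            current = None
            if tok[3:6] == ["client", "authentication", "list"]:
                xauth_maps.add(name)
            elif "ipsec-isakmp" in tok and "dynamic" not in tok:
                current = name  # static entry: its 'set peer' lines follow
        elif raw[:1].isspace() and current:
            if tok[:2] == ["set", "peer"] and len(tok) > 2:
                map_peers.setdefault(current, []).append(tok[2])
        else:
            current = None
    exposed = []
    for name in sorted(xauth_maps):
        for peer in map_peers.get(name, []):
            # Assumption: a host key wins over the 0.0.0.0 wildcard key.
            if not keys.get(peer, keys.get("0.0.0.0", False)):
                exposed.append(peer)
    return exposed


if __name__ == "__main__":
    print(xauth_exposed_peers(SAMPLE_CONFIG))
```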