Yes, makes sense.
What about enabling ISAKMP DPD?
Use 'crypto isakmp keepalive ...'; the client must then reinitialize the
connection when its IP address changes.
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough - Albert Einstein

2012/1/3 amin <amin_at_axizo.com>

> Something has been changed after I removed and then reconfigured everything.
> The remote router is behind a 3G router that does NAT for the remote site.
>
> The VPN is established for a while, then disconnected for another while. I
> feel the 3G router changes its real IP, but the remote router doesn't know
> about this change, so it keeps believing in the same SPI, and the server can't
> work with the same SPI if the IP changed for the remote; see the output below
> from the server side. I.e. what command do I need to avoid the rapid change in
> the remote site's IP address, especially since the remote doesn't know that the
> IP has changed because it is behind a NATing device!!
>
> *Jan 3 19:12:19.439: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=217.66.227.245, prot=50, spi=0x471383AB(1192461227), srcaddr=188.64.204.78
> *Jan 3 19:12:19.439: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
> *Jan 3 19:12:28.135: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
> *Jan 3 19:12:37.827: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
> *Jan 3 19:12:57.475: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
>
> From: Piotr Matusiak [mailto:pitt2k_at_gmail.com]
> Sent: Tuesday, January 03, 2012 10:59 PM
> To: amin
> Cc: Sadiq Yakasai; ccielab_at_groupstudy.com
> Subject: Re: proxy identities not supported
>
> > Paste output of 'deb cry isa' on both sides during connection.
> >
> > Regards,
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, Security), CCSI #33705
> > Technical Instructor
> > website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> > blog: www.ccie1.com
> >
> > If you can't explain it simply, you don't understand it well enough -
> > Albert Einstein
> >
> > 2012/1/3 amin <amin_at_axizo.com>
> >
> > > server side
> > >
> > > version 12.4
> > > service timestamps debug datetime msec
> > > service timestamps log datetime msec
> > > no service password-encryption
> > > !
> > > hostname test
> > > !
> > > boot-start-marker
> > > boot-end-marker
> > > !
> > > logging message-counter syslog
> > > !
> > > aaa new-model
> > > !
> > > !
> > > aaa authentication login default local
> > > aaa authentication login sdm_vpn_xauth_ml_1 local
> > > aaa authorization exec default local
> > > aaa authorization network sdm_vpn_group_ml_1 local
> > > aaa authorization network sdm_vpn_group_ml_2 local
> > > !
> > > !
> > > aaa session-id common
> > > !
> > > !
> > > dot11 syslog
> > > ip source-route
> > > !
> > > !
> > > ip dhcp excluded-address 192.168.0.1 192.168.0.80
> > > !
> > > ip dhcp pool POOL
> > >  network 192.168.0.0 255.255.255.128
> > >  dns-server 192.168.0.20 8.8.8.8
> > >  default-router 192.168.0.1
> > > !
> > > !
> > > ip cef
> > > !
> > > multilink bundle-name authenticated
> > > !
> > > !
> > > !
> > > username test privilege 15 password test
> > > username test privilege 15 user-maxlinks 255 test
> > > !
> > > !
> > > crypto isakmp policy 1
> > >  encr 3des
> > >  authentication pre-share
> > >  group 2
> > > crypto isakmp key test address 0.0.0.0 0.0.0.0
> > > !
> > > crypto isakmp client configuration group test
> > >  key test
> > >  pool SDM_POOL_1
> > >  acl 101
> > >  save-password
> > >  max-users 5000
> > > crypto isakmp profile sdm-ike-profile-1
> > >  match identity group test
> > >  client authentication list sdm_vpn_xauth_ml_1
> > >  isakmp authorization list sdm_vpn_group_ml_2
> > >  client configuration address respond
> > >  virtual-template 1
> > > !
> > > !
> > > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> > >  mode transport
> > > crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
> > > !
> > > crypto ipsec profile SDM_Profile1
> > >  set transform-set ESP-3DES-SHA
> > > !
> > > crypto ipsec profile SDM_Profile2
> > >  set transform-set ESP-3DES-SHA1
> > >  set isakmp-profile sdm-ike-profile-1
> > > !
> > > !
> > > archive
> > >  log config
> > >   hidekeys
> > > !
> > > !
> > > !
> > > !
> > > !
> > > interface Tunnel1
> > >  bandwidth 1000
> > >  ip address 172.31.0.1 255.255.255.0
> > >  no ip redirects
> > >  ip mtu 1400
> > >  no ip next-hop-self eigrp 1
> > >  ip nat inside
> > >  ip nhrp authentication DMVPN_NW
> > >  ip nhrp map multicast dynamic
> > >  ip nhrp network-id 100000
> > >  ip nhrp holdtime 360
> > >  ip virtual-reassembly
> > >  ip tcp adjust-mss 1360
> > >  no ip split-horizon eigrp 1
> > >  delay 1000
> > >  keepalive 3 3
> > >  tunnel source FastEthernet0/0
> > >  tunnel mode gre multipoint
> > >  tunnel key 100000
> > >  tunnel protection ipsec profile SDM_Profile1
> > > !
> > > interface FastEthernet0/0
> > >  ip address 192.168.0.201 255.255.255.128
> > >  ip nat inside
> > >  ip virtual-reassembly
> > >  duplex auto
> > >  speed auto
> > > !
> > > interface FastEthernet0/1
> > >  ip address 10.0.0.138 255.255.255.0 secondary
> > >  ip address 192.168.0.1 255.255.255.128
> > >  ip nat inside
> > >  ip virtual-reassembly
> > >  duplex auto
> > >  speed auto
> > > !
> > > interface ATM0/0/0
> > >  no ip address
> > >  no atm ilmi-keepalive
> > >  pvc 8/35
> > >   pppoe-client dial-pool-number 1
> > > !
> > > !
> > > interface Virtual-Template1 type tunnel
> > >  ip unnumbered Dialer1
> > >  tunnel mode ipsec ipv4
> > >  tunnel protection ipsec profile SDM_Profile2
> > > !
> > > interface Dialer1
> > >  bandwidth 1000
> > >  ip address negotiated
> > >  ip mtu 1452
> > >  ip nat outside
> > >  ip virtual-reassembly
> > >  encapsulation ppp
> > >  dialer pool 1
> > >  ppp authentication pap callin
> > >  ppp pap sent-username 022955051_at_hadara password 0 022955051
> > > !
> > > router eigrp 1
> > >  redistribute static metric 1 1 1 1 1
> > >  network 172.31.0.0 0.0.0.255
> > >  network 192.168.0.0 0.0.0.127
> > >  no auto-summary
> > > !
> > > ip local pool SDM_POOL_1 10.1.2.1 10.1.2.100
> > > ip forward-protocol nd
> > > ip route 0.0.0.0 0.0.0.0 Dialer1 2
> > > ip route 192.168.1.128 255.255.255.128 192.168.0.200
> > > ip route 192.168.2.128 255.255.255.128 192.168.0.200
> > > ip route 192.168.3.128 255.255.255.128 192.168.0.200
> > > ip route 192.168.4.128 255.255.255.128 192.168.0.200
> > > ip route 192.168.5.128 255.255.255.128 192.168.0.200
> > > ip route 192.168.6.128 255.255.255.128 192.168.0.200
> > > ip route 192.168.7.128 255.255.255.128 192.168.0.200
> > > ip route 192.168.8.128 255.255.255.128 192.168.0.200
> > > ip http server
> > > ip http authentication local
> > > no ip http secure-server
> > > !
> > > !
> > > ip nat inside source list 100 interface Dialer1 overload
> > > !
> > > access-list 100 permit ip 192.168.0.0 0.0.255.255 any
> > > access-list 100 permit ip 10.0.0.0 0.0.255.255 any
> > > access-list 101 remark SDM_ACL Category=4
> > > access-list 101 permit ip 192.168.0.0 0.0.255.255 any
> > > access-list 101 permit ip 10.0.0.0 0.255.255.255 any
> > > !
> > > !
> > > !
> > > !
> > > !
> > > control-plane
> > > !
> > > !
> > > line con 0
> > > line aux 0
> > > line vty 0 4
> > > !
> > > scheduler allocate 20000 1000
> > > end
> > >
> > >
> > > Client side
> > >
> > > service config
> > > service timestamps debug datetime msec
> > > service timestamps log datetime msec
> > > no service password-encryption
> > > !
> > > hostname Aanata
> > > !
> > > boot-start-marker
> > > boot-end-marker
> > > !
> > > !
> > > no logging buffered
> > > no logging console
> > > enable secret test
> > > !
> > > no aaa new-model
> > > !
> > > dot11 syslog
> > > ip source-route
> > > !
> > > !
> > > !
> > > !
> > > !
> > > ip cef
> > > !
> > > multilink bundle-name authenticated
> > > !
> > > crypto pki token default removal timeout 0
> > > !
> > > !
> > > !
> > > !
> > > license udi pid CISCO1841 sn FCZ113438W2
> > > username test privilege 15 password test
> > > !
> > > redundancy
> > > !
> > > !
> > > !
> > > !
> > > !
> > > !
> > > !
> > > !
> > > crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
> > >  connect auto
> > >  group test key test
> > >  mode network-extension
> > >  peer 217.66.227.245
> > >  username test password test
> > >  xauth userid mode local
> > > !
> > > !
> > > !
> > > !
> > > !
> > > !
> > > interface FastEthernet0/0
> > >  ip address 172.17.50.50 255.255.0.0
> > >  ip nat outside
> > >  ip virtual-reassembly in
> > >  duplex auto
> > >  speed auto
> > >  crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
> > > !
> > > interface FastEthernet0/1
> > >  ip address 172.16.2.1 255.255.255.0
> > >  ip nat inside
> > >  ip virtual-reassembly in
> > >  duplex auto
> > >  speed auto
> > >  crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
> > > !
> > > interface Virtual-Template1 type tunnel
> > >  no ip address
> > >  tunnel mode ipsec ipv4
> > > !
> > > ip forward-protocol nd
> > > ip http server
> > > ip http authentication local
> > > no ip http secure-server
> > > !
> > > !
> > > ip nat inside source list 1 interface FastEthernet0/0 overload
> > > ip route 0.0.0.0 0.0.0.0 172.16.1.1
> > > ip route 0.0.0.0 0.0.0.0 172.17.0.1
> > > !
> > > access-list 1 permit 172.16.2.0 0.0.0.255
> > > !
> > > !
> > > !
> > > !
> > > !
> > > control-plane
> > > !
> > > !
> > > !
> > > line con 0
> > > line aux 0
> > > line vty 0 4
> > >  no login
> > >  transport input all
> > > !
> > > scheduler allocate 20000 1000
> > > end
> > >
> > > From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
> > > Sent: Tuesday, January 03, 2012 12:46 PM
> > > To: amin
> > > Cc: ccielab_at_groupstudy.com
> > > Subject: Re: proxy identities not supported
> > >
> > > Hi Amin,
> > >
> > > Can you please debug the VPN connection attempt and attach?
> > >
> > > show running-config on both ends would also be informative.
> > >
> > > Thanks,
> > > Sadiq
> > >
> > > On Tue, Jan 3, 2012 at 10:34 AM, amin <amin_at_axizo.com> wrote:
> > >
> > > > Hi experts,
> > > >
> > > > I am configuring easy VPN between two Cisco routers. On the server I always
> > > > get this error message "proxy identities not supported". The Cisco website
> > > > says that the two access lists need to mirror each other on each side, but
> > > > in my case it is easy VPN, which means no access-list configuration on the
> > > > client side.
> > > >
> > > > Any hints about this issue?
> > > >
> > > > Regards,
> > > > Amin
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > > --
> > > CCIEx2 (R&S|Sec) #19963

Received on Tue Jan 03 2012 - 22:25:07 ART
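The symptom pasted above (ESP still arriving for an SPI the server has already dropped, with no IKE SA left to send a DELETE to) is exactly what DPD is meant to clear, and it is easy to spot in syslog before users complain. The script below is an added example, not code from the thread or from Cisco: it parses the two IOS message formats quoted in the thread and flags each (peer, SPI) pair that keeps hitting the server with no ISAKMP SA. The sample log is constructed from the lines in the thread; the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the two IOS message types quoted in the thread (same format as
# pasted there; the leading '*' is IOS's unsynchronised-clock marker on the timestamp).
SAMPLE_LOG = """\
*Jan 3 19:12:19.439: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=217.66.227.245, prot=50, spi=0x471383AB(1192461227), srcaddr=188.64.204.78
*Jan 3 19:12:19.439: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
*Jan 3 19:12:28.135: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
*Jan 3 19:12:37.827: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
*Jan 3 19:12:57.475: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 217.66.227.245 dst 188.64.204.78 for SPI 0x471383AB
"""

TS = r"\*?(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+): "
# ESP arrived for an SPI the server does not know: the peer is the sender (srcaddr).
INV_SPI_RE = re.compile(TS + r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?spi=(?P<spi>0x[0-9A-Fa-f]+)"
                        r"\(\d+\), srcaddr=(?P<peer>[\d.]+)")
# Server wanted to send a DELETE notify for that SPI but has no IKE SA to the peer (dst).
NO_SA_RE = re.compile(TS + r"ISAKMP: ignoring request to send delete notify \(no ISAKMP sa\) "
                      r"src [\d.]+ dst (?P<peer>[\d.]+) for SPI (?P<spi>0x[0-9A-Fa-f]+)")

def parse_events(log_text):
    """Yield (timestamp, peer, spi, kind) for the two message types; other lines are skipped."""
    for line in log_text.splitlines():
        for kind, rx in (("inv_spi", INV_SPI_RE), ("no_isakmp_sa", NO_SA_RE)):
            m = rx.match(line)
            if m:
                # IOS omits the year; strptime's default year is fine for computing deltas.
                ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
                yield ts, m["peer"], m["spi"].lower(), kind
                break

def stale_spi_peers(log_text, min_events=2):
    """Report (peer, SPI) pairs that keep sending ESP on an SPI the server has no IKE SA for:
    the signature of a NAT'd remote whose address changed without DPD noticing."""
    buckets = defaultdict(list)
    for ts, peer, spi, kind in parse_events(log_text):
        buckets[(peer, spi)].append((ts, kind))
    report = []
    for (peer, spi), evs in sorted(buckets.items()):
        if len(evs) < min_events:
            continue
        evs.sort()
        report.append({
            "peer": peer, "spi": spi, "events": len(evs),
            "invalid_spi_packets": sum(k == "inv_spi" for _, k in evs),
            "suppressed_delete_notifies": sum(k == "no_isakmp_sa" for _, k in evs),
            "window_seconds": round((evs[-1][0] - evs[0][0]).total_seconds(), 3),
        })
    return report
```

Feed it `show logging` output from the EasyVPN server; a peer that stays in the report for more than one DPD interval after 'crypto isakmp keepalive' is configured means the remote is still not re-initialising.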