[c-nsp] IPSec VPN config failure
piestaga
piestaga at aster.pl
Mon Sep 4 17:43:56 EDT 2006
Hi,
I would like to ask you to look at the schema linked below:
http://zarenks.n1.pl/nsp/ipsec_problem.jpg
and read the description of the problem I am experiencing.
I had tested a similar config in a lab environment, and no problems occurred
there. For some reason, after implementing that solution in a commercial
environment, strange behaviour occurred.
The correct connection shall work in the following scenario.
1. A VPN user using the Cisco VPN client requests the connection to its
VPN network.
Coming from the Internet network, the session goes through
Router A, VLAN 5 and is terminated within the customer VRF (which is a
part of the customer VPN network). Then the call (already as a VPN session)
goes through VLAN 10 to the customer MPLS-based VPN.
Error description:
By mistake, an incorrect address was entered as the security gateway IP
address (the Loopback100 address was entered instead of the subinterface
where the crypto map is applied).
In a regular config the first phase of the connection (ISAKMP group
authentication) should not be authenticated. To my surprise,
I saw the user prompt.
It turned out that the connection went from the Internet directly to VLAN 10
and to Loopback100.
I shut down the subinterface of VLAN 5 on the Router A side - it did not
help anyway.
Finally it helped when I removed the crypto from the subinterface of VLAN 5 on
the Router B side.
When I applied the map again, the incorrect behaviour occurred again.
It looks like the ISAKMP is authenticated despite the fact that traffic
is not going through the crypto map.
Is there any reasonable explanation for such a case?
(Cisco 7206VXR/ NPE-G1/ 1GB RAM @ 12.3.(14)T7 )
I will appreciate any help
thanks
Zarenks