[c-nsp] VRF-Aware IPSEC multiple Dynamic Peers
ar
ar_djp at yahoo.com
Sat Feb 18 08:20:32 EST 2012
I am simulating a vrf-aware IPSEC VPN Concentrator with multiple dynamic peers on GNS.
I have two client profiles on the 7200 concentrator.
I can have both clients working.
But I noticed that when restarting all the sessions,
one of the clients stops working.
I'm getting an error of:
*Feb 18 20:58:27.811: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.1.2 failed its sanity check or is malformed
which means the pre-shared keys do not match. But I am very sure they are accurate and match.
I have to re-create the whole profile so it will work again (keyring, dynamic profile, dynamic-map).
I am not sure if this is just a GNS problem or config itself.
Below is my config for the 7200 VPN concentrator.
I hope someone can share their ideas.
Thanks.
Client 1 is ABC
Client 2 is XYZ
ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf B
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
!
!
crypto keyring VRF-B
 pre-shared-key address 0.0.0.0 0.0.0.0 key XYZ
crypto keyring VRF-A
 pre-shared-key address 0.0.0.0 0.0.0.0 key ABC
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile XYZ
 vrf B
 keyring VRF-B
 match identity address 0.0.0.0
crypto isakmp profile ABC
 vrf A
 keyring VRF-A
 match identity address 0.0.0.0
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto dynamic-map ABC 10
 set transform-set vpn
 set isakmp-profile ABC
 match address ABC-remote
!
crypto dynamic-map XYZ 10
 set transform-set vpn
 set isakmp-profile XYZ
 match address XYZ-remote
!
!
crypto map VPN 11 ipsec-isakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC
ip access-list extended ABC-remote
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
ip access-list extended XYZ-remote
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
ip route vrf A 10.0.0.0 255.0.0.0 172.16.1.2 global
ip route vrf B 10.2.0.0 255.255.0.0 172.16.1.3 global
interface FastEthernet1/0
 description WAN-to-Internet
 ip address 172.16.1.1 255.255.255.0
 duplex full
 speed 100
 crypto map VPN
interface Loopback10
 ip vrf forwarding A
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback20
 ip vrf forwarding B
 ip address 10.1.1.1 255.255.255.0
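A configuration lint for the overlap visible in the posted config, added here as an example (not code from the thread or from Cisco): both keyrings answer `0.0.0.0 0.0.0.0` with different keys and both ISAKMP profiles use `match identity address 0.0.0.0`, so only one of them can be applied to a given incoming peer, and the other peer's Phase 1 fails with a key-mismatch style error even though its own key is correct. `SAMPLE_CONFIG` is a constructed excerpt of the post's concentrator config, and `parse_crypto` / `ambiguous_matches` are the example's own helpers, not IOS commands.

```python
import re
from collections import defaultdict
# Constructed excerpt of the post's concentrator config (IOS indents sub-commands by one space).
SAMPLE_CONFIG = """\
crypto keyring VRF-B
 pre-shared-key address 0.0.0.0 0.0.0.0 key XYZ
crypto keyring VRF-A
 pre-shared-key address 0.0.0.0 0.0.0.0 key ABC
crypto isakmp profile XYZ
 keyring VRF-B
 match identity address 0.0.0.0
crypto isakmp profile ABC
 keyring VRF-A
 match identity address 0.0.0.0
"""

def parse_crypto(config):
    """keyrings: name -> [(address, mask, key)]; profiles: name -> {"keyring", "matches"}."""
    keyrings, profiles, kind, name = defaultdict(list), {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto keyring (\S+)", line):
            kind, name = "keyring", m[1]
        elif m := re.match(r"crypto isakmp profile (\S+)", line):
            kind, name = "profile", m[1]
            profiles[name] = {"keyring": None, "matches": []}
        elif kind == "keyring" and (m := re.match(r"pre-shared-key address (\S+)(?: (\S+))? key (\S+)", line)):
            keyrings[name].append((m[1], m[2] or "255.255.255.255", m[3]))  # no mask = host entry
        elif kind == "profile" and (m := re.match(r"keyring (\S+)", line)):
            profiles[name]["keyring"] = m[1]
        elif kind == "profile" and (m := re.match(r"match identity address (.+)", line)):
            profiles[name]["matches"].append(m[1].strip())
        elif line and not raw.startswith(" "):  # any other top-level command ends the block
            kind = None
    return keyrings, profiles

def ambiguous_matches(keyrings, profiles):
    """Profiles sharing a 'match identity address' whose keyrings hold different keys for one entry."""
    by_match = defaultdict(list)
    for pname, p in profiles.items():
        for ident in p["matches"]:
            by_match[ident].append(pname)
    findings = []
    for ident, names in ((i, n) for i, n in by_match.items() if len(n) > 1):
        keys = defaultdict(set)  # (address, mask) -> keys seen across the clashing keyrings
        for pname in names:
            for addr, mask, key in keyrings.get(profiles[pname]["keyring"], []):
                keys[(addr, mask)].add(key)
        findings += [(ident, tuple(names), f"{a} {m}") for (a, m), k in keys.items() if len(k) > 1]
    return findings
```

Each finding names the identity match, the profiles that collide on it, and the keyring entry they disagree about; narrowing one profile's `match identity address` (or its keyring entry) to the peer's real address makes the finding disappear.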