[c-nsp] VRF-Aware IPSEC multiple Dynamic Peers

Matthew Melbourne matt at melbourne.org.uk
Sat Feb 18 13:25:59 EST 2012


I think the issue here may be the match clauses in the ISAKMP profiles. When
using ISAKMP profiles the match criteria must be unique across all profiles,
so that the incoming IKE session can be uniquely identified, which may
explain the behaviour you're observing. I encountered something similar with
one endpoint being unable to build L2L VPNs (using classic crypto) into
multiple different VRFs (without using additional IKE identity criteria such
as FQDN or an OU in a certificate-based environment); the ISAKMP profile
effectively binds the crypto session to a VRF.

A possible solution could be to use EzVPN Server/Client and match on Group
name in the ISAKMP Profile; this is what I do for RA VPN.

Cheers,
Matt
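As an added illustration of the point above (not code from the thread), a small Python check that parses the `crypto isakmp profile` blocks of an IOS-style config and reports any match clause shared by more than one profile, which is exactly the condition under which IKE cannot pick a unique profile, and so a unique VRF and keyring, for an incoming peer. The embedded sample config is constructed, modelled on the 7200 configuration quoted below; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the 7200 config quoted in this thread: two ISAKMP
# profiles bound to different VRFs but sharing the same 'match identity' clause.
SAMPLE_CONFIG = """\
crypto keyring VRF-B
  pre-shared-key address 0.0.0.0 0.0.0.0 key XYZ
crypto isakmp profile XYZ
   vrf B
   keyring VRF-B
   match identity address 0.0.0.0
crypto isakmp profile ABC
   vrf A
   keyring VRF-A
   match identity address 0.0.0.0
"""

def parse_isakmp_profiles(config):
    """Collect vrf, keyring and match clauses of every 'crypto isakmp profile' block."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():  # top-level command: opens a block or ends the current one
            m = re.match(r"crypto isakmp profile (\S+)$", line)
            current = m.group(1) if m else None
            if current:
                profiles[current] = {"vrf": None, "keyring": None, "matches": []}
            continue
        if current is None:  # indented line of some other block (e.g. a keyring)
            continue
        tokens = line.split()
        if tokens[0] == "vrf":
            profiles[current]["vrf"] = tokens[1]
        elif tokens[0] == "keyring":
            profiles[current]["keyring"] = tokens[1]
        elif tokens[0] == "match":
            profiles[current]["matches"].append(" ".join(tokens[1:]))
    return profiles

def find_ambiguous_matches(profiles):
    """Match clauses shared by several profiles: IKE cannot map such a peer to one VRF/keyring."""
    users = defaultdict(list)
    for name, prof in profiles.items():
        for clause in prof["matches"]:
            users[clause].append(name)
    return {c: sorted(n) for c, n in users.items() if len(n) > 1}
```

Running `find_ambiguous_matches(parse_isakmp_profiles(SAMPLE_CONFIG))` on the sample flags `identity address 0.0.0.0` as used by both ABC and XYZ; giving each profile a distinct identity (a group name, as suggested above) empties the result.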

-----Original Message-----
Message: 7
Date: Sat, 18 Feb 2012 21:20:32 +0800 (SGT)
From: ar <ar_djp at yahoo.com>
To: cisco-nsp <cisco-nsp at puck.nether.net>
Subject: [c-nsp] VRF-Aware IPSEC multiple Dynamic Peers
Message-ID:
	<1329571232.10723.YahooMailNeo at web190402.mail.sg3.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

I am simulating a VRF-aware IPSEC VPN concentrator with multiple dynamic
peers on GNS.

I have two client profiles on the 7200 concentrator.
I can have both clients working.
But I noticed that when restarting all the sessions, one of the clients
stops working.
I'm getting an error of:
*Feb 18 20:58:27.811: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from
172.16.1.2 failed its sanity check or is malformed


which means the pre-shared keys do not match. But I am very sure they are accurate
and match.

I have to re-create the whole profile so it will work again (keyring,
dynamic profile, dynamic-map).
I am not sure if this is just a GNS problem or config itself.


Below is my config for the 7200 VPN concentrator.
I hope someone can share their ideas.
thanks

Client 1 is ABC
Client 2 is XYZ

ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf B
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
!
!
crypto keyring VRF-B
  pre-shared-key address 0.0.0.0 0.0.0.0 key XYZ
crypto keyring VRF-A
  pre-shared-key address 0.0.0.0 0.0.0.0 key ABC
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp profile XYZ
   vrf B
   keyring VRF-B
   match identity address 0.0.0.0

crypto isakmp profile ABC
   vrf A
   keyring VRF-A
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto dynamic-map ABC 10
 set transform-set vpn
 set isakmp-profile ABC
 match address ABC-remote
!
crypto dynamic-map XYZ 10
 set transform-set vpn
 set isakmp-profile XYZ
 match address XYZ-remote
!
!
crypto map VPN 11 ipsec-isakmp dynamic XYZ
crypto map VPN 12 ipsec-isakmp dynamic ABC

ip access-list extended ABC-remote
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

ip access-list extended XYZ-remote
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

ip route vrf A 10.0.0.0 255.0.0.0 172.16.1.2 global
ip route vrf B 10.2.0.0 255.255.0.0 172.16.1.3 global

interface FastEthernet1/0
 description WAN-to-Internet
 ip address 172.16.1.1 255.255.255.0
 duplex full
 speed 100
 crypto map VPN

interface Loopback10
 ip vrf forwarding A
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback20
 ip vrf forwarding B
 ip address 10.1.1.1 255.255.255.0

------------------------------

Message: 8
Date: Sat, 18 Feb 2012 11:25:42 -0500
From: Ann Kwok <annkwok80 at gmail.com>
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] cisco as LNS
Message-ID:
	<CACwqZxi4vYTnk9q8DQu5QEmT15L1SVwx1ZP5025mt0A8b0WMaw at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hello

Which cisco product can be LNS to support 2000 ppp users and around 850M
output?

Is it stable?

How much memory is recommended too?

Thank you


------------------------------

Message: 9
Date: Sat, 18 Feb 2012 16:49:10 +0000
From: Aled Morris <aledm at qix.co.uk>
To: Ann Kwok <annkwok80 at gmail.com>
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] cisco as LNS
Message-ID:
	<CAO1bj=aBdQOMQR+r6UK9YmgvW14m5x=UALLupWgFaa5Lae30Zg at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 18 February 2012 16:25, Ann Kwok <annkwok80 at gmail.com> wrote:

> Hello
>
> Which cisco product can be LNS to support 2000 ppp users and around 
> 850M output?
>
> Is it stable?
>
> How much memory is recommended too?
>
>
ASR1001 is the recommended platform now.  I've not used one for LNS but ours
have been stable in other roles.

Aled


------------------------------

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp

End of cisco-nsp Digest, Vol 111, Issue 43
******************************************