either VPN Client or remote dynamic ipsec peer works, not both

I can set up either a remote VPN Client 4.6 or a remote dynamic-ip router to connect to my router (2811 12.3(8)T6) with ipsec, but not both.

For the case of remote VPN Client, I specify the preshared key and remote group with "crypto isakmp client configuration group vpnclient" and "key myclientkey".

For the case of a remote dynamic-ip router, I specify the preshared key thru "crypto isakmp key mypeerkey 0.0.0.0 0.0.0.0 no-xauth".

My problem is that "crypto isakmp key mypeerkey" overrides the key of the VPN client: I have to set the VPN client to use the key "mypeerkey". This is not very bad, but then in this case I have to get rid of "no-xauth" because VPN Client wants xauth (am I wrong?). But without "no-xauth" my remote dynamic router fails to connect.

My question is: how do I specify the key for the remote dynamic router separately from the key for the VPN Client?

If the above is not possible (I have to use the same key), then how do I specify in which case "no-xauth" will apply?

Or am I doing something basically wrong? Then which is the correct way?

Thanks,

DT

Reply to
dt1649651

In article , snipped-for-privacy@yahoo.com wrote:
:I can set up either a remote VPN Client 4.6 or a remote dynamic-ip
:router to connect to my router ( 2811 12.3(8)T6) with ipsec, but not
:both.

:For the case of remote VPN Client, I specify the preshared key and
:remote group with "crypto isakmp client configuration group vpnclient"
:and "key myclientkey".

:For the case of a remote dynamic-ip router, I specify the preshared key
:thru "crypto isakmp key mypeerkey 0.0.0.0 0.0.0.0 no-xauth".

:My problem is "crypto isakmp key mypeerkey" overrides the key of the
:VPN client :

I haven't looked at the relevant material in IOS. In Cisco's PIX, the vpngroup key is supposed to override the "isakmp key" when the PIX figures out that the remote device is a VPN client or an Easy VPN Remote device (which would match against the vpngroup name 'default'.)

formatting link

IOS has some differences in the treatment of clients, but I suspect that it should be similar in this regard.

Reply to
Walter Roberson


Under "crypto isakmp client configuration group vpnclient" there is subcommand "key" that specifies the preshared key for this group. Without the "crypto isakmp key", the key under this group works just fine, but whenever I have the command "crypto isakmp key" then the client fails to connect.

That's why I think the subcommand "key" of the client configuration group is overridden by "crypto isakmp key".

DT

Reply to
dt1649651


I found it :-) Instead of using the "crypto isakmp key", which I believe overrides or has more priority than the group's key, I use 2 profiles: one for the VPN client and one for the dynamic router. The profile for the dynamic peer is:

crypto isakmp profile spoke1tohubvpnprofile
 keyring spoke1
 match identity address 0.0.0.0

and the one for the VPN client refers to the vpn client group by:

crypto isakmp profile clientvpnprofile
 match identity group vpnclient

then I use a dynamic-map to refer to these two profiles, smth like using C pointers :-)

DT

Reply to
dt1649651
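
The two-profile arrangement described in the post above, written out as a fuller hub configuration. This is an added example, not the poster's actual config: the names spoke1, spoke1tohubvpnprofile, clientvpnprofile, vpnclient and the two keys come from the thread, while userauthen, groupauthor, vpnpool, myset, dynmap, mymap, the ISAKMP policy and the pool range are assumptions.

```cisco
! Added example; every name not quoted in the thread is an assumption.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! The key for the dynamic-IP router is held in a keyring that the router
! profile references, instead of a global "crypto isakmp key ... no-xauth".
crypto keyring spoke1
 pre-shared-key address 0.0.0.0 0.0.0.0 key mypeerkey
!
! Group key for the software VPN clients.
crypto isakmp client configuration group vpnclient
 key myclientkey
 pool vpnpool
!
! Router peers: matched by address; no xauth is configured in this profile.
crypto isakmp profile spoke1tohubvpnprofile
 keyring spoke1
 match identity address 0.0.0.0
!
! VPN clients: matched by group name; xauth and mode config are enabled here only.
crypto isakmp profile clientvpnprofile
 match identity group vpnclient
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
! One dynamic-map entry per profile.
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile clientvpnprofile
 reverse-route
crypto dynamic-map dynmap 20
 set transform-set myset
 set isakmp-profile spoke1tohubvpnprofile
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
ip local pool vpnpool 192.0.2.10 192.0.2.50
```

The crypto map is then applied to the outside interface with "crypto map mymap"; "show crypto isakmp sa detail" on the hub shows whether a given session used xauth.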


Just found this nice article about what I was looking for. Just in case somebody gets into my same problem :

formatting link
DT

Reply to
dt1649651
