Hello! I'm trying to configure an IPsec star network with a couple of Linux boxes connecting to a central IOS router using dynamic-map. The Linux boxes all get their public IP addresses from DHCP, so the IOS router must use only dynamic peering for this IPsec network.
The IOS router I'm testing with is an old 2621 running c2600-ik9o3s3-mz.123-23. The Linux boxes run Busybox v1.0.5, with IPSec-tools 0.7.

I have this configuration in the router:

crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp profile L2L
 keyring spokes
 match identity address 0.0.0.0
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
 set pfs group5
 set isakmp-profile L2L
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/1
 crypto map mymap

Phase 1 seems OK, but then I get this in the Cisco debug:

IPSEC(initialize_sas): invalid proxy IDs

I have tried changing several IPsec parameters (encr, hash, group, transform-set, pfs, lifetime) both in Cisco and Linux, but I always end up with the "invalid proxy IDs" error. The information I find about this error is that it could be a mismatch between peering ACLs, but since the router uses dynamic peering I don't have a peering ACL in the router. I have tried both 10.1.1.0/24 and 10.1.1.1/24 as "Remote Network" in the Linux.

In my Google attempts I found some sample configurations between Cisco and Linux, but unfortunately none using dynamic-map.

Does anyone know what could be wrong, or how to better debug it?

Thanks!

--
Peter Olsson
p...@leissner.se

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
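The "invalid proxy IDs" message in the post is an IKEv1 Phase 2 (Quick Mode) selector problem: the spoke's (local, remote) traffic selectors must be the mirror image of the hub's (local, remote) selectors, and with a dynamic crypto map that carries no `match address` ACL the hub has nothing configured of its own, so the only thing to compare against is the spoke's proposal. The script below is an added example for checking a proposal offline before touching the routers; it is not code from the post, from Cisco IOS or from IPsec-tools, and it does not reproduce the router's internal check. The spoke subnet 192.168.5.0/24 is a constructed value; the hub side 10.1.1.0/24 and the two "Remote Network" spellings come from the post. The helper also shows why 10.1.1.1/24 is a suspicious selector: it has host bits set under the /24 mask, and different implementations may or may not normalise it to 10.1.1.0/24.

```python
"""Offline sanity check of IKEv1 Phase 2 proxy IDs (traffic selectors).

Added example (not part of the mailing-list post). Models the one rule every
IKEv1 implementation applies: the hub's local/remote selectors must be the
mirror image of the spoke's local/remote selectors.
"""
import ipaddress


def parse_selector(text):
    """Parse 'a.b.c.d', 'a.b.c.d/len' or 'a.b.c.d mask' into an IPv4 network.

    Returns (network, note). `note` is None for a clean prefix and a warning
    string when the prefix had host bits set (e.g. '10.1.1.1/24'), in which
    case the network is normalised and the caller is told about it.
    """
    text = text.strip()
    if " " in text:                      # IOS style: address followed by mask
        addr, mask = text.split()
        text = f"{addr}/{mask}"
    try:
        return ipaddress.ip_network(text, strict=True), None
    except ValueError:
        net = ipaddress.ip_network(text, strict=False)
        return net, f"{text} has host bits set; normalised to {net}"


def mirror_from_spoke(spoke_local, spoke_remote):
    """For a hub with a dynamic map and no ACL, the selectors it must end up
    with are simply the spoke's proposal mirrored (hub local = spoke remote)."""
    hub_local, _ = parse_selector(spoke_remote)
    hub_remote, _ = parse_selector(spoke_local)
    return str(hub_local), str(hub_remote)


def check_phase2(spoke_local, spoke_remote, hub_local, hub_remote):
    """Return a list of problems; an empty list means the selectors mirror."""
    problems = []
    parsed = {}
    for name, value in (("spoke local", spoke_local),
                        ("spoke remote", spoke_remote),
                        ("hub local", hub_local),
                        ("hub remote", hub_remote)):
        net, note = parse_selector(value)
        parsed[name] = net
        if note:
            problems.append(f"{name}: {note}")

    # The mirror rule: what the spoke calls "remote" is the hub's "local".
    if parsed["spoke remote"] != parsed["hub local"]:
        problems.append(
            f"spoke remote {parsed['spoke remote']} != hub local {parsed['hub local']}")
    if parsed["spoke local"] != parsed["hub remote"]:
        problems.append(
            f"spoke local {parsed['spoke local']} != hub remote {parsed['hub remote']}")
    return problems


if __name__ == "__main__":
    # Constructed spoke LAN; hub LAN from the post.
    spoke = ("192.168.5.0/24", "10.1.1.0/24")
    print("hub should negotiate local/remote:", mirror_from_spoke(*spoke))
    print("clean mirror:", check_phase2(*spoke, "10.1.1.0/24", "192.168.5.0/24"))
    print("host bits in remote:",
          check_phase2("192.168.5.0/24", "10.1.1.1/24", "10.1.1.0/24", "192.168.5.0/24"))
    print("prefix length mismatch:",
          check_phase2(*spoke, "10.1.0.0 255.255.0.0", "192.168.5.0/24"))
```

Run it with the spoke's actual local and remote networks from the racoon/setkey policy and the subnets the hub is expected to protect; any non-empty result is a selector mismatch worth fixing before looking at encryption, hash or PFS settings, which the debug output in the post already shows are not the problem.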