both Easy VPN Server and a Site-to-Site tunnel on the same interface?

 
 
ksun6868
01-21-2008
Greetings,

We have a Cisco 3845. We are using it to route to the internet (T3
Sprint) and I also configured EASY VPN Server.
Now we want to build a Site-to-site VPN to a client site.

I am trying to make both Easy VPN Server and Site-to-site
tunnel to work on the same serial interface. I can bring both VPNs up,
with some twist. I wonder if there is a better way to do this.
The issue is with the ipsec policy and crypto maps.

The Easy VPN defines crypto map as
    crypto map SDM_CMAP_1 client authentication list ab_login
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

And the Site-to-Site VPN needs crypto map as
    crypto map SDM_CMAP_2 2 ipsec-isakmp
     set transform-set SDM_TRANSFORMSET_1
     set peer <peer ip>
     match address SDM_1
Each interface only takes one crypto map command. So I can start
either VPN by switching to different ipsec policy/crypto map, but not
both at the same time.
However, I can start the Site-to-Site VPN first and then attach Easy
VPN Server's policy to it.
    crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    crypto map SDM_CMAP_2 client authentication list ab_login
    crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_2 client configuration address respond

Both will be functioning. But if the Site-to-Site tunnel for some
reason is down, I could not restart it as it is. It will complain that
the configuration is different from the peer's or something like it.
I would have to delete the crypto map, recreate the crypto map, start
the Site-to-Site, and then attach the EasyVPN stuff.

The questions are:
1. Is there a cleaner way of doing this (both Easy VPN Server and a
Site-to-Site tunnel on the same interface)?
2. So far I have to start the site-to-site tunnel by clicking "Test
Tunnel" on the SDM interface. Is there a better way to start the tunnel?
3. Can we use another interface rather than the one that faces the
internet?
4. We notice that the site-to-site tunnel is down every 24 hours,
probably due to a time out. Is there any way to set it up so there is
"no time out"?

Thanks!

Kang Sun
 
 
 
 
Andrew J Cosgriff
01-22-2008
ksun6868 wrote :

> Greetings,
>
> We have a Cisco 3845. We are using it to route to the internet (T3
> Sprint) and I also configured EASY VPN Server.
> Now we want to build a Site-to-site VPN to a client site.
>
> I am trying to make both Easy VPN Server and Site-to-site
> tunnel to work on the same serial interface. I can bring both VPNs up,
> with some twist. I wonder if there is a better way to do this.
> The issue is with the ipsec policy and crypto maps.
>
> The Easy VPN defines crypto map as
>     crypto map SDM_CMAP_1 client authentication list ab_login
>     crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
>     crypto map SDM_CMAP_1 client configuration address respond
>     crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
>
> And the Site-to-Site VPN needs crypto map as
>     crypto map SDM_CMAP_2 2 ipsec-isakmp
>      set transform-set SDM_TRANSFORMSET_1
>      set peer <peer ip>
>      match address SDM_1
>
> Each interface only takes one crypto map command. So I can start
> either VPN by switching to different ipsec policy/crypto map, but not
> both at the same time.


This may simply be a limitation of SDM - you might want to investigate
implementing it via the command line instead (I can assure you it works
fine there).

--
http://andrew.j.cosgriff.name/ | one step ahead of the hangman
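
An added check, not part of the thread and not code from any poster: when a site-to-site entry and the Easy VPN dynamic entry share one crypto map, the map-wide "client authentication list" applies Xauth to every IKE peer on that map unless the peer's pre-shared key carries the "no-xauth" keyword. This Python script flags that condition in a constructed config; it assumes pre-shared keys defined with the global "crypto isakmp key" command, and the peer address, key placeholder and interface name are made up.

```python
import re

# Constructed sample config. Map, list, ACL and transform-set names come from
# the thread; the peer address (documentation range), key placeholder and
# interface name are assumptions.
SAMPLE = """\
crypto isakmp key <key> address 192.0.2.10
crypto map SDM_CMAP_2 client authentication list ab_login
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 2 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set SDM_TRANSFORMSET_1
 match address SDM_1
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Serial0/0/0
 crypto map SDM_CMAP_2
"""

def audit(config):
    """List static peers that sit on an Xauth-enabled crypto map without no-xauth."""
    xauth_maps, noxauth_peers, static_peers = set(), set(), {}
    current = None  # crypto map whose static entry we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # any top-level command leaves the entry sub-mode
        if m := re.match(r"crypto isakmp key .+? address (\S+)(.*)", line):
            if "no-xauth" in m.group(2).split():
                noxauth_peers.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) client authentication list", line):
            xauth_maps.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            current = m.group(1)  # static entry; dynamic entries do not match
        elif current and (m := re.match(r"set peer (\S+)", line)):
            static_peers.setdefault(current, []).append(m.group(1))
    return [
        f"{name}: peer {peer} is on an Xauth map but its key lacks no-xauth"
        for name in sorted(xauth_maps)
        for peer in static_peers.get(name, [])
        if peer not in noxauth_peers
    ]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Appending no-xauth to the key line for the site-to-site peer clears the finding.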
 
 
 
 
 
Bod43@hotmail.co.uk
01-25-2008
On 22 Jan, 00:24, Andrew J Cosgriff <(E-Mail Removed)> wrote:
> ksun6868 wrote :
>
> > Greetings,
> >
> > We have a Cisco 3845. We are using it to route to the internet (T3
> > Sprint) and I also configured EASY VPN Server.
> > Now we want to build a Site-to-site VPN to a client site.
> >
> > I am trying to make both Easy VPN Server and Site-to-site
> > tunnel to work on the same serial interface. I can bring both VPNs up,
> > with some twist. I wonder if there is a better way to do this.
> > The issue is with the ipsec policy and crypto maps.
> >
> > The Easy VPN defines crypto map as
> >     crypto map SDM_CMAP_1 client authentication list ab_login
> >     crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
> >     crypto map SDM_CMAP_1 client configuration address respond
> >     crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
> >
> > And the Site-to-Site VPN needs crypto map as
> >     crypto map SDM_CMAP_2 2 ipsec-isakmp
> >      set transform-set SDM_TRANSFORMSET_1
> >      set peer <peer ip>
> >      match address SDM_1
> >
> > Each interface only takes one crypto map command. So I can start
> > either VPN by switching to different ipsec policy/crypto map, but not
> > both at the same time.
>
> This may simply be a limitation of SDM - you might want to investigate
> implementing it via the command line instead (I can assure you it works
> fine there).
>
> --
> http://andrew.j.cosgriff.name/ | one step ahead of the hangman


I think I posted a full working config in the thread:-
"Cisco 1760 router and VPN client Connection Issues Options"

 