site-to-site and easy vpn server on same interface

Discussion in 'Cisco' started by dt1649651@yahoo.com, Apr 22, 2008.

  1. Guest

    Is it possible to configure site-to-site and easy vpn server on the
    same interface ?

    I get stuck at this point: when I apply the ezvpn parameters "client
    authentication list list_name", "client configuration address respond"
    and "isakmp authorization list list_name" to the crypto map *set*,
    then that screws up the site-to-site ipsec because the site-to-site
    crypto map is under that same crypto map set.

    If I apply those mentioned parameters to the ezvpn *dynamic crypto
    map* then the site-to-site works but the ezvpn fails.

    Below is the config that I apply the ezvpn to the dynamic crypto map
    instead of the crypto map set:

    ! dynamic map for ezvpn
    crypto dynamic-map ezvpn_remote_dynmap 10
     set transform-set nov_ezvpn_transform_set
     reverse-route
    !
    ! the next three commands are applied to the dynamic map
    crypto map ezvpn_remote_dynmap client authentication list vpn
    crypto map ezvpn_remote_dynmap isakmp authorization list vpn
    crypto map ezvpn_remote_dynmap client configuration address respond
    !
    ! if I use the following three commands instead of the above three,
    ! then the ezvpn works but not the site-to-site
    ! crypto map vpn_map client authentication list vpn
    ! crypto map vpn_map isakmp authorization list vpn
    ! crypto map vpn_map client configuration address respond
    !
    crypto map vpn_map 10 ipsec-isakmp
     set peer x.y.z.t
     set transform-set aifi_nov_transform_set
     match address aifi_nov_crypto_acl
    crypto map vpn_map 100 ipsec-isakmp dynamic remote_dynmap
    crypto map vpn_map 110 ipsec-isakmp dynamic ezvpn_remote_dynmap
    !

    On the ASA5500 series, the authentication params are bound to the
    tunnel-group ipsec-attributes so I do not have any problem with having
    both ipsec site-to-site and ezvpn server. For the IOS, I do not know
    how to assign those params to that ezvpn crypto map only, not the
    whole map set.


    Thanks for your advice,

    DT
    , Apr 22, 2008
    #1

  2. Merv Guest

    Merv, Apr 22, 2008
    #2

  3. Guest

    I am lucky. After comparing the ASA config and the IOS config and
    looking at some IOS config, I found out that I can bind the specific
    dynamic crypto map (not the whole set) to a given isakmp profile. It
    works now.

    DT
    , Apr 22, 2008
    #3
  4. Guest

    On Apr 22, 9:08 am, Merv <> wrote:
    > take a look at
    >
    > DMVPN and Easy VPN Server with ISAKMP Profiles Configuration Example
    >
    > http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuratio...


    Merv, thanks a lot.
    Hmm, I spent three hours on the Cisco site and found only examples that
    bind those params into the crypto map set instead of using the isakmp
    profiles. Your URL shows me what I was looking for. That shows I need
    to improve my use of correct keywords when searching :)

    Thanks.

    Dt
    , Apr 22, 2008
    #4
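
The binding described in post #3, sketched as an added IOS configuration example (not the poster's actual config and not copied from the linked Cisco document). The profile, keyring, group and pool names, the pool range and the key placeholders are assumptions; the crypto map, transform-set, ACL and AAA list names are the ones from post #1.

```ios
! Assumes "aaa new-model" and AAA lists named "vpn" already exist, as in post #1.
!
! Constructed address pool for remote-access clients (hypothetical range).
ip local pool ezvpn_pool 10.99.0.10 10.99.0.50
!
! Easy VPN client group (hypothetical name, placeholder key).
crypto isakmp client configuration group ezvpn_group
 key <EZVPN_GROUP_KEY>
 pool ezvpn_pool
!
! Xauth and mode-config settings move off the crypto map set and into a
! profile that only matches peers presenting the Easy VPN group identity.
crypto isakmp profile ezvpn_profile
 match identity group ezvpn_group
 client authentication list vpn
 isakmp authorization list vpn
 client configuration address respond
!
! Site-to-site peer gets its own keyring and profile, with no Xauth and
! no mode-config, so the Easy VPN settings never apply to it.
crypto keyring s2s_keyring
 pre-shared-key address x.y.z.t key <S2S_PRESHARED_KEY>
!
crypto isakmp profile s2s_profile
 keyring s2s_keyring
 match identity address x.y.z.t 255.255.255.255
!
! Bind the Easy VPN profile to the dynamic map entry only.
crypto dynamic-map ezvpn_remote_dynmap 10
 set transform-set nov_ezvpn_transform_set
 set isakmp-profile ezvpn_profile
 reverse-route
!
! Bind the site-to-site profile to the static entry.
crypto map vpn_map 10 ipsec-isakmp
 set peer x.y.z.t
 set transform-set aifi_nov_transform_set
 set isakmp-profile s2s_profile
 match address aifi_nov_crypto_acl
!
! The map set itself carries no "client authentication", "isakmp
! authorization" or "client configuration" lines any more.
crypto map vpn_map 110 ipsec-isakmp dynamic ezvpn_remote_dynmap
```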