both Easy VPN Server and a Site-to-Site tunnel on the same interface?

Discussion in 'Cisco' started by ksun6868, Jan 21, 2008.

  1. ksun6868

    ksun6868 Guest

    Greetings,

    We have a Cisco 3845. We are using it to route to internet (T3
    Sprint)and I also configured EASY VPN Server.
    Now we want to build a Site-to-site VPN to an client site.

    I am trying to make both Easy VPN Server and Site-to-site
    tunnel to work on the same serial interface. I can bring both VPN up,
    with some twist. I wonder if there is a better way to do this.
    The issue is with the ipsec policy and crypto maps.

    The Easy VPN defines crypto map as
    crypto map SDM_CMAP_1 client authentication list ab_login
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

    And the Site-to-Site VPN needs crypto map as
    crypto map SDM_CMAP_2 2 ipsec-isakmp
    set transform-set SDM_TRANSFORMSET_1
    set peer <peer ip>
    match address SDM_1

    Each interface only takes one crypto map command. So I can start
    either VPN by switching to different ipsec policy/crypto map, but not
    both at the same time.
    However, I can start the Site-to-Site VPN first and then attach Easy
    VPN Server's policy to it.
    crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    crypto map SDM_CMAP_2 client authentication list ab_login
    crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_2 client configuration address respond

    Both will be functioning. But if the Site-to-Site tunnel for some
    reason is down, I could not restart it as it is. It will complain that
    the configuration is different from the peer's or something like it.
    I would have to delete the crypto map, recreate the crypto map, start
    the Site-to-Site, and then attache the EasyVPN stuff.

    The questions are:
    1. Is there a cleaner way of doing this (both Easy VPN Server and a
    Site-to-Site tunnel on the same interface)?
    2. So far I have to start the site-to-site tunnel by clicking "Test
    Tunnel" on the SDM interface. Is there better to start the tunnel?
    3. Can we use another interface rather than the one faces the
    internet?
    4. We notice that site-to-site tunnel is down every 24 hours,
    probably due to a time out. Is there anyway to set up so "no time
    out"?

    Thanks!

    Kang Sun
     
    ksun6868, Jan 21, 2008
    #1

    1. Advertisements

  2. ksun6868

    Andrew J Cosgriff Guest

    ksun6868 wrote :
    This may simply be a limitation of SDM - you might want to investigate
    implementing it via the command line instead (I can assure you it works
    fine there).
     
    Andrew J Cosgriff, Jan 22, 2008
    #2

    1. Advertisements

  3. ksun6868

    Bod43 Guest

    I think I posted a full working config in the thread:-
    "Cisco 1760 router and VPN client Connection Issues Options"
     
    Bod43, Jan 25, 2008
    #3

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. Termination of an IPSec VPN tunnel and a GRE Tunnel on one physical interface.

  2. Split Tunnel Blocks http through tunnel but passes http around tunnel

  3. site-to-site VPN tunnel with remote VPN clients

  4. VPN site to site & Remote access VPN ( vpn client) over the same interface

  5. VPN Client is assigning the same IP Address to both the interface andthe default gateway.

  6. site-to-site and easy vpn server on same interface

Loading...