site-to-site and easy vpn server on same interface

Discussion in 'Cisco' started by dt1649651, Apr 22, 2008.

  1. dt1649651

    dt1649651 Guest

    Is it possible to configure site-to-site and easy vpn server on the
    same interface ?

    I get stuck at this point: when I apply the ezvpn parameters "client
    authentication list list_name", "client configuration address respond"
    and "isakmp authorization list list_name" to the crypto map *set*,
    then that screws up the site-to-site ipsec because the site-to-site
    crypto map is under that same crypto map set.

    If I apply those mentioned parameters to the ezvpn *dynamic crypto
    map* then the site-to-site works but the ezvpn fails.

    Below is the config that I apply the ezvpn to the dynamic crypto map
    instead of the crypto map set:

    ! for ezvpn
    crypto dynamic-map ezvpn_remote_dynmap 10
     set transform-set nov_ezvpn_transform_set
    ! the next three commands are applied to the dynamic map
    crypto map ezvpn_remote_dynmap client authentication list vpn
    crypto map ezvpn_remote_dynmap isakmp authorization list vpn
    crypto map ezvpn_remote_dynmap client configuration address respond

    ! if I use the following three commands instead of the above three,
    ! the ezvpn works but not the site-to-site
    ! crypto map vpn_map client authentication list vpn
    ! crypto map vpn_map isakmp authorization list vpn
    ! crypto map vpn_map client configuration address respond

    crypto map vpn_map 10 ipsec-isakmp
     set peer x.y.z.t
     set transform-set aifi_nov_transform_set
     match address aifi_nov_crypto_acl
    crypto map vpn_map 100 ipsec-isakmp dynamic remote_dynmap
    crypto map vpn_map 110 ipsec-isakmp dynamic ezvpn_remote_dynmap

    On the ASA5500 series, the authentication params are bound to the
    tunnel-group ipsec-attributes so I do not have any problem with having
    both ipsec site-to-site and ezvpn server. For the IOS, I do not know
    how to assign those params to that ezvpn crypto map only, not the
    whole map set.

    Thanks for your advice,

    dt1649651, Apr 22, 2008

  2. dt1649651

    Merv Guest

    Merv, Apr 22, 2008

  3. dt1649651

    dt1649651 Guest

    I am lucky. After comparing the ASA config and the IOS config and
    looking at some IOS config, I found out that I can bind the specific
    dynamic crypto map (not the whole set) to a given isakmp profile. It
    works now.

    dt1649651, Apr 22, 2008
  4. dt1649651

    dt1649651 Guest

    Merv, thanks a lot.
    Hmm, I spent three hours on the Cisco site and found only examples that
    bind those params into the crypto map set instead of using the isakmp
    profiles. Your URL shows me what I was looking for. That shows I need
    to improve my use of the correct keywords when searching :)


    dt1649651, Apr 22, 2008
