site-to-site and easy vpn server on same interface

Discussion in 'Cisco' started by dt1649651, Apr 22, 2008.

  1. dt1649651

    dt1649651 Guest

    Is it possible to configure site-to-site and easy vpn server on the
    same interface ?

    I get stuck at this point: when I apply the ezvpn parameters "client
    authentication list list_name", "client configuration address respond"
    and "isakmp authorization list list_name" to the crypto map *set*,
    then that screws up the site-to-site ipsec because the site-to-site
    crypto map is under that same crypto map set.

    If I apply those mentioned parameters to the ezvpn *dynamic crypto
    map* then the site-to-site works but the ezvpn fails.

    Below is the config that I apply the ezvpn to the dynamic crypto map
    instead of the crypto map set:

    crypto dynamic-map ezvpn_remote_dynmap 10 <---- for ezvpn
     set transform-set nov_ezvpn_transform_set
     reverse-route
    !
    crypto map ezvpn_remote_dynmap client authentication list vpn <-- to the dynamic map
    crypto map ezvpn_remote_dynmap isakmp authorization list vpn <-- to the dynamic map
    crypto map ezvpn_remote_dynmap client configuration address respond <-- to the dynamic map
    !

    ! if I use the following three commands instead of the above three, then
    ! the ezvpn works but not the site-to-site
    ! crypto map vpn_map client authentication list vpn
    ! crypto map vpn_map isakmp authorization list vpn
    ! crypto map vpn_map client configuration address respond



    crypto map vpn_map 10 ipsec-isakmp
     set peer x.y.z.t
     set transform-set aifi_nov_transform_set
     match address aifi_nov_crypto_acl
    crypto map vpn_map 100 ipsec-isakmp dynamic remote_dynmap
    crypto map vpn_map 110 ipsec-isakmp dynamic ezvpn_remote_dynmap
    !



    On the ASA5500 series, the authentication params are bound to the
    tunnel-group ipsec-attributes so I do not have any problem with having
    both ipsec site-to-site and ezvpn server. For the IOS, I do not know
    how to assign those params to that ezvpn crypto map only, not the
    whole map set.


    Thanks for your advice,

    DT
     
    dt1649651, Apr 22, 2008
    #1

  2. dt1649651

    Merv Guest

    Merv, Apr 22, 2008
    #2

  3. dt1649651

    dt1649651 Guest

    I am lucky. After comparing the ASA config and the IOS config and
    looking at some IOS configs, I found out that I can bind the specific
    dynamic crypto map (not the whole set) to a given isakmp profile. It
    works now.

    DT
     
    dt1649651, Apr 22, 2008
    #3
  4. dt1649651

    dt1649651 Guest

    Merv, thanks a lot.
    Hmm, I spent three hours on the Cisco site and found only examples that
    bind those params into the crypto map set instead of using the isakmp
    profiles. Your URL shows me what I was looking for. That shows I need
    to improve my use of the correct keywords when searching :)

    Thanks.

    Dt
     
    dt1649651, Apr 22, 2008
    #4