From: dt1649651 on 22 Apr 2008 09:29

Is it possible to configure site-to-site and easy vpn server on the same interface?

I get stuck at this point: when I apply the ezvpn parameters "client authentication list list_name", "client configuration address respond" and "isakmp authorization list list_name" to the crypto map *set*, then that screws up the site-to-site ipsec because the site-to-site crypto map is under that same crypto map set.

If I apply those mentioned parameters to the ezvpn *dynamic crypto map* then the site-to-site works but the ezvpn fails.

Below is the config that I apply the ezvpn to the dynamic crypto map instead of the crypto map set:

    crypto dynamic-map ezvpn_remote_dynmap 10    <---- for ezvpn
     set transform-set nov_ezvpn_transform_set
     reverse-route
    !
    crypto map ezvpn_remote_dynmap client authentication list vpn    <-- to the dynamic map
    crypto map ezvpn_remote_dynmap isakmp authorization list vpn    <-- to the dynamic map
    crypto map ezvpn_remote_dynmap client configuration address respond    <-- to the dynamic map
    !
    ! if I use the following three commands instead of the above three, then
    ! the ezvpn works but not the site-to-site
    ! crypto map vpn_map client authentication list vpn
    ! crypto map vpn_map isakmp authorization list vpn
    ! crypto map vpn_map client configuration address respond
    crypto map vpn_map 10 ipsec-isakmp
     set peer x.y.z.t
     set transform-set aifi_nov_transform_set
     match address aifi_nov_crypto_acl
    crypto map vpn_map 100 ipsec-isakmp dynamic remote_dynmap
    crypto map vpn_map 110 ipsec-isakmp dynamic ezvpn_remote_dynmap
    !

On the ASA5500 series, the authentication params are bound to the tunnel-group ipsec-attributes so I do not have any problem with having both ipsec site-to-site and ezvpn server. For the IOS, I do not know how to assign those params to that ezvpn crypto map only, not the whole map set.

Thanks for your advice,
DT

From: Merv on 22 Apr 2008 10:08

Take a look at

DMVPN and Easy VPN Server with ISAKMP Profiles Configuration Example

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml

From: dt1649651 on 22 Apr 2008 10:20

I am lucky. After comparing the ASA config and the IOS config and looking at some IOS config, I found out that I can bind the specific dynamic crypto map (not the whole set) to a given isakmp profile. It works now.

DT

From: dt1649651 on 22 Apr 2008 10:25

On Apr 22, 9:08 am, Merv <merv.hr...(a)rogers.com> wrote:
> take a look at
>
> DMVPN and Easy VPN Server with ISAKMP Profiles Configuration Example
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuratio...

Merv, thanks a lot.

Hmm, I spent three hours on Cisco site and found only examples that bind those params into the crypto map set instead of using the isakmp profiles. Your URL shows me what I was looking for. That shows I need to improve my using of correct key words when searching :)

Thanks.
Dt