02-20-2007 02:22 AM - edited 02-21-2020 02:52 PM
Hello,
Can Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(2)T, RELEASE SOFTWARE (fc1)
run an Easy VPN server and other L2L IPsec VPN tunnels on the same interface?
I have some IPsec L2L VPN tunnels and I want to deploy an Easy VPN server, but I have only one interface to the ISP, with a /30 network. I can't extend it.
Is it workable?
02-20-2007 05:32 AM
It's painful to configure but it can work since 12.3(3).
You must use an ISAKMP profile.
http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml
02-20-2007 05:38 AM
Do you have a working example?
I've been thinking about it for over 4 days 8-\ It doesn't work!
02-20-2007 05:37 AM
Hi,
You need an ISAKMP profile if the router is also accepting dynamic L2L connections. If the requirement is something like:
The router has static to static LAN to LAN tunnel/s and wants to accept RA client connections (including the s/w clients as well as EzVPN), then you don't need to worry about anything. Just go ahead and configure the router for regular client connection and it should accept the EzVPN as well.
HTH.
Please do rate if it helps.
Regards,
Kamal
02-20-2007 05:49 AM
well
aaa authentication login aaa-list group radiussrv-group local
aaa authorization network aaan-list local
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group cisco
 key cisco
 dns 192.168.22.11 192.168.22.12
 domain cisco.com
 pool easyvpn_pool
 include-local-lan
 backup-gateway ***.***.***.***
crypto ipsec transform-set DEFAULT esp-des esp-md5-hmac
crypto dynamic-map evpn-map 10
 set transform-set DEFAULT
 reverse-route
crypto map VPN1 client authentication list aaa-list
crypto map VPN1 isakmp authorization list aaan-list
crypto map VPN1 client configuration address respond
crypto map VPN1 10 ipsec-isakmp
 set peer ***.***.***.***
 set transform-set DEFAULT
 match address 104
.
.
!!! my lan2lan static tunnels
.
.
crypto map VPN1 60 ipsec-isakmp dynamic evpn-map
int fa 0/1
 crypto map VPN1
This does not work!
When I configure
crypto map VPN1 client authentication list aaa-list
the static LAN-to-LAN tunnels didn't work - XAUTH failed... they don't support it, they are static LAN-to-LAN routers.
The EasyVPN client can't find an ISAKMP policy...
02-20-2007 08:07 AM
Hi,
With this config, are the software VPN clients able to connect?
Please test if not already tested.
I would also appreciate it if you could send the debugs.
Regards,
Kamal
02-20-2007 08:32 AM
No, Easy VPN didn't work with this config...
And the LAN-to-LAN VPNs go down when the SA lifetime is exceeded. They can't connect because the central router asks them for XAUTH (crypto map VPN1 client authentication aaa-list).
I think that ISAKMP profiles can help me...
The next task is DMVPN with OER, etc...
Then I install a new IOS.
What debug do you want? The debug will be in the next 12 hours.
02-20-2007 08:55 AM
Hi,
In that case, you can either configure the username under the EzVPN configuration on the EzVPN client or get rid of the following command from the EzVPN server:
crypto map VPN1 client authentication list aaa-list
Please remove the crypto map from the interface before removing this command and bind the crypto map back after removing this command.
Please test and see if it helps.
If it does not work, please enable 'debug crypto isakmp', 'debug crypto ipsec' and 'debug crypto ipsec client ezvpn' and send the output to me.
HTH,
Please do rate if it helps.
Regards,
Kamal
02-20-2007 06:58 PM
crypto map VPN1 client authentication list aaa-list
This command didn't solve the problem - I checked it 8-)
Well, now I will configure an ISAKMP profile... I think this will help.
02-21-2007 03:20 AM
OK,
I have the new config with ISAKMP profiles:
crypto isakmp profile EVPNclient
 match identity group balans
 client authentication list aaa-list
 isakmp authorization list aaan-list
 client configuration address respond
 keepalive 20 retry 3
crypto dynamic-map evpn-map 10
 set transform-set DEFAULT
 set isakmp-profile EVPNclient
 reverse-route
Everything else is the same.
Well! The EasyVPN client connects successfully
BUT
transport tunneling is inactive!
I have no idea what happened...
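Added example, not part of any post in this thread: a Python check that reads an IOS configuration and lists static crypto map peers that inherit map-wide XAUTH, which is the failure reported above, and shows that the ISAKMP-profile layout from the last post clears it. The sample configs are constructed (192.0.2.1 is a placeholder peer), and treating `set isakmp-profile` on a static entry as exempting it is an assumption of this check.

```python
import re

# Constructed sample: map-wide XAUTH, as in the first config posted in the thread
# (peer address replaced with a documentation address).
MAP_WIDE = """\
crypto map VPN1 client authentication list aaa-list
crypto map VPN1 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set DEFAULT
 match address 104
crypto map VPN1 60 ipsec-isakmp dynamic evpn-map
"""

# Constructed sample: XAUTH moved into an ISAKMP profile, as in the last post.
PER_PROFILE = """\
crypto isakmp profile EVPNclient
 match identity group balans
 client authentication list aaa-list
crypto dynamic-map evpn-map 10
 set isakmp-profile EVPNclient
crypto map VPN1 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 104
crypto map VPN1 60 ipsec-isakmp dynamic evpn-map
"""

XAUTH_RE = re.compile(r"crypto map (\S+) client authentication list \S+$")
ENTRY_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp$")  # static entries only

def xauth_conflicts(config):
    """Return (map, seq, peer) for static peers that inherit map-wide XAUTH."""
    xauth_maps, entries, current = set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("crypto "):
            current = None  # any new crypto command ends the previous map entry
            if m := XAUTH_RE.match(line):
                xauth_maps.add(m.group(1))
            elif m := ENTRY_RE.match(line):
                current = (m.group(1), int(m.group(2)))
                entries[current] = {"peer": None, "profile": False}
        elif current and line.startswith("set peer "):
            entries[current]["peer"] = line.split()[2]
        elif current and line.startswith("set isakmp-profile "):
            entries[current]["profile"] = True  # assumption: profile decides XAUTH
    return [(name, seq, e["peer"]) for (name, seq), e in sorted(entries.items())
            if name in xauth_maps and e["peer"] and not e["profile"]]

if __name__ == "__main__":
    for label, cfg in (("map-wide", MAP_WIDE), ("per-profile", PER_PROFILE)):
        print(label, xauth_conflicts(cfg))
```

The parser keys on command prefixes rather than indentation, so it also accepts configs pasted with the leading spaces stripped.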