EzVPN and other VPN on same interface?

kir_mischenko · ‎02-20-2007

hello

Can Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(2)T, RELEASE SOFTWARE (fc1)

make easy vpn server and other l2l ipsec vpn tunnels on the same interface?

I have some ipsec VPN l2l tunnels and i whant to deploy easy vpn server. but i have only one interface to ISP with /30 network. I can't extend it.

Is it workable?

dominic.caron · ‎02-20-2007

It's painful to configure but it can work since 12.3(3).

you must use ISAKMP profile

http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml

kir_mischenko · ‎02-20-2007

have you a working example?

i think about it over 4 days 8-\ it doesnt work!

Kamal Malhotra · ‎02-20-2007

Hi,

You need ISAKMP profile if the router is accepting the dynamic L2L connections also. If the requirement is something like :

The router has static to static LAN to LAN tunnel/s and wants to accept RA client connections (including the s/w clients as well as EzVPN), then you don't need to worry about anything. Just go ahead and configure the router for regular client connection and it should accept the EzVPN as well.

HTH.

Please do rate if it helps.

Regards,

Kamal

kir_mischenko · ‎02-20-2007

well

aaa authentication login aaa-list group radiussrv-group local

aaa authorization network aaan-list local

crypto isakmp policy 5

hash md5

authentication pre-share

group 2

crypto isakmp client configuration group cisco

key cisco

dns 192.168.22.11 192.168.22.12

domain cisco.com

pool easyvpn_pool

include-local-lan

backup-gateway ***.***.***.***

crypto ipsec transform-set DEFAULT esp-des esp-md5-hmac

crypto dynamic-map evpn-map 10

set transform-set DEFAULT

reverse-route

crypto map VPN1 client authentication list aaa-list

crypto map VPN1 isakmp authorization list aaan-list

crypto map VPN1 client configuration address respond

crypto map VPN1 10 ipsec-isakmp

set peer ***.***.***.***

set transform-set DEFAULT

match address 104

.

!!! my lan2lan static tunnels

.

crypto map VPN1 60 ipsec-isakmp dynamic evpn-map

int fa 0/1

crypto map VPN1

this is not work!

when i configure

crypto map VPN1 client authentication list aaa-list

static lan-to-lan tunnels didnt work - XAUTH failed...thay didnt support it its statc lan 2 lan routers

EasyVPN client can't fine isakmp policy...

Kamal Malhotra · ‎02-20-2007

Hi,

With this config, are the software VPN clients able to connect?

Please test if not already tested.

I would also appreciate if you can send the debugs.

Regards,

Kamal

kir_mischenko · ‎02-20-2007

no easy vpn didnt work in this config...

and lan2lan vpns going down when SA liftime excided. Thay can't conect becouse central router ask them fro XAUTH (crypto map VPN1 client authentication aaa-list)

i think that isakmp profiles can help me...

the next task is DMVPN with OER and etc...

then i install new IOS

what debug do you whant? debug will be in next 12 hours

Kamal Malhotra · ‎02-20-2007

Hi,

In that case, you can either configure the username under the EzVPN configuration on the EzVPN client or get rid of the following command from the EzVPN server :

crypto map VPN1 client authentication list aaa-list

Please remove the crypto map from the interface before removing this command and bind the crypto map back after removing this command.

Please test and see if it helps.

If is does not work, please enable the 'debug crypto isakmp', 'debug crypto ipsec' and 'debug crypto ipsec client ezvpn' and send the output to me.

HTH,

Please do rate if it helps.

Regards,

Kamal

kir_mischenko · ‎02-20-2007

crypto map VPN1 client authentication list aaa-list

this command didn't solve problem - i checked it 8-)

well now i will config isakmp profile... i think this help

kir_mischenko · ‎02-21-2007

Ok

i have the new config with ISAKMP profiles:

crypto isakmp profile EVPNclient

match identity group balans

client authentication list aaa-list

isakmp authorization list aaan-list

client configuration address respond

keepalive 20 retry 3

crypto dynamic-map evpn-map 10

set transform-set DEFAULT

set isakmp-profile EVPNclient

reverse-route

all other is the same

well! EasyVPNclient connects successfully

BUT

transport tunneling is inactive!

i never idea what happen...