mattiaseriksson Tue, 08/14/2007 - 00:40

Yes, it does. Just add the dynamic crypto map to the existing crypto map.


Ex.

crypto dynamic-map myDYN-MAP 5 set transform-set mySET

crypto map myMAP 1 ipsec-isakmp dynamic myDYN-MAP

andrey.v.tyurin Tue, 08/14/2007 - 02:50

I mean that I already have this working config:

crypto ipsec transform-set P2Pset esp-des esp-md5-hmac

crypto map P2Pmap 9 ipsec-isakmp

crypto map P2Pmap 9 match address P2P

crypto map P2Pmap 9 set pfs group5

crypto map P2Pmap 9 set peer 1.1.1.1

crypto map P2Pmap 9 set transform-set P2Pset

crypto map P2Pmap 9 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map P2Pmap 10 ipsec-isakmp

crypto map P2Pmap 10 match address P2P2

crypto map P2Pmap 10 set pfs group2

crypto map P2Pmap 10 set peer 2.2.2.2

crypto map P2Pmap 10 set transform-set P2Pset

crypto map P2Pmap 11 ipsec-isakmp

crypto map P2Pmap 11 match address P2P3

crypto map P2Pmap 11 set pfs group2

crypto map P2Pmap 11 set peer 3.3.3.3

crypto map P2Pmap 11 set transform-set P2Pset

crypto map P2Pmap 11 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map P2Pmap interface VPN

isakmp enable VPN

isakmp key ******** address 1.1.1.1 netmask 255.255.255.255

isakmp key ******** address 2.2.2.2 netmask 255.255.255.255

isakmp key ******** address 3.3.3.3 netmask 255.255.255.255

isakmp identity address

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption des

isakmp policy 9 hash md5

isakmp policy 9 group 5

isakmp policy 9 lifetime 86400




And now I want to set up an Easy VPN server for the peer 4.4.4.4. What must I write in my config?



I think that it will be:


isakmp policy 10 authentication pre-share


isakmp policy 10 encryption des


isakmp policy 10 hash md5


isakmp policy 10 group 2


isakmp policy 10 lifetime 86400


then



crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac


crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10


crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5

crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map

crypto map P2Pmap 12 set peer 4.4.4.4


crypto map P2Pmap client authentication LOCAL



Then I do vpngroup and users, and that's all....



Am I right???


mattiaseriksson Tue, 08/14/2007 - 03:30

Yes, but with easyvpn you rarely need to configure a peer address and assign an acl to the dynamic crypto-map because most config goes into the vpngroup. But it should work as you want it to anyway.


I would exclude these lines:


no crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10

no crypto map P2Pmap 12 set peer 4.4.4.4


You also need to configure the vpngroup with split-tunnel, and nat exemption as usual.
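
Added example, not part of any post in this thread: a small Python check that applies the reply's advice to a candidate config, listing the `match address` and `set peer` lines attached to a dynamic entry as `no` commands and flagging dynamic-map or transform-set names that are referenced but never defined. The function name `review_dynamic_entries` is hypothetical, the sample is constructed from the lines posted above, and the regexes cover only the command forms shown in this thread.

```python
import re

# Constructed sample: the Easy VPN additions proposed in the thread.
PROPOSED = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
crypto map P2Pmap client authentication LOCAL
"""

def review_dynamic_entries(config):
    """Return (removal commands, consistency problems) for dynamic crypto map entries."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    tsets, dyn_maps, dyn_entries = set(), set(), {}
    for l in lines:  # first pass: collect what the config defines
        if m := re.match(r"crypto ipsec transform-set (\S+)", l):
            tsets.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ ", l):
            dyn_maps.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", l):
            dyn_entries[(m.group(1), m.group(2))] = m.group(3)
    removals, problems = [], []
    for l in lines:  # second pass: apply the reply's advice and check references
        if re.match(r"crypto dynamic-map \S+ \d+ match address ", l):
            removals.append("no " + l)  # ACL on the dynamic map
        elif ((m := re.match(r"crypto map (\S+) (\d+) set peer ", l))
              and (m.group(1), m.group(2)) in dyn_entries):
            removals.append("no " + l)  # fixed peer on a dynamic entry
        elif ((m := re.match(r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", l))
              and m.group(1) not in tsets):
            problems.append(f"undefined transform-set {m.group(1)}")
    for (name, seq), dyn in sorted(dyn_entries.items()):
        if dyn not in dyn_maps:
            problems.append(f"crypto map {name} {seq} references undefined dynamic-map {dyn}")
    return removals, problems

if __name__ == "__main__":
    for item in sum(review_dynamic_entries(PROPOSED), []):
        print(item)
```

Static entries such as `crypto map P2Pmap 9 set peer 1.1.1.1` are left alone because their sequence number is not bound to a dynamic map.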
