Does anyone know if it is possible to run an IPSEC/L2TP VPN concurrently with an IPSEC TUNNEL mode VPN for the Cisco VPN client on an ASA?
I have a customer who wants to use IPSEC over L2TP for most clients, but wants to use the Cisco VPN client to support Windows Vista clients. Phase 1 negotiation works fine, but Phase 2 only works for the Transform set with the highest priority. Effectively, this means that either the Windows DUN client or the Cisco VPN Client will negotiate Phase 2 depending on which Transform set is configured with the higher priority.
In the following configuration, Phase 2 for the IPSEC/L2TP VPN (outside_dyn_map 20) establishes, but Phase 2 for the Cisco VPN Client tunnel (outside_dyn_map 30) fails due to no valid SAs.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
If I change the priority of the transform sets, then the opposite occurs.
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
Any insight would be appreciated.