Site-to-Site VPN and Remote VPN Access config on same router

Sep 14th, 2007


I have a site-to-site setup between a HQ and 2 branches. I however want to configure remote access to the HQ for offsite users who want to connect from the internet into the LAN. The site-to-site VPN was achieved by applying crypto map policies to the interfaces. To create the remote access VPN, I also have to use a crypto map policy, but the challenge is I cannot use more than 1 crypto map policy on an interface.

Or can I? Any suggestions?


Tshi M Fri, 09/14/2007 - 13:27

Yes, you can. Please post the VPN part of your config so that I can make the right recommendations. You can remove things such as your key, peer addresses, etc.

kelloggs4life Sun, 09/16/2007 - 03:34


Attached are the config files for the router.

Let me know your comments and observations. I noticed that when I applied the remote VPN config, my site-to-site VPN stopped working, the reason being that the crypto map policies for the Fast Ethernet interfaces had changed.


Tshi M Sun, 09/16/2007 - 05:49

You have found your answer: you cannot apply different crypto maps to the same interface. Use the same crypto map for your site-to-site and your remote VPN. That is all there is to it.

spkolla Fri, 09/28/2007 - 01:54

As mentioned by Femi, we are also having the same problem. On any router we can only assign one crypto map, and have to use the same name for the S2S and remote access configuration. It's causing the S2S tunnel to fail.

Any idea how to do it?

kelloggs4life Fri, 09/28/2007 - 05:02


What you need to do is create the same crypto map for both the site-to-site and remote access.

Just use the same crypto map name.

See the sample below:

crypto dynamic-map DYNMAP_2 10
 set transform-set t_aml1
crypto map VPN-Map-1 client authentication list sdm_vpn_xauth_ml_1
crypto map VPN-Map-1 isakmp authorization list sdm_vpn_group_ml_1
crypto map VPN-Map-1 client configuration address respond
! Crypto map entry for site-to-site tunnel 1
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer
 set transform-set ESP-3DES-SHA2
 set pfs group2
 match address Crypto-list
! Crypto map entry for site-to-site tunnel 2
crypto map VPN-Map-1 11 ipsec-isakmp
 set peer
 set transform-set ESP-3DES-SHA2
 set pfs group2
 match address Crypto-list
! Crypto map entry for remote access
crypto map VPN-Map-1 35 ipsec-isakmp dynamic DYNMAP_2


Tshi M Fri, 09/28/2007 - 05:34

That was my reply a few weeks ago, but I never got credit for it.

guibarati Fri, 09/28/2007 - 12:25

Refer to "no-xauth" for the authentication problems you are probably going to find
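
An added example, not part of any post in this thread: a small Python check for three failure modes the discussion touches on (a crypto map left unapplied after another map replaces it on the interface, the dynamic remote-access entry numbered ahead of a static site-to-site entry, and a site-to-site pre-shared key without the no-xauth keyword while Xauth is enabled on the map). The sample config, the peer address 192.0.2.10, the key placeholder and the name S2S-Map are constructed; the ordering check follows Cisco's general guidance that dynamic entries carry the highest sequence numbers, which goes slightly beyond what the posts state.

```python
import re

# Constructed sample config (peer address and key are placeholders, not from the thread).
SAMPLE = """\
crypto isakmp key PLACEHOLDER address 192.0.2.10
crypto map S2S-Map 10 ipsec-isakmp
 set peer 192.0.2.10
crypto map VPN-Map-1 client authentication list sdm_vpn_xauth_ml_1
crypto map VPN-Map-1 5 ipsec-isakmp dynamic DYNMAP_2
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 192.0.2.10
interface FastEthernet0/0
 crypto map VPN-Map-1
"""

def audit(config):
    """Return findings for a router combining site-to-site and remote-access VPN."""
    entries, xauth, bound, keys, peers = {}, set(), set(), {}, set()
    for line in config.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?$", line):
            entries.setdefault(m[1], []).append((int(m[2]), bool(m[3])))
        elif m := re.match(r"crypto map (\S+) client authentication list ", line):
            xauth.add(m[1])                      # Xauth enabled for this map
        elif m := re.match(r"\s+crypto map (\S+)$", line):
            bound.add(m[1])                      # map applied under an interface
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)(.*)$", line):
            keys[m[1]] = "no-xauth" in m[2].split()
        elif m := re.match(r"\s+set peer (\S+)", line):
            peers.add(m[1])                      # static site-to-site peer
    findings = []
    for name, seqs in sorted(entries.items()):
        if name not in bound:
            findings.append(f"{name}: defined but not applied to any interface")
        static = [s for s, dyn in seqs if not dyn]
        for s, dyn in seqs:
            if dyn and static and s < max(static):
                findings.append(f"{name}: dynamic entry {s} precedes static entry {max(static)}")
    if xauth & bound:  # Xauth is live, so static peers need the no-xauth keyword
        for peer in sorted(peers):
            if keys.get(peer) is False:          # key present, keyword missing
                findings.append(f"peer {peer}: pre-shared key lacks no-xauth")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against the crypto section of a saved running-config; peers authenticated by other means than a per-address pre-shared key are not flagged.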

