Unanswered Question
Nov 12th, 2009
User Badges:

Hello everyone , I have configured DMVPN Hub and EzVPN Server on Cisco 2811 at the headoffice and the branches are having 2600 routers . There are 5 Spokes at this moment for DMVPN . Users use Cisco EzVPN Client software to access HeadOffice network . However I am facing problems .

when i do sh crypto isakmp sa

I usually see errors like



And the IP address in the destination is the spokes of DMVPN . sometimes when i type in the HUB

crypto isakmp key cisco123 address no-xauth

static entry for DMVPN spoke and type no-xauth , it works fine sometimes but sometimes not . I could not test all the spokes at this moment because the network is not in production at this point .

I think the ezvpn server and dmvpn server is having a conflict in this crypto isakmp key thing .

Attached is my DMVPN HUB + EZVPN Server configuration

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Todd Pula Thu, 11/12/2009 - 14:51
User Badges:
  • Silver, 250 points or more

You will want to modify your configuration to use an isakmp profile. This will allow you to apply the EasyVPN xauth config to your incoming client connections only. For example,

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco123 address


crypto isakmp client configuration group testgroup

key testgroup

pool vpn-test-pool

crypto isakmp profile vpn-test-profile

match identity group testgroup

client authentication list VPN

isakmp authorization list VPN

client configuration address respond



crypto ipsec transform-set test esp-3des esp-md5-hmac


crypto ipsec profile test-profile

set transform-set test



crypto dynamic-map dyn-map 1

set transform-set test

set isakmp-profile vpn-test-profile

reverse-route remote-peer



crypto map test 1 ipsec-isakmp dynamic dyn-map


This Discussion