02-15-2010 04:01 PM
Hi guys,
I am setting up a VPN connection on a 2800s router.
There are already GRE tunnels and site-to-site VPN connections on this router.
I tried to create an 'Easy VPN' connection, but it failed because my interface fa0/1 is the source for the GRE tunnel in the existing configuration.
Now, without touching the existing GRE tunnel config, is it possible for me to set up a VPN connection using fa0/1, so my users can connect by VPN to this router via the Cisco VPN client?
Please help.
Cheers
02-16-2010 06:43 AM
This URL describes a similar setup to what you are trying to do. The tunnel source is the same interface that has the crypto map applied. HTH
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml
02-16-2010 01:44 PM
Hi there, see the config below from my lab:
---------------------------------------------
I think I am getting close, but I need to find a way for the site-to-site map and the dynamic map (for my VPN client) to co-exist under the same crypto map applied on interface fa0/1.
!!!!!!!!!!!!!!!!!!!! This is existing config !!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!! for site-to-site vpn !!!!!!!!!!!!!!!!!!!!!!!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set mySite esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto map site-to-site-map 1 ipsec-isakmp
 description Site to Site VPN to remote site
 set peer 205.1.2.3
 set transform-set mySite
 match address 123
!
!
!
interface Tunnel1
 description GRE Tunnel to Remote site (192.168.40.2)
 bandwidth 100000
 ip address 192.168.40.1 255.255.255.0
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 201.x.x.x
!
!
!
interface FastEthernet0/1
 description TO_Internet
 ip address 201.1.2.3 255.255.255.252
 ip access-group INTERNET-IN in
 load-interval 30
 speed 100
 full-duplex
 crypto map site-to-site-map
!
!
!!!!!!!!!!!!!!!!!!!! My solution for vpn client !!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
aaa authentication login VPN_AUTH local
!
ip local pool MY_VPN_POOL 10.100.10.10 10.100.10.20
!
!
crypto ipsec transform-set MY_VPN_SET esp-3des esp-sha-hmac
!
!
!
crypto map MY_VPN client authentication list VPN_AUTH
crypto map MY_VPN isakmp authorization list VPN_AUTH
crypto map MY_VPN client configuration address respond
crypto map MY_VPN 10 ipsec-isakmp dynamic MY_VPN_MAP
!
!
!
crypto isakmp client configuration group MY_VPN
 key cisco
 dns x.x.x.x
 domain x.x.x.x
 pool MY_VPN_POOL
!
!
!
!!!!!!!!!!!!!!!! this is where the problem is !!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!Should I use the below or the one after that, cuz I need dynamic-map !!!!!!!!!!!!!!!!!!!
!
crypto map site-to-site-map 2 ipsec-isakmp
 description VPN For MY_VPN
 set transform-set MY_VPN_SET
!
!!!!!!!!!!!!!!!!!!OR this one, cuz I need dynamic-map !!!!!!!!!!!!!!!!!!!
!
crypto dynamic-map MY_VPN_MAP 10
 set transform-set MY_VPN_SET
 reverse-route
02-17-2010 06:08 AM
Yes, you apply the dynamic map to the crypto map. Here is a better example of what you are trying to do. HTH
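The approach described in the reply above, as an added example that is not part of the original thread: an interface accepts only one crypto map, so the dynamic map is referenced from the map already applied to Fa0/1 instead of from a second map. The list name VPN_GROUP_AUTHOR, the sequence number 65535, the key placeholder, and the need for `aaa new-model` are assumptions; all other names come from the config posted above.

```cisco
! Added example, not the poster's config. Assumes AAA is not yet enabled.
aaa new-model
aaa authentication login VPN_AUTH local
! Hypothetical list name for group (network) authorization
aaa authorization network VPN_GROUP_AUTHOR local
!
ip local pool MY_VPN_POOL 10.100.10.10 10.100.10.20
!
crypto isakmp client configuration group MY_VPN
 key <group-key-placeholder>
 pool MY_VPN_POOL
!
crypto ipsec transform-set MY_VPN_SET esp-3des esp-sha-hmac
!
crypto dynamic-map MY_VPN_MAP 10
 set transform-set MY_VPN_SET
 reverse-route
!
! Client (Xauth / mode-config) settings attach to the crypto map that is
! already applied to Fa0/1, not to a separate MY_VPN map.
crypto map site-to-site-map client authentication list VPN_AUTH
crypto map site-to-site-map isakmp authorization list VPN_GROUP_AUTHOR
crypto map site-to-site-map client configuration address respond
!
! Existing static entry (sequence 1) is left untouched. The dynamic entry
! takes a higher sequence number so the static peer is matched first.
crypto map site-to-site-map 65535 ipsec-isakmp dynamic MY_VPN_MAP
!
! Already present on the interface; shown for reference only.
interface FastEthernet0/1
 crypto map site-to-site-map
```

`show crypto map` should then list both sequence 1 (peer 205.1.2.3) and sequence 65535 (dynamic, MY_VPN_MAP) under site-to-site-map.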