setting up 'easy vpn server' on 2800s router with site-to-site vpn

Aun Iqbal
Level 1

hi guys
I am setting up a VPN connection on a 2800s router.

There are already GRE tunnels and site-to-site VPN connections on this router.

I tried to create an 'easy vpn' connection but it failed, as my interface fa0/1 is the source for the GRE tunnel in the existing configuration.

Now, without touching the existing GRE tunnel config, is it possible for me to set up a VPN connection using fa0/1, so my users can connect by VPN to this router via the Cisco VPN client?

Please help.
Cheers

3 Replies

slmansfield
Level 4
Level 4

This URL describes a similar setup to what you are trying to do.  The tunnel source is the same interface that has the crypto map applied.  HTH

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml

hi there, see the below config from my lab:

---------------------------------------------

I think I am a bit close, but need to find a way to make the site-to-site map and dynamic map (for my VPN client) co-exist under the same crypto map applied on interface fa0/1.

!!!!!!!!!!!!!!!!!!!! This is existing config !!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!! for site-to-site vpn !!!!!!!!!!!!!!!!!!!!!!!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set mySite esp-3des esp-sha-hmac
 mode transport
!
crypto map site-to-site-map 1 ipsec-isakmp
 description Site to Site VPN to remote site
 set peer 205.1.2.3
 set transform-set mySite
 match address 123
!
interface Tunnel1
 description GRE Tunnel to Remote site (192.168.40.2)
 bandwidth 100000
 ip address 192.168.40.1 255.255.255.0
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 201.x.x.x
!
interface FastEthernet0/1
 description TO_Internet
 ip address 201.1.2.3 255.255.255.252
 ip access-group INTERNET-IN in
 load-interval 30
 speed 100
 full-duplex
 crypto map site-to-site-map
!
!!!!!!!!!!!!!!!!!!!! My solution for vpn client !!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
aaa authentication login VPN_AUTH local
!
ip local pool MY_VPN_POOL 10.100.10.10 10.100.10.20
!
crypto ipsec transform-set MY_VPN_SET esp-3des esp-sha-hmac
!
crypto map MY_VPN client authentication list VPN_AUTH
crypto map MY_VPN isakmp authorization list VPN_AUTH
crypto map MY_VPN client configuration address respond
crypto map MY_VPN 10 ipsec-isakmp dynamic MY_VPN_MAP
!
crypto isakmp client configuration group MY_VPN
 key cisco
 dns x.x.x.x
 domain x.x.x.x
 pool MY_VPN_POOL
!
!!!!!!!!!!!!!!!! this is where the problem is !!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!Should I use the below or the one after that, cuz I need dynamic-map !!!!!!!!!!!!!!!!!!!
!
crypto map site-to-site-map 2 ipsec-isakmp
 description VPN For MY_VPN
 set transform-set MY_VPN_SET
!
!!!!!!!!!!!!!!!!!!OR this one, cuz I need dynamic-map !!!!!!!!!!!!!!!!!!!
!
crypto dynamic-map MY_VPN_MAP 10
 set transform-set MY_VPN_SET
 reverse-route

Yes, you apply the dynamic map to the crypto map.  Here is a better example of what you are trying to do.  HTH

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml
