Problem with EzVPN and Site-to-Site VPN

Answered Question
Apr 20th, 2010
Hi,

I want to configure EzVPN and site-to-site VPN; however, the problem is that only the EasyVPN works, and the site-to-site VPN is not working at all.

I have configured one crypto map for both VPNs with different tags.

I have excluded the traffic from being NATted, and when I remove the EzVPN the site-to-site VPN works fine.


crypto isakmp policy 100
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10000
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 123456 address (removed)


crypto isakmp client configuration group easyvpn
 key easyvpn
 domain ezvpn
 pool easyvpn
 acl easyvpn
 save-password
 split-dns cme
 max-users 9
 netmask 255.255.255.0
!

crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac

crypto dynamic-map easyvpn 10
 set transform-set dmvpn
 reverse-route
!
!
crypto map easyvpn local-address Dialer1
crypto map easyvpn client authentication list easyvpn
crypto map easyvpn isakmp authorization list easyvpn
crypto map easyvpn client configuration address respond
crypto map easyvpn 100 ipsec-isakmp dynamic easyvpn
crypto map easyvpn 1000 ipsec-isakmp
 set peer (removed)
 set transform-set vpn
 match address site


interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password
 ppp pap sent-username
 crypto map easyVPN


ip access-list extended DSL_ACCESSLIST
 deny   ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255
 deny   ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
 permit ip 100.0.0.0 0.0.0.255 any
 deny   ip any any
ip access-list extended easyvpn
 permit ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
ip access-list extended site
 permit ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255


Best regards

Correct Answer
Jennifer Halim (Cisco Employee), Tue, 04/20/2010 - 03:37

The crypto map sequence number for the static crypto map (site-to-site VPN) should be higher (i.e., the sequence number should be lower) than the EzVPN (dynamic crypto map).


In your case, you should configure as follows:


crypto map easyvpn 10 ipsec-isakmp
 set peer (removed)
 set transform-set vpn
 match address site


crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn


Hope that resolves the issue.
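
The ordering rule from the answer above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original thread or any Cisco tool: a small Python check that flags static crypto map entries whose sequence number is higher than a dynamic entry in the same map. The function names are hypothetical, and the sample configs are constructed from the crypto map lines quoted in the thread.

```python
import re

# Entry lines look like:
#   crypto map <name> <seq> ipsec-isakmp [dynamic <dynamic-map>]
ENTRY = re.compile(
    r"^\s*crypto\s+map\s+(\S+)\s+(\d+)\s+ipsec-isakmp(?:\s+dynamic\s+(\S+))?\s*$"
)

def crypto_map_entries(config):
    """Return {map_name: [(seq, dynamic_map_or_None), ...]} ordered by seq."""
    maps = {}
    for line in config.splitlines():
        m = ENTRY.match(line)
        if m:
            name, seq, dyn = m.groups()
            maps.setdefault(name, []).append((int(seq), dyn))
    return {n: sorted(e, key=lambda x: x[0]) for n, e in maps.items()}

def static_after_dynamic(config):
    """Return (map, static_seq, dynamic_seq) for every static entry that has a
    higher sequence number than the first dynamic entry of the same map."""
    findings = []
    for name, entries in crypto_map_entries(config).items():
        dyn_seqs = [seq for seq, dyn in entries if dyn is not None]
        if not dyn_seqs:
            continue
        first_dyn = dyn_seqs[0]  # entries are sorted, so this is the lowest
        findings += [(name, seq, first_dyn)
                     for seq, dyn in entries if dyn is None and seq > first_dyn]
    return findings

# Constructed from the crypto map lines quoted in the thread.
BEFORE = """\
crypto map easyvpn local-address Dialer1
crypto map easyvpn 100 ipsec-isakmp dynamic easyvpn
crypto map easyvpn 1000 ipsec-isakmp
 set peer (removed)
 set transform-set vpn
 match address site
"""
AFTER = """\
crypto map easyvpn 10 ipsec-isakmp
 set peer (removed)
 set transform-set vpn
 match address site
crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn
"""

if __name__ == "__main__":
    print("before:", static_after_dynamic(BEFORE))
    print("after: ", static_after_dynamic(AFTER))
```
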
