
problem with Ezvpn and Site to Site VPN

Hi

I want to configure Ezvpn and Site to Site VPN; however, the problem is that only the EasyVPN works and the Site to Site is not working at all.

I have configured 1 crypto map for both VPNs with different tags.

I have excluded the traffic from being NATted too, and when I remove the Ezvpn the site to site works fine.

crypto isakmp policy 100
encr aes
hash md5
authentication pre-share
group 2 
!        
crypto isakmp policy 10000
encr aes 256
authentication pre-share
group 5 
crypto isakmp key 123456 address (removed)

crypto isakmp client configuration group easyvpn
key easyvpn
domain ezvpn
pool easyvpn
acl easyvpn
save-password
split-dns cme
max-users 9
netmask 255.255.255.0
!       

crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac

crypto dynamic-map easyvpn 10
set transform-set dmvpn
reverse-route
!
!
crypto map easyvpn local-address Dialer1
crypto map easyvpn client authentication list easyvpn
crypto map easyvpn isakmp authorization list easyvpn
crypto map easyvpn client configuration address respond
crypto map easyvpn 100 ipsec-isakmp dynamic easyvpn
crypto map easyvpn 1000 ipsec-isakmp
set peer (removed)
set transform-set vpn
match address site

interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password
ppp pap sent-username
crypto map easyVPN

ip access-list extended DSL_ACCESSLIST
deny   ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255
deny   ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
permit ip 100.0.0.0 0.0.0.255 any
deny   ip any any
ip access-list extended easyvpn
permit ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
ip access-list extended site
permit ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255

best regards

Accepted Solutions

Jennifer Halim
Cisco Employee

The crypto map sequence number for the static crypto map (site-to-site VPN) should be higher (i.e., the sequence number should be lower) than the Ezvpn (dynamic crypto map).

In your case, you should configure as follows:


crypto map easyvpn 10 ipsec-isakmp
set peer (removed)
set transform-set vpn
match address site

crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn

Hope that resolves the issue.

Thanks a lot, it worked just fine.
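
The ordering rule from the accepted answer, as an added example that is not part of the original thread: a Python check that reads the `crypto map` entries of an IOS configuration and reports any static (site-to-site) entry sequenced after a dynamic (Ezvpn) entry in the same map. The two sample configurations are constructed from the entries quoted in the question and the answer; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples: crypto map entries as quoted in the question and in the answer.
QUESTION_CONFIG = """\
crypto map easyvpn local-address Dialer1
crypto map easyvpn client configuration address respond
crypto map easyvpn 100 ipsec-isakmp dynamic easyvpn
crypto map easyvpn 1000 ipsec-isakmp
 set peer (removed)
 match address site
"""
ANSWER_CONFIG = """\
crypto map  easyvpn 10 ipsec-isakmp
 set peer (removed)
 match address site
crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn
"""

# Matches only numbered entries; global lines such as "local-address" carry no sequence.
ENTRY = re.compile(
    r"^crypto\s+map\s+(\S+)\s+(\d+)\s+ipsec-isakmp(?:\s+dynamic\s+(\S+))?\s*$")

def parse_entries(config):
    """Return {map_name: [(seq, dynamic_map_or_None), ...]} ordered by sequence."""
    maps = defaultdict(list)
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            maps[m.group(1)].append((int(m.group(2)), m.group(3)))
    return {n: sorted(e, key=lambda x: x[0]) for n, e in maps.items()}

def misordered(config):
    """Return (map, static_seq, dynamic_seq) for static entries placed after a dynamic one."""
    findings = []
    for name, entries in parse_entries(config).items():
        dynamic_seqs = [seq for seq, dyn in entries if dyn]
        if not dynamic_seqs:
            continue  # no Ezvpn/dynamic entry in this map, nothing to compare
        first_dynamic = min(dynamic_seqs)
        for seq, dyn in entries:
            if dyn is None and seq > first_dynamic:
                findings.append((name, seq, first_dynamic))
    return findings

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(label, misordered(cfg) or "static entries precede dynamic entries")
```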
