04-20-2010 01:45 AM
hi
i want to confgure Ezvpn and Site to Site VPN however the problem is that the EasyVpn that only would work the Site to Site is not Working at all
i have configure 1 crypto map for both of VPN with different tagges
i had execlude the traffice for NOT being natted to and when i remove the Ezvpn the site to site work fine
crypto isakmp policy 100
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10000
encr aes 256
authentication pre-share
group 5
crypto isakmp key 123456 address (removed)
crypto isakmp client configuration group easyvpn
key easyvpn
domain ezvpn
pool easyvpn
acl easyvpn
save-password
split-dns cme
max-users 9
netmask 255.255.255.0
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
crypto dynamic-map easyvpn 10
set transform-set dmvpn
reverse-route
!
!
crypto map easyvpn local-address Dialer1
crypto map easyvpn client authentication list easyvpn
crypto map easyvpn isakmp authorization list easyvpn
crypto map easyvpn client configuration address respond
crypto map easyvpn 100 ipsec-isakmp dynamic easyvpn
crypto map easyvpn 1000 ipsec-isakmp
set peer (removed)
set transform-set vpn
match address site
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password
ppp pap sent-username
crypto map easyVPN
ip access-list extended DSL_ACCESSLIST
deny ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255
deny ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
permit ip 100.0.0.0 0.0.0.255 any
deny ip any any
ip access-list extended easyvpn
permit ip 100.0.0.0 0.0.0.255 70.0.0.0 0.0.0.255
ip access-list extended site
permit ip 100.0.0.0 0.0.0.255 101.1.1.0 0.0.0.255
best regards
Solved! Go to Solution.
04-20-2010 03:37 AM
The crypto map sequence number for the static crypto map (site-to-site vpn) should be higher (ie: sequence number should be lower) than the ezvpn (dynamic crypto map).
In your case, you should configure as follows:
crypto map easyvpn 10 ipsec-isakmp
set peer (removed)
set transform-set vpn
match address site
crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn
Hope that resolves the issue.
04-20-2010 03:37 AM
The crypto map sequence number for the static crypto map (site-to-site vpn) should be higher (ie: sequence number should be lower) than the ezvpn (dynamic crypto map).
In your case, you should configure as follows:
crypto map easyvpn 10 ipsec-isakmp
set peer (removed)
set transform-set vpn
match address site
crypto map easyvpn 150 ipsec-isakmp dynamic easyvpn
Hope that resolves the issue.
04-20-2010 03:49 AM
Thanks alot it worked just fine
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: