09-27-2016 12:56 PM
Hello,
I'm new to the Cisco world and I have a problem.
On my Cisco 881 router I have configured a client-to-site VPN.
This is the configuration:
aaa new-model
aaa local authentication attempts max-fail 500
aaa authentication login default local
aaa authentication login VPN_GMP_LOGIN local
aaa authorization exec default local
aaa authorization network VPN_GMP_GROUP local
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group test_GMP
 key XXXXXXXXXXXXX
 dns 192.168.x.x
 domain test.test
 pool VPN_test_POOL
 acl 100
crypto ipsec transform-set GMP_DEFAULT esp-3des esp-sha-hmac
 mode tunnel
crypto dynamic-map GMP_DYNAMIC 10
 set transform-set GMP_DEFAULT
crypto map GMP_MAP client authentication list VPN_GMP_LOGIN
crypto map GMP_MAP isakmp authorization list VPN_GMP_GROUP
crypto map GMP_MAP client configuration address respond
crypto map GMP_MAP 10 ipsec-isakmp dynamic GMP_DYNAMIC
ip local pool VPN_test_POOL 192.168.240.129 192.168.240.255
interface FastEthernet4
 crypto map GMP_MAP
I want to configure a site-to-site VPN with another router. I know how to configure the other router, but
I do not know how to configure this router. I want both VPNs (site-to-site and client-to-site) to work simultaneously. If anyone knows the answer, please help me.
09-27-2016 05:53 PM
Hi lado00001,
In this case the configuration of the S2S is not going to affect your remote clients at all.
Config:
crypto isakmp key <presharedkey> address <peerip>
crypto map GMP_MAP 1 ipsec-isakmp
 set peer <ip>
 set transform-set GMP_DEFAULT
 match address <interesting traffic>
If this router is doing NAT you need to exempt the traffic that you would like to send through the tunnel.
Example:
ip access-list extended interesting-t
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
ip access-list extended nonat
 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip 1.1.1.0 0.0.0.255 any
ip nat inside source list nonat interface g0/1 overload
With those commands you are going to make sure the traffic going through the tunnel is not going to be natted to your outside interface.
You can also take a look at this configuration guide:
http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html
Hope this info helps!!
Rate if helps you!!
-JP-
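The answer above gives the site-to-site pieces separately; the following is an added, complete merge of them with the original client-to-site configuration, showing how both entries live in the same crypto map on FastEthernet4. It is editor-written example config, not from either poster. Assumed values: local LAN 1.1.1.0/24 and remote LAN 2.2.2.0/24 (taken from the answer's example), a hypothetical peer address 203.0.113.10, and the 881's FastEthernet4 as the NAT outside interface. It also adds a NAT exemption for the client pool, which the answer's nonat ACL does not cover.

```cisco
! Added example config (not from the thread). Assumed: local LAN 1.1.1.0/24,
! remote LAN 2.2.2.0/24, peer 203.0.113.10 (hypothetical), outside = FastEthernet4.
!
! Pre-shared key for the static peer only. The remote-access group keeps its own
! key under "crypto isakmp client configuration group test_GMP".
crypto isakmp key S2S_PRESHARED_KEY address 203.0.113.10
!
! Interesting traffic for the site-to-site tunnel.
ip access-list extended S2S_INTERESTING
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
! NAT exemption. Both the remote LAN and the client pool must bypass PAT,
! otherwise replies to either are translated to the outside address and never
! match the tunnel. The pool 192.168.240.129-255 sits in 192.168.240.128/25,
! i.e. wildcard 0.0.0.127.
ip access-list extended NONAT
 deny   ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
 deny   ip 1.1.1.0 0.0.0.255 192.168.240.128 0.0.0.127
 permit ip 1.1.1.0 0.0.0.255 any
!
ip nat inside source list NONAT interface FastEthernet4 overload
!
! Static entry with a LOWER sequence number (1) than the dynamic entry (10):
! the router checks the explicit peer first and falls back to the dynamic map
! for remote-access clients whose address is unknown in advance.
! GMP_DEFAULT is reused exactly as posted (esp-3des esp-sha-hmac).
crypto map GMP_MAP 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set GMP_DEFAULT
 match address S2S_INTERESTING
!
! The client-to-site entries from the original post stay unchanged.
crypto map GMP_MAP client authentication list VPN_GMP_LOGIN
crypto map GMP_MAP isakmp authorization list VPN_GMP_GROUP
crypto map GMP_MAP client configuration address respond
crypto map GMP_MAP 10 ipsec-isakmp dynamic GMP_DYNAMIC
!
! Only one crypto map can be bound to an interface, so both tunnels must share
! GMP_MAP; the name on the interface must match the map name exactly.
interface FastEthernet4
 crypto map GMP_MAP
```

After applying it, `show crypto map` should list sequence 1 (static, peer 203.0.113.10) and sequence 10 (dynamic) under GMP_MAP; `show crypto isakmp sa` and `show crypto ipsec sa` show the site-to-site SA once traffic matching S2S_INTERESTING is sent, and `show ip nat translations` should contain no entries for 2.2.2.0/24 or the client pool.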