Multiple VPN profiles on single router

Unanswered Question
Nov 1st, 2005

Currently I have a router that is set up to accept inbound connections from users using the Cisco software VPN client, which is working fine. Now I need to expand this router's capabilities. I need it to support a tunnel to another router as well. The requirements of the new VPN connection are as follows:




Group 2

Default Lifetime




Default Lifetime

What I am looking for is a configuration example. I have no idea what to look for, or even what this is called to search Cisco's site. Any advice is appreciated; I am really new to VPNs.

Thanks much

thisisshanky Tue, 11/01/2005 - 21:54

What does your existing router configuration look like? Do you have a dynamic crypto map configured on the router, which in turn is referenced by a static crypto map? If yes, each static crypto map has an instance number and you can define multiple instances of the same static crypto map, as follows.

aaa new-model
aaa authentication login VPN-CLIENTS group radius
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 hash sha
!
crypto ipsec transform-set test-set esp-3des esp-sha-hmac
!
crypto isakmp client configuration group test-vpn-group
!
crypto dynamic-map test-map 10
 set transform-set test-set
!
crypto map radius-map client authentication list VPN-CLIENTS
crypto map radius-map isakmp authorization list group-auth
crypto map radius-map client configuration address respond
crypto map radius-map 10 ipsec-isakmp dynamic test-map
crypto map radius-map 20 ipsec-isakmp
! instance 20: site-to-site VPN entry (peer, transform set and match address go here)

Crypto map instance 20 will define the site-to-site VPN settings, while crypto map instance 10 will take care of the VPN clients.


jeffdanderson Wed, 11/02/2005 - 17:26

Not sure what you call the setup that is currently on the router. I pasted the relevant parts below. I am a complete newbie when it comes to VPNs. I have set up a few following some configuration examples, but my understanding is lacking. If you could show me how to integrate the 2 VPNs together, that would be great.

aaa authentication login userauth local
aaa authentication login line line enable
aaa authorization network groupauthor local
aaa session-id common
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
no crypto isakmp ccm
!
crypto isakmp client configuration group mycompanyvpn
 key supersecretvpnkey
 pool mycompanypool
 acl 105
!
crypto ipsec transform-set mycompanyset esp-3des esp-md5-hmac
!
crypto dynamic-map mycompany-dynamic-map 10
 set transform-set mycompanyset
!
crypto map mycompanymap client authentication list userauth
crypto map mycompanymap isakmp authorization list groupauthor
crypto map mycompanymap client configuration address respond
crypto map mycompanymap 10 ipsec-isakmp dynamic mycompany-dynamic-map
!
interface Serial0/0
 crypto map mycompanymap
!
ip local pool mycompanypool
!
route-map nonat permit 102
 match ip address 102
!
access-list 102 deny ip
access-list 102 permit ip any
access-list 105 permit ip

On the other side of the tunnel is the following private network. Let's pretend that the VPN peer of the terminating router is

jackko Wed, 11/02/2005 - 18:21

You can pretty much leave the existing config, except ACL 102. The reason being this ACL is used for no-NAT, so you need to add the


crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 hash sha
!
crypto ipsec transform-set newset esp-aes esp-sha-hmac
!
crypto isakmp key  address  no-xauth
!
access-list 102 deny ip
access-list 102 deny ip
access-list 102 permit ip any
access-list 107 permit ip
!
crypto map mycompanymap 20 ipsec-isakmp
 set peer
 set transform-set newset
 match address 107
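A complete configuration that puts the two pieces together, added here as an example and not posted by anyone in this thread: it merges the existing remote-access setup from jeffdanderson's config with the site-to-site instance thisisshanky and jackko describe. Every address, pool range, key, username and the NAT statements are constructed placeholders (RFC 1918 and RFC 5737 ranges) and must be replaced with your own values.

```cisco
! Added example (not from the thread). Constructed values used throughout:
!   inside LAN      10.10.10.0/24      (FastEthernet0/0, NAT inside)
!   client pool     10.10.99.1-10.10.99.50
!   remote site LAN 192.168.50.0/24
!   remote peer     203.0.113.1        (reached via Serial0/0, NAT outside)
aaa new-model
aaa authentication login userauth local
aaa authorization network groupauthor local
username vpnuser secret USER-PASSWORD-PLACEHOLDER
!
! Phase 1 policy for the software VPN clients (existing)
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Phase 1 policy for the site-to-site peer; lower number = evaluated first
crypto isakmp policy 2
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared key bound to the peer router only. no-xauth matters because the
! "client authentication list" below applies to the whole crypto map and would
! otherwise make the router demand an Xauth username/password from the peer.
crypto isakmp key SITE-KEY-PLACEHOLDER address 203.0.113.1 no-xauth
!
! Group the software clients connect with (group key, address pool, split tunnel)
crypto isakmp client configuration group mycompanyvpn
 key CLIENT-GROUP-KEY-PLACEHOLDER
 pool mycompanypool
 acl 105
!
crypto ipsec transform-set mycompanyset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-sha-hmac
!
! Dynamic map for clients: their source address is unknown, so no peer or ACL
crypto dynamic-map mycompany-dynamic-map 10
 set transform-set mycompanyset
!
! One crypto map, two instances: 10 = remote-access clients, 20 = site-to-site
crypto map mycompanymap client authentication list userauth
crypto map mycompanymap isakmp authorization list groupauthor
crypto map mycompanymap client configuration address respond
crypto map mycompanymap 10 ipsec-isakmp dynamic mycompany-dynamic-map
crypto map mycompanymap 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set newset
 match address 107
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip nat outside
 crypto map mycompanymap
!
ip local pool mycompanypool 10.10.99.1 10.10.99.50
!
! NAT exemption: traffic for the client pool AND for the remote site must not be
! translated, or it will never match the crypto ACL. The deny lines come first.
access-list 102 deny   ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255
access-list 102 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
! Split-tunnel ACL pushed to the software clients
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.10.99.0 0.0.0.255
!
! Crypto ACL for the site-to-site tunnel; the peer router needs the mirror image
access-list 107 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 102
ip nat inside source route-map nonat interface Serial0/0 overload
```

Two things to check after applying a configuration like this. First, the peer must have a matching ISAKMP policy (AES, SHA, pre-share, group 2), the same transform set and the mirror of ACL 107, or Phase 1 or Phase 2 negotiation fails; show crypto isakmp sa and show crypto ipsec sa on both ends show which stage is stuck. Second, Cisco's IOS guidance is to give the dynamic entry the highest sequence number in the crypto map so that static entries are evaluated first; the thread keeps the dynamic entry at 10 and the example follows that, but renumbering the dynamic entry above the static one is the safer layout when more static peers are added.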

jeffdanderson Sat, 11/05/2005 - 18:17

Well, I have added the appropriate commands to the router and the tunnel isn't coming up. It hits the ACL and tries to bring up the tunnel but it fails. I have captured the output from a debug crypto isakmp. If I am reading the debug properly, I think the key exchange is failing. I don't have access to the remote end, so I want to confirm this before I contact the company supporting the other side. I have attached the output from the debug. Please advise.

I forgot to add the attachment and it won't let me do it after the fact. Please see the next post for the debug output.


jackko Sat, 11/05/2005 - 21:27

It would be helpful if you post the latest config.

jeffdanderson Sat, 11/05/2005 - 22:31

See attached. This should be all the relevant info. The actual config is really extensive and I don't want to make it public-friendly unless I absolutely have to.

jeffdanderson Tue, 11/08/2005 - 16:57

Nobody has any suggestions? If I can't get this working soon I am going to have to resort to TAC, which I am trying to avoid.
