Site-to-Site VPN with CA and Easy VPN

Unanswered Question
Jan 18th, 2006
I have a site-to-site VPN with rsa-sig authentication, and one router also acts as a server for an Easy VPN solution with pre-shared key authentication. When the user connects to the server via the VPN software client with local authentication, thanks to the command "crypto map MAPA client authentication list REMOTE", the problem is that the router cannot create the site-to-site VPN tunnel. When I do not use this command, the user can connect to the server without user and password authentication; there is only a password for the GROUP, and the site-to-site tunnel has no problem establishing.

What can cause the problem in my LAB?

Does anybody have an example configuration for site-to-site VPN with CA and Easy VPN on a router?

aacole Wed, 01/18/2006 - 10:49

Been there, had the same issue.

The problem you're running into is that it's not possible to have L2L and client VPNs together in the same router when using rsa-sig authentication.

It's fine with pre-shared keys, as there is an option to disable the XAUTH feature on the L2L pre-shared key; you don't have the same option when using rsa-sig.


dominik.nowicki... Wed, 01/18/2006 - 23:50
How can I understand this? There is no possibility to configure an Easy VPN client with xauth and a site-to-site VPN with CA.


On IOS you CAN have both Site-to-Site tunnels with rsa-sig authentication and EasyVPN tunnels! The first way to go: just configure a dummy pre-shared key for all your rsa-sig (!) Site-to-Site tunnels and specify "no-xauth", such as:

crypto isakmp key blah-blah-blah address a.b.c.d no-xauth

This is not documented and may not work in all IOS releases.

The second way to go: use ISAKMP profiles which are available since IOS 12.2(13)T. This is documented on CCO. You'll have to list ALL your EasyVPN groups in the router config (unfortunately regex are not supported). Your router will request XAUTH for them. For Site-to-Site peers you can use so-called "wildcard" ISAKMP profile to match on any other peer's Identity (the Identity type should be "IP address" which is the default). No XAUTH challenge will be sent for such peers.

You can find examples on CCO.


Oleg Tipisov,
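
A sketch of the ISAKMP-profile approach from the reply above, as an added example that is not part of the original posts and has not been checked against a particular IOS release. Only MAPA, REMOTE and a.b.c.d come from the thread; the profile names, VPNGROUP, GROUPAUTHOR, TS, DYN and access list 101 are placeholders.

```cisco
! Constructed example. Names other than MAPA and REMOTE are placeholders.
! XAUTH is requested per ISAKMP profile, so the crypto-map-wide
! setting that challenged every peer is removed.
no crypto map MAPA client authentication list REMOTE
!
! Easy VPN clients: one "match identity group" line per group,
! because regex matching is not supported. XAUTH is requested here.
crypto isakmp profile EZVPN-CLIENTS
 match identity group VPNGROUP
 client authentication list REMOTE
 isakmp authorization list GROUPAUTHOR
 client configuration address respond
!
! Site-to-site peers: wildcard match on an IP-address identity.
! No client authentication list, so no XAUTH challenge is sent.
crypto isakmp profile L2L-PEERS
 match identity address 0.0.0.0
!
! Dynamic entry for the software clients, bound to the client profile.
crypto dynamic-map DYN 10
 set transform-set TS
 set isakmp-profile EZVPN-CLIENTS
!
! Static entry for the rsa-sig peer, bound to the wildcard profile.
crypto map MAPA 10 ipsec-isakmp
 set peer a.b.c.d
 set transform-set TS
 set isakmp-profile L2L-PEERS
 match address 101
crypto map MAPA 65000 ipsec-isakmp dynamic DYN
```

After applying a change like this, "show crypto isakmp sa detail" and "debug crypto isakmp" show whether XAUTH was negotiated for each peer, which confirms that clients are still challenged and the site-to-site peer is not.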


