Re: Can I use VPN3030 for site-to-site and remote access VPN?
Can I use both VPN functions in the same box? YES
Do I use the same pre-shared key for both? YOU COULD, BUT I WOULDN'T USE THE SAME KEY FOR DIFFERENT CONNECTIONS; IT COULD CAUSE SECURITY ISSUES LATER
My network is:
VPN3030 IPsec with PIX (remote) - DOABLE
VPN client from the internet connects to VPN3030 - DOABLE
Do I need two groups for them? YOU NEED TO DEFINE A "GROUP" FOR THE REMOTE ACCESS CONNECTION, BUT NOT FOR THE LAN2LAN (UNLESS YOU USE EZVPN ON THE PIX OR IOS ROUTER, THEN YOU WOULD CONFIGURE THAT CONNECTION AS A REMOTE ACCESS CONNECTION AND DEFINE GROUPS)
Do I use the same pre-shared key, or a specific key for each group? I WOULD USE A DIFFERENT KEY PER CONNECTION.
Remote Access and LAN2LAN connections can coexist on the Concentrator, but they are configured differently.
In most cases when you configure Remote Access connections, they are for roaming clients that are using VPN Client Software or for small offices using IOS Routers or PIX running the EzVPN feature set or the 3002 hardware client. In these instances you will need to push policies down to them ('Mode Config', i.e. the IP address they will use on the inside of your network, DNS and WINS server, etc.). This is configured under Configuration > User Management > Groups.
On the flip side are the LAN2LAN connections. You don't define a "group" for that. The preshared key is defined with all the other parameters (phase1, phase2 policies, subnets/hosts to protect) on the same page (Configuration > Tunneling Protocols > IPSec > LAN-to-LAN).
You create the LAN2LAN connections under Traffic Management.
I have copied and pasted this from our Concentrator. Page: Configuration > Tunneling Protocols > IPSec > LAN-to-LAN
"This section lets you configure IPSec LAN-to-LAN connections. LAN-to-LAN connections are established with other VPN 3000 Concentrators, PIX firewalls, 7100/4000 series routers and other IPSec-compliant security gateways. To configure a VPN 3002 or other remote access connection, go to User Management and configure a Group and User. To configure NAT over LAN-to-LAN, go to LAN-to-LAN NAT Rules."