
Client and Site to Site VPN from one device

An 871 router has been deployed at one of our employees' houses, specifically to allow him to use a VoIP phone. It connects via an L2L IPSec tunnel back to a VPN 3005 concentrator.

The idea initially was to tag all non-trunked incoming packets with a VLAN id that had access to only the internet, and none of the corporate resources available through the site to site VPN tunnel. We wanted to force this user to use a VPN client connection on any computer in order to access these resources.

The phone configuration works fine, but anytime the VPN client establishes a connection, the site to site tunnel goes down and the phone breaks. At this point, the ONLY way I have found to re-establish the site to site tunnel is to reboot the router; even after I have disconnected my client.

Debugs on the router show that it appears to be attempting to re-establish phase one ISAKMP negotiations, but the live event log on the concentrator doesn't say anything about it.

My question is, is this something that should not be possible, or is it a bug?


Re: Client and Site to Site VPN from one device

Creating VPN tunnels behind NAT/PAT devices can become tricky. Trying to do multiple tunnels can be even more difficult/impossible. You could look into NAT-T, which helps when creating tunnels behind NAT/PAT devices. I would imagine the 871 supports NAT-T but don't know for sure. On the concentrator it is a global config. You may want to look at getting a VPN hardware client. The concentrator has the ability to allow the HW client to connect with 1 VPN tunnel and auth each user trying to connect to resources. It also allows for the Cisco IP phones to bypass the auth.

Hope this helps.


Please rate if it helps.
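NAT-T, mentioned in the reply above, moves IKE and ESP onto UDP/4500 so a PAT device has a per-session UDP port to translate instead of a bare ESP flow. The following is an added Python example, not code from either post, that decodes constructed ISAKMP headers on UDP/500 and NAT-T-encapsulated ones on UDP/4500 and lists public addresses behind which more than one IKE initiator is negotiating without NAT-T, which is the situation the question describes (one router L2L tunnel plus one software client behind the same address). The addresses, SPIs and datagrams are constructed sample data.

```python
import struct

# IKEv1 exchange types carried in the ISAKMP header (RFC 2408/2409 values).
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}
# Fixed 28-byte ISAKMP header: i-SPI, r-SPI, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE inside UDP/4500 (RFC 3948)

def parse_ike(udp_dst_port, payload):
    """Decode a UDP/500 ISAKMP datagram or a UDP/4500 NAT-T datagram; None if neither."""
    natt = udp_dst_port == 4500
    if natt:
        if len(payload) < 4:
            return None
        if payload[:4] != NON_ESP_MARKER:
            return {"kind": "udp-encap-esp", "natt": True}  # first 4 bytes are an ESP SPI
        payload = payload[4:]
    elif udp_dst_port != 500:
        return None
    if len(payload) < ISAKMP_HDR.size:
        return None
    ispi, rspi, _nxt, ver, xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(payload)
    return {"kind": "ike", "natt": natt, "ispi": ispi.hex(), "rspi": rspi.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_TYPES.get(xchg, f"type-{xchg}"),
            "encrypted": bool(flags & 0x01), "length": length}

def plain_ike_initiators_per_address(packets):
    """Map a source address to the initiator SPIs seen on plain UDP/500 (no NAT-T).
    More than one SPI behind one address: several IKE peers share a translated address."""
    seen = {}
    for src_ip, _sport, dport, payload in packets:
        hdr = parse_ike(dport, payload)
        if hdr and hdr["kind"] == "ike" and not hdr["natt"]:
            seen.setdefault(src_ip, set()).add(hdr["ispi"])
    return {ip: spis for ip, spis in seen.items() if len(spis) > 1}

def build_ike(ispi, xchg, natt=False):
    """Constructed header-only ISAKMP datagram for the sample below (not a real capture)."""
    hdr = ISAKMP_HDR.pack(ispi, b"\x00" * 8, 1, 0x10, xchg, 0, 0, ISAKMP_HDR.size)
    return NON_ESP_MARKER + hdr if natt else hdr

# Constructed sample: (src_ip, src_port, dst_port, payload); addresses are documentation ranges.
SAMPLE = [
    ("203.0.113.10", 500, 500, build_ike(b"\x11" * 8, 2)),         # router L2L, main mode
    ("203.0.113.10", 500, 500, build_ike(b"\x22" * 8, 4)),         # software client, aggressive
    ("198.51.100.7", 4500, 4500, build_ike(b"\x33" * 8, 2, True)), # peer using NAT-T
    ("198.51.100.7", 4500, 4500, b"\x00\x00\x01\x02" + b"\x00" * 12),  # UDP-encapsulated ESP
]
```

Running `plain_ike_initiators_per_address(SAMPLE)` reports only 203.0.113.10, where two initiators negotiate on plain UDP/500; the NAT-T peer on 198.51.100.7 is not flagged.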
