An 871 router has been deployed at one of our employees' houses, specifically to allow him to use a VoIP phone. It connects via an L2L IPSec tunnel back to a VPN 3005 concentrator.
The idea initially was to tag all non-trunked incoming packets with a VLAN id that had access to only the internet, and none of the corporate resources available through the site to site VPN tunnel. We wanted to force this user to use a VPN client connection on any computer in order to access these resources.
The phone configuration works fine, but anytime the VPN client establishes a connection, the site to site tunnel goes down and the phone breaks. At this point, the ONLY way I have found to re-establish the site to site tunnel is to reboot the router, even after I have disconnected my client.
Debugs on the router show that it appears to be attempting to re-establish phase one ISAKMP negotiations, but the live event log on the concentrator doesn't say anything about it.
My question is, is this something that should not be possible, or is it a bug?
Creating VPN tunnels behind NAT/PAT devices can become tricky. Trying to do multiple tunnels can be even more difficult/impossible. You could look into NAT-T, which helps when creating tunnels behind NAT/PAT devices. I would imagine the 871 supports NAT-T but don't know for sure. On the concentrator it is a global config. You may want to look at getting a VPN hardware client. The concentrator has the ability to allow the HW client to connect with 1 VPN tunnel and auth each user trying to connect to resources. It also allows for the Cisco IP phones to bypass the auth.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router :