Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Easy VPN Remote and Site to Site on the Same Interface

Hi,

This is the case:

We have a remote site which needs to be connected to our office, and at the same time be connected to a third party, both using VPN.

The connection to our office is done by EasyVPN and the one to the third party is done by using a crypto-map (ISKMP tunnel). According to the documentation, this should be possible:

:BeginQuote:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/ftezvpnr.htm

Easy VPN Remote and Site to Site on the same Interface

This feature allows the Easy VPN remote and site to site (crypto map) to be supported on the same interface, making it possible to both establish a tunnel to another Easy VPN server and have another site to site on the same interface simultaneously. A typical application would be a third-party VPN service provider that is managing a remote router via the site-to-site tunnel and using Easy VPN Remote to connect the remote site to a corporate Easy VPN server.

For more information about the Easy VPN Remote and Site to Site on the Same Interface feature, see "Easy VPN Remote and Site to Site on the Same Interface" in the section " Additional References

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/ftezvpnr.htm#wp1027269

:End Quote:

I'm basically just interested in the document that's being referred to, it's exactly our case...

Have anyone done this, or have ideas of how it should be done ?

Txs, in advance.

--

Dick Svensson

9 REPLIES
Cisco Employee

Re: Easy VPN Remote and Site to Site on the Same Interface

I wrote a sample config for this a while back that has yet to be published to CCO. I'll email the html page straight to the email address in your CCO profile, let me know if the email address is invalid or you want me to end it somewhere else.

New Member

Re: Easy VPN Remote and Site to Site on the Same Interface

I have recived your email, and will start to look at the example. I will get back to this thread and post a followup to inform others how it's progressing.

/Best regards

--

Dick Svensson

New Member

Re: Easy VPN Remote and Site to Site on the Same Interface

I too am have a similar circumstance. I have a PIX 501 and a PIX 506E in a site to site with VPN Dialer acces to the 506E. I would like to see how you have configured it, My Site to Site keeps getting dropped and I have to restart the 501 and magicly is it back up for about an hour, then gets dropped. I am starting to lean towards faulty equipment.

New Member

Re: Easy VPN Remote and Site to Site on the Same Interface

I really don't see the simularity in our cases, but if you say so it's probably true. I don't use a Virtual Dailer interface, and I don't get up my tunnels at the same time. But please enlighten me about your problem, and maybe we can take down this bull togheter.

/Regards

Dick Svensson

pf
New Member

Re: Easy VPN Remote and Site to Site on the Same Interface

PIX 6.2(2) with site - to site vpn and new Easy VPN-remote to another PIX acting as Easy VPN Server. Does that work? Your example above says it is working for IOS.

Pix says that only crypto map or easy vpn remote can be active, not both.

Many Thanks

regards

Peter

New Member

Re: Easy VPN Remote and Site to Site on the Same Interface

I have the same problem with the site-to-site and easy vpn remote on the same interface.

Can you help me please?,

Thanks in advance

Anonymous
N/A

Hi,

Hi,

Today, after 11 years I've come with the same problem. Can you pls share the sample config?

Cisco Employee

Boy, had to scan the archives

Boy, had to scan the archives to find this.  I don't even know how valid this is any more really, as the IOS config has moved on quite significantly from there, but I've attached the HTML file I made up years ago and a small picture to go along with it. 

Note the .txt file will need to be renamed to .html, then you sould just be able to browse to it directly.  This system wouldn't let me upload a .html file.

Have fun.

Anonymous
N/A

Thank you SIR, for you prompt

Thank you SIR, for you prompt response. My case is Router B, however, my P2P VPN is working normally, when I add ezvpn conf, EZVPN starts working normally but P2P VPN shows the state as CONF_XAUTH.

However, I've found the solution which need to be tested.

"Use the no-xauth keyword when you enter the isakmp key, so the device does not prompt the peer for XAUTH information (username and password). This keyword disables XAUTH for static IPsec peers. Enter a command similar to this on the device that has both L2L and RA VPN configured on the same crypto map:"

router(config)#crypto isakmp key cisco123 address 
   172.22.1.164 no-xauth
412
Views
0
Helpful
9
Replies