04-15-2002 08:28 AM - edited 02-21-2020 11:41 AM
Hello, I have the following problem:
I need different tunnels on one router and different VPN clients.
Working with one crypto map does not work. With 2 crypto maps I can use one or the other, not both at the same time. Interface Serial0 takes only one crypto map.
I also tried to make a dummy loopback interface for the second map, but got no connection in any test. I also tried disabling all firewalls while testing.
Existing: Cisco 1750 IPSec 3DES + VPN-Module
Connection to Internet Serial 0 NAT
New IOS Release 12.2.8(T) 3DES
Existing 7 Tunnels to other IOSes 17xx + 26xx +
NAT/PAT My whole net to one IP to customer side
Existing VPN Clients 1.1 with Windows NT works also on same Cryptomap
NEW:
But now, in addition, I need VPN Client 3.5.x and Windows 2000.
But here I have a different way to define it.
crypto map cm-cryptomap client authentication list my-useraut
crypto map cm-cryptomap isakmp authorization list my-groupaut
crypto isakmp client configuration group xxxx
and so on ..... (like the example in the Cisco samples)
Do I have a way to combine all of these?
Thanks Robert
04-15-2002 01:02 PM
Hi Robert
The details are a little vague, so if possible maybe you could post some excerpts from your config.
What I will say is that in even the most unusual VPN configurations, including using different VPN clients, different policies, and different transform-sets, one crypto map is sufficient. I have never seen an instance of two crypto maps that could not be combined into one.
Of course I haven't seen everything, so post your crypto maps and we can take a look.
04-15-2002 11:53 PM
Thanks, here are the relevant statements of my config:
I removed the VPN dynamic map for VPN Client 1.1 because I can install the 3.5 client there anyway.
*******here the running config *****
!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 5
encryption des
hash md5
authentication pre-share
group 1
!
crypto isakmp key *************** address x.x.x.x
crypto isakmp key *************** address y.y.y.y
!->>> and 5 more
!
crypto ipsec transform-set cm-transformset ah-md5-hmac esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Serial0
!
crypto map cm-cryptomap 5 ipsec-isakmp
match address 105
set peer x.y.z.z.
set transform-set cm-transformset
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 4608000
!
crypto map cm-cryptomap 6 ipsec-isakmp
!->>> and 5 more
!
interface FastEthernet0
no shutdown
ip address 192.168.123.254 255.255.255.0
......
!
interface Serial0
ip address 212.x.y.z 255.255.255.252
ip nat outside
crypto map cm-cryptomap
......
!
********************************
In addition, for the VPN 3.5.x I tried
********************************
aaa new-model
aaa authentication login my-useraut local
aaa authorization network my-groupaut local
!
username **** password 0 ****
!
crypto isakmp policy 2
encr 3des
hash sha
authentication pre-share
group 2
!
ip local pool vpn-dial-pool 192.168.124.1 192.168.124.254
!
crypto isakmp client configuration group *****
key ****
pool vpn-dial-pool
!
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
!
crypto dynamic-map vpn-dynamic 15
set transform-set vpn-transform
!
crypto map cm-cryptomap client authentication list my-useraut
crypto map cm-cryptomap isakmp authorization list my-groupaut
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 15 ipsec-isakmp dynamic vpn-dynamic
!
*****************
When I add "crypto map cm-cryptomap isakmp authorization list my-groupaut" and the client keywords to my "cm-cryptomap", the other tunnels do not work anymore. Only the Client 3.5 works.
So if you see any choice, please let me know. Robert
04-23-2002 12:43 AM
At the moment, I have no solution. So I am trying to renew my question.
Thanks for any help
Robert
05-07-2002 07:29 PM
I just got over the same issue. Search Cisco.com for a doc entitled "Ability to Disable Extended Authentication for Static IPSec Peers".
05-08-2002 09:33 AM
Thanks
"crypto isakmp key MyKey address x.y.x.y no-xauth"
works.
Robert