Hello, I built a VPN with a Cisco836 router as concentrator for two direct IPSec connections with fixed addresses, one IPSec connection from a dynamic address and one IPSec connection from a Cisco VPN Client. All connections should work over a PKI infrastructure with x509 certificates.
With the configuration below all IPSec connections work fine; only the VPNClient connection does not work. If I configure the access-list 101 with permit ip any any then all IPSec connections work but only over the VPNClient profile and not over their own profile and access-list????!!!!
If I configure additional XAUTH for the VPNClient connection then the other IPSec connections also want to authenticate by XAUTH???!!!
Is there anybody who can tell me the mistake in the configuration below?
in which there is an IOS hub router (your 836), a PIX w spoke with an L2L config, a PIX set up as an EzVPN client (dynamic IP address), and a VPN client configuration, similar to what you have set up.
Create an ISAKMP Profile for each tunnel type, and use the "match identity" command under these to map the specific remote tunnel attributes.
For example, you can do a "match identity address x.x.x.x" for your LAN-to-LAN tunnel because you know the address it will be coming from.
Use a "match identity group " for your VPN clients, where is the group name configured in the VPN client profile. Under that profile you can then add your "isakmp client authen/author" type commands.
Define a similar ISAKMP Profile with another "match identity group " where is the group name configured on the remote IPSec device with a dynamic IP address.
Then you just define a crypto map as normal, and map it to two instances of a dynamic crypto map, both pointing to your two "match identity group ..." ISAKMP Profiles. The router will pick the best match, assign it to the most specific ISAKMP Profile and take all the tunnel's attributes from that.
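
The profile layout described in the reply above, sketched as an added example; it is not the original poster's configuration or the responder's. Every profile name, group name, address, ACL number and list name is a constructed placeholder, and the AAA lists, the client configuration group and the PKI trustpoint are assumed to be configured elsewhere on the hub.

```cisco
! Added example, hub side only. All names and addresses are placeholders.
!
! One ISAKMP profile per tunnel type. A fixed-address L2L peer is matched
! by the address it connects from.
crypto isakmp profile L2L-SITE1
   match identity address 192.0.2.10 255.255.255.255
!
! Software VPN clients are matched by the group name in the client profile.
! XAUTH and mode-config are enabled here only, so peers that land in the
! other profiles are never prompted for XAUTH.
crypto isakmp profile VPNCLIENT
   match identity group VPNCLIENTS
   client authentication list VPN-XAUTH
   isakmp authorization list VPN-GROUP
   client configuration address respond
!
! The remote IPSec device with a dynamic address is matched by its own
! group name; no XAUTH commands in this profile.
crypto isakmp profile DYN-SPOKE
   match identity group DYNSPOKE
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
! Two instances of one dynamic crypto map, each tied to one group profile.
crypto dynamic-map DYN 10
 set transform-set TS-AES
 set isakmp-profile DYN-SPOKE
crypto dynamic-map DYN 20
 set transform-set TS-AES
 set isakmp-profile VPNCLIENT
 reverse-route
!
! Static entry for the fixed-address peer, with its own specific ACL
! instead of a catch-all "permit ip any any".
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS-AES
 set isakmp-profile L2L-SITE1
 match address 110
! Dynamic entries go last so static peers are evaluated first.
crypto map VPN 100 ipsec-isakmp dynamic DYN
!
access-list 110 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
```

After a tunnel comes up, `show crypto isakmp sa detail` and `show crypto session detail` can be used to confirm that XAUTH was negotiated only for the client sessions.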