I have a site-to-site VPN with rsa-sig authentication, and one router also acts as the server for an Easy VPN solution with pre-share authentication. When the user connects to the server via the VPN software client with local authentication, thanks to the command "crypto map MAPA client authentication list REMOTE", the problem is that the router cannot create the site-to-site VPN tunnel. When I do not put in this command, the user can connect to the server without user and password authentication (there is only the password for the GROUP), and the site-to-site tunnel has no problem establishing.
What can cause the problem in my LAB?
Does anybody have an example configuration for a site-to-site VPN with CA and Easy VPN on a router?
On IOS you CAN have both site-to-site tunnels with rsa-sig authentication and EasyVPN tunnels! The first way to go: just configure a dummy pre-shared key for all your rsa-sig (!) site-to-site tunnels and specify "no-xauth", such as:
This is not documented and may not work in all IOS releases.
The second way to go: use ISAKMP profiles, which are available since IOS 12.2(13)T. This is documented on CCO. You'll have to list ALL your EasyVPN groups in the router config (unfortunately regexes are not supported). Your router will request XAUTH for them. For site-to-site peers you can use a so-called "wildcard" ISAKMP profile to match any other peer's identity (the identity type should be "IP address", which is the default). No XAUTH challenge will be sent for such peers.
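As an added illustration of both approaches from the answer above (this is not the responder's own configuration, which did not survive on the page), the IOS snippet below shows the no-xauth dummy key and, separately, the ISAKMP-profile layout that keeps XAUTH on the EasyVPN group only. The peer address 192.0.2.2, the group REMOTEGROUP, the authorization list REMOTE-AUTHZ, the trust-point LAB-CA, the transform set TS and the ACL S2S-ACL are assumed lab placeholders; only the map name MAPA and the list name REMOTE come from the question.

```cisco
! ---- Approach 1: dummy PSK with no-xauth for the rsa-sig site-to-site peer ----
! "crypto map MAPA client authentication list REMOTE" applies XAUTH to every
! peer on the map, so the site-to-site peer gets an explicit exemption here.
! (Peer address is an assumed placeholder.)
crypto isakmp key DUMMYKEY address 192.0.2.2 no-xauth
!
! ---- Approach 2: ISAKMP profiles (IOS 12.2(13)T and later) ----
! Drop the map-wide XAUTH so it no longer hits the site-to-site peer.
no crypto map MAPA client authentication list REMOTE
!
! One profile per EasyVPN group: only peers matching a group ID are challenged.
crypto isakmp profile EZVPN-PROF
 match identity group REMOTEGROUP
 client authentication list REMOTE
 isakmp authorization list REMOTE-AUTHZ
 client configuration address respond
!
! Wildcard profile for every remaining peer (identity type "address", the
! default); the rsa-sig site-to-site tunnel lands here and no XAUTH is set.
crypto isakmp profile S2S-PROF
 match identity address 0.0.0.0
 ca trust-point LAB-CA
!
! Bind each profile to the matching crypto map entry.
crypto dynamic-map EZVPN-DYN 10
 set transform-set TS
 set isakmp-profile EZVPN-PROF
 reverse-route
!
crypto map MAPA 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 set isakmp-profile S2S-PROF
 match address S2S-ACL
!
crypto map MAPA 65535 ipsec-isakmp dynamic EZVPN-DYN
```

Use one approach or the other: with the profiles in place the dummy key is no longer needed, and "show crypto isakmp sa detail" can be used to confirm which profile each peer matched.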