Site-to-Site VPN with CA and Easy VPN

Not applicable

Hello!

I have a site-to-site VPN with rsa-sig authentication, and one router also acts as the server for an Easy VPN solution with pre-share authentication. When the user connects to the server via the VPN software client with local authentication (thanks to the command "crypto map MAPA client authentication list REMOTE"), the problem is that the router cannot create the VPN site-to-site tunnel. When I do not put in this command, the user can connect to the server without user and password authentication (there is only the password for the GROUP), and the tunnel between the sites has no problem establishing.

What can cause the problem in my LAB?

Does anybody have an example configuration for a site-to-site VPN with CA and Easy VPN on a router?

3 Replies

aacole
Level 5

Been there, had the same issue.

The problem you're running into is that it's not possible to have L2L and client VPNs together in the same router when using rsa-sig authentication.

It's fine with pre-shared keys, as there is an option to disable the XAUTH feature on the L2L pre-shared key; you don't have the same option when using rsa-sig.

Andy

Not applicable

Thx!

How can I understand this? There is no possibility to configure an Easy VPN client with xauth and a site-to-site VPN with CA.

Dominik

On IOS you CAN have both site-to-site tunnels with rsa-sig authentication and EasyVPN tunnels! The first way to go: just configure a dummy pre-shared key for all your rsa-sig (!) site-to-site tunnels and specify "no-xauth", such as:

crypto isakmp key blah-blah-blah address a.b.c.d no-xauth

This is not documented and may not work in all IOS releases.

The second way to go: use ISAKMP profiles, which are available since IOS 12.2(13)T. This is documented on CCO. You'll have to list ALL your EasyVPN groups in the router config (unfortunately regexes are not supported). Your router will request XAUTH for them. For site-to-site peers you can use a so-called "wildcard" ISAKMP profile to match on any other peer's identity (the identity type should be "IP address", which is the default). No XAUTH challenge will be sent for such peers.

You can find examples on CCO.

HTH,

Oleg Tipisov,

REDCENTER
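A worked configuration for Oleg's second approach, added here as an illustration and not taken from the thread or from Cisco's own examples: one ISAKMP profile for the EasyVPN group carries the XAUTH list, while a wildcard profile catches the rsa-sig site-to-site peer without it, so the global `crypto map MAPA client authentication list REMOTE` command from the original question is no longer needed. Names such as MAPA, REMOTE, EZGROUP, EZPOOL, EZAUTHOR, TS, DYN, L2L-ACL and the peer a.b.c.d are placeholders, and the wildcard `match identity address 0.0.0.0 0.0.0.0` form should be confirmed against the IOS release in use.

```cisco
! Constructed example (not from the thread): two ISAKMP profiles on one
! IOS router, so only EasyVPN clients get an XAUTH challenge while the
! rsa-sig site-to-site peer never does.
! Placeholder names assumed: MAPA, REMOTE, EZGROUP, EZPOOL, EZAUTHOR, a.b.c.d
aaa new-model
aaa authentication login REMOTE local
aaa authorization network EZAUTHOR local
username vpnuser password 0 REPLACE-ME
ip local pool EZPOOL 10.10.10.1 10.10.10.50
! Phase 1 policies: rsa-sig for the L2L peer, pre-share for EasyVPN
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 group 2
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
! EasyVPN group: the group password lives here, not in a global isakmp key
crypto isakmp client configuration group EZGROUP
 key GROUP-PASSWORD-PLACEHOLDER
 pool EZPOOL
! Profile 1: matched by the EasyVPN group ID; XAUTH is requested here only
crypto isakmp profile EZVPN-PROF
 match identity group EZGROUP
 client authentication list REMOTE
 isakmp authorization list EZAUTHOR
 client configuration address respond
! Profile 2: "wildcard" profile for every other peer (identity type address);
! no client authentication list, so no XAUTH for the rsa-sig L2L peer
crypto isakmp profile L2L-PROF
 match identity address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS
 set isakmp-profile EZVPN-PROF
 reverse-route
! Note: no "crypto map MAPA client authentication list REMOTE" here;
! XAUTH is bound per profile instead of to the whole crypto map
crypto map MAPA 10 ipsec-isakmp
 set peer a.b.c.d
 set transform-set TS
 set isakmp-profile L2L-PROF
 match address L2L-ACL
crypto map MAPA 65535 ipsec-isakmp dynamic DYN
```

After applying it, `show crypto isakmp profile` and `debug crypto isakmp` show which profile each incoming peer matched, which is the quickest way to confirm that the L2L peer is hitting L2L-PROF and not being challenged for XAUTH.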
