Cisco Support Community
Crypto Map and Easy VPN Client on 1 Interface

I recently configured an easy vpn client connection on one of the interfaces (interface Vlan2) for our 1841 router.  This interface already has a crypto map applied to the same interface for a different peer.  The easy vpn client is actually replacing a part of the remaining crypto map entry.  I mention that only to say that when both tunnels were configured using the same crypto map, everything was fine.  The easy vpn tunnel is working fine now, and the crypto map ipsec tunnel establishes (phase 1 and 2), and even allows two or three packets across before traffic is seemingly not routed over the crypto map tunnel any longer.  Is there any way to get the two to play nice on the same interface?  Current config follows:

version 15.0
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.150-1.M.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 xxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
!
memory-size iomem 25
clock timezone EDT -5
dot11 syslog
no ip source-route
ip spd mode aggressive
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO1841 sn FTX1033W0NK
archive
 log config
  hidekeys
!
redundancy
!
!
ip tcp selective-ack
ip tcp path-mtu-discovery
!
track 123 interface Vlan2 ip routing
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
!
crypto ipsec client ezvpn BACKUP
 connect acl 160
 ctcp
 group unityvpn key abcdefg
 mode network-extension
 peer z.z.z.z
 username testuser password test
 xauth userid mode local
crypto ipsec client ezvpn PRIMARY
 connect acl 160
 ctcp
 group unityvpn key abcdefg
 backup BACKUP track 123
 mode network-extension
 peer z.z.z.z
 username testuser password test
 xauth userid mode local
!
!
bridge irb
!
!
!
!
interface FastEthernet0/0
 ip address x.x.x.37 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto ipsec client ezvpn BACKUP
!
!
interface FastEthernet0/1
 description LAN
 ip address 172.20.70.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn PRIMARY inside
 crypto ipsec client ezvpn BACKUP inside
!
!
interface FastEthernet0/1/0
 switchport access vlan 2
!
!
interface FastEthernet0/1/1
!
!
interface FastEthernet0/1/2
!
!
interface FastEthernet0/1/3
!
!
interface Vlan1
 no ip address
!
!
interface Vlan2
 ip address y.y.y.230 255.255.255.252
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 crypto map unitymap
 crypto ipsec client ezvpn PRIMARY
!
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map vpn interface Vlan2 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.229 track 123
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 x.x.x.38 2
!
access-list 111 deny   ip 172.20.70.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 111 permit ip 172.20.70.0 0.0.0.255 any
access-list 160 permit ip 172.20.70.0 0.0.0.255 172.20.0.0 0.0.3.255
no cdp run
!
!
!
route-map vpn permit 10
 match ip address 111
!
!
!
control-plane
!
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxx
 login
 transport input telnet
line vty 5 15
 password 7 xxxxxxxxxxxxxxxxxx
 login
 transport input telnet
!
scheduler allocate 20000 1000
end
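As an added example (not part of the original post), a small Python check that parses an IOS running-config in the shape shown above and flags any interface that carries both a crypto map and an outside Easy VPN client, which is the combination the poster is asking about. The SAMPLE_CONFIG excerpt is constructed from the posted config; the parser relies only on IOS's convention that sub-commands are indented under their section header.

```python
import re

# Constructed excerpt of the posted running-config (addresses left as in the thread).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
!
interface FastEthernet0/0
 ip address x.x.x.37 255.255.255.252
 crypto ipsec client ezvpn BACKUP
!
interface FastEthernet0/1
 ip address 172.20.70.1 255.255.255.0
 crypto ipsec client ezvpn PRIMARY inside
!
interface Vlan2
 ip address y.y.y.230 255.255.255.252
 crypto map unitymap
 crypto ipsec client ezvpn PRIMARY
!
"""

def parse_sections(config):
    """Group an IOS config into (header, [sub-commands]) pairs using indentation."""
    sections = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # "!" or a blank line ends the current section
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        elif not line.startswith(" "):
            current = (line, [])
            sections.append(current)
    return sections

def find_crypto_conflicts(config):
    """Return interfaces that have both a crypto map and an *outside* ezvpn client.

    'crypto ipsec client ezvpn NAME inside' only marks the LAN side, so it is ignored.
    """
    conflicts = []
    for header, body in parse_sections(config):
        if not header.startswith("interface "):
            continue
        has_map = any(cmd.startswith("crypto map ") for cmd in body)
        has_ezvpn = any(re.fullmatch(r"crypto ipsec client ezvpn \S+", cmd) for cmd in body)
        if has_map and has_ezvpn:
            conflicts.append(header.split(" ", 1)[1])
    return conflicts
```

Run against the full posted config, the check reports Vlan2 as the only interface where the two features overlap.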
