I recently configured an Easy VPN client connection on one of the interfaces (interface Vlan2) of our 1841 router. This interface already has a crypto map applied to it for a different peer. The Easy VPN client is actually replacing part of the remaining crypto map entry. I mention that only to say that when both tunnels were configured using the same crypto map, everything was fine. The Easy VPN tunnel is working fine now, and the crypto map IPsec tunnel establishes (phase 1 and 2) and even allows two or three packets across before traffic is seemingly no longer routed over the crypto map tunnel. Is there any way to get the two to play nice on the same interface? Current config follows:
version 15.0
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.150-1.M.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 xxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
!
memory-size iomem 25
clock timezone EDT -5
dot11 syslog
no ip source-route
ip spd mode aggressive
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO1841 sn FTX1033W0NK
archive
 log config
  hidekeys
!
redundancy
!
!
ip tcp selective-ack
ip tcp path-mtu-discovery
!
track 123 interface Vlan2 ip routing
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
!
crypto ipsec client ezvpn BACKUP
 connect acl 160
 ctcp
 group unityvpn key abcdefg
 mode network-extension
 peer z.z.z.z
 username testuser password test
 xauth userid mode local
crypto ipsec client ezvpn PRIMARY
 connect acl 160
 ctcp
 group unityvpn key abcdefg
 backup BACKUP track 123
 mode network-extension
 peer z.z.z.z
 username testuser password test
 xauth userid mode local
!
!
bridge irb
!
!
!
!
interface FastEthernet0/0
 ip address x.x.x.37 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto ipsec client ezvpn BACKUP
!
!
interface FastEthernet0/1
 description LAN
 ip address 172.20.70.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn PRIMARY inside
 crypto ipsec client ezvpn BACKUP inside
!
!
interface FastEthernet0/1/0
 switchport access vlan 2
!
!
interface FastEthernet0/1/1
!
!
interface FastEthernet0/1/2
!
!
interface FastEthernet0/1/3
!
!
interface Vlan1
 no ip address
!
!
interface Vlan2
 ip address y.y.y.230 255.255.255.252
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 crypto map unitymap
 crypto ipsec client ezvpn PRIMARY
!
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map vpn interface Vlan2 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.229 track 123
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 x.x.x.38 2
!
access-list 111 deny ip 172.20.70.0 0.0.0.255 172.20.0.0 0.0.3.255
access-list 111 permit ip 172.20.70.0 0.0.0.255 any
access-list 160 permit ip 172.20.70.0 0.0.0.255 172.20.0.0 0.0.3.255
no cdp run
!
!
!
route-map vpn permit 10
 match ip address 111
!
!
!
control-plane
!
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxx
 login
 transport input telnet
line vty 5 15
 password 7 xxxxxxxxxxxxxxxxxx
 login
 transport input telnet
!
scheduler allocate 20000 1000
end
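As an added example (not part of the original post), a small audit script that flags the situation described above: an outside interface carrying both a static crypto map and an Easy VPN client, plus any crypto map that is referenced on an interface but never defined. The sample config is a constructed excerpt modelled on the post; interface and map names are taken from it.

```python
"""Audit a Cisco IOS config for crypto map / Easy VPN client overlap on one interface."""
import re

# Constructed sample config, trimmed from the post; the crypto map body is not shown
# there either, so the audit also reports the map as undefined.
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn PRIMARY
connect acl 160
mode network-extension
peer z.z.z.z
!
interface FastEthernet0/0
ip address x.x.x.37 255.255.255.252
crypto ipsec client ezvpn BACKUP
!
interface Vlan2
ip address y.y.y.230 255.255.255.252
crypto map unitymap
crypto ipsec client ezvpn PRIMARY
!
"""

def parse_interfaces(config):
    """Return {interface_name: [sub-command lines]}; a block ends at '!'.
    Works without indentation, since pasted dumps often lose leading spaces."""
    blocks, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line == "!" or not line:
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def defined_crypto_maps(config):
    """Names of crypto maps that have at least one sequence entry defined."""
    return {m.group(1) for m in re.finditer(r"^crypto map (\S+) \d+ ", config, re.M)}

def audit(config):
    findings, maps = [], defined_crypto_maps(config)
    for name, lines in parse_interfaces(config).items():
        cmap = [l.split()[2] for l in lines if l.startswith("crypto map ")]
        # 'inside' marks the LAN side of an EzVPN client, not an outside binding
        ez = [l.split()[4] for l in lines
              if l.startswith("crypto ipsec client ezvpn ") and not l.endswith(" inside")]
        if cmap and ez:
            findings.append(f"{name}: crypto map {cmap[0]} and EzVPN client {ez[0]} on same outside interface")
        for m in cmap:
            if m not in maps:
                findings.append(f"{name}: crypto map {m} referenced but not defined")
    return findings
```

Run `audit(open("running-config.txt").read())` against a full `show running-config` dump to check a live device.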