
Configuring an EzVPN client and a LAN-to-LAN tunnel on the same router



Contents

 Introduction
    Hardware and Software Versions
Network Diagram
Configurations
    RouterA
    RouterB
    VPN client
Related Information

Introduction

This document describes a feature new in Cisco IOS 12.3(11)T that lets a router be configured both as an EzVPN client and with a static LAN-to-LAN tunnel on the same interface. A typical application is a remote router that acts as a client to the headquarters Easy VPN server while it also has a site-to-site tunnel that is used strictly for management.

In the network diagram below, RouterA is configured both as an EzVPN client and with a LAN-to-LAN tunnel to RouterB. The LAN-to-LAN tunnel covers only traffic from RouterA itself to the network behind RouterB; it can be used to encrypt Telnet, SNMP, syslog, TFTP, etc. traffic between RouterA and the network behind RouterB.

At the same time, traffic from the network behind RouterA can access the network behind RouterB using the EzVPN client functions configured on RouterA.

Hardware and Software Versions

These configurations were tested with the following software versions:
Cisco IOS Version 12.3(11)T on the EzVPN client and L2L router (RouterA)

Cisco IOS Version 12.3(6) on the remote EzVPN server router (RouterB); this could feasibly be any crypto image that supports the EzVPN server feature

Network Diagram

[Figure: Network setup]

Notes:

Configurations


RouterA configuration
 
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!         
!
!
ip ips po max-events 100
no ip domain lookup
ip dhcp-server 172.17.81.127
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp keepalive 20 10
!         
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
!
! EzVPN client configuration
crypto ipsec client ezvpn china
 connect auto
 group china key mnbvcxz
 mode network-extension
 peer 10.66.79.105
!
! LAN-to-LAN tunnel configuration for management traffic
crypto map mymap 10 ipsec-isakmp
 set peer 10.66.79.105
 set transform-set 3des
 match address 120
!
!
!
interface FastEthernet0/0
 description Outside interface
 ip address 10.66.79.102 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
 crypto ipsec client ezvpn china
!
!
interface FastEthernet1/0
 description Inside interface
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn china inside
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.66.79.97
ip route 10.2.2.0 255.255.255.0 10.66.79.105
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
! Send syslog traffic from RouterA to a syslog server behind RouterB. This traffic is encrypted using the LAN-to-LAN tunnel
logging trap warnings
logging source-interface FastEthernet0/0
logging 10.2.2.100
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 120 permit ip host 10.66.79.102 10.2.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
! Send SNMP traffic from RouterA to an SNMP server behind RouterB. This traffic is encrypted using the LAN-to-LAN tunnel
snmp-server trap-source FastEthernet0/0
snmp-server host 10.2.2.100 cisco123
!
!
control-plane
!
!         
!
!
line con 0
 exec-timeout 0 0
line aux 0
 modem InOut
 modem autoconfigure type usr_courier
 transport input all
 speed 115200
line vty 0 4
 login
 transport preferred all
 transport input all
!
! NTP traffic from this router will also be encrypted over the LAN-to-LAN tunnel
ntp server 10.2.2.200 source FastEthernet0/0
!
end

 

RouterB configuration
 
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip cef
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!  
! EzVPN server configuration; these parameters match the EzVPN client configuration on RouterA. This tunnel carries traffic between 10.1.1.0/24 and 10.2.2.0/24 only
crypto isakmp client configuration group china
 key mnbvcxz
 acl 150
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set 3des
 reverse-route
!
!
!
! Crypto map "mymap" defines both a LAN-to-LAN tunnel (instance 10) and a dynamic crypto map (instance 99) for the EzVPN server.
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp
 set peer 10.66.79.102
 set transform-set 3des
 match address 120
crypto map mymap 99 ipsec-isakmp dynamic dynmap
!
!
!         
!
interface Ethernet0/0
 description Outside interface
 ip address 10.66.79.105 255.255.255.224
 half-duplex
 crypto map mymap
!
interface BRI0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 description Inside interface
 ip address 10.2.2.1 255.255.255.0
 half-duplex
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.66.79.97
!
!
! Access-list 120 defines the LAN-to-LAN tunnel traffic.  Access-list 150 defines the split-tunnel network sent to RouterA for the EzVPN tunnel.
access-list 120 permit ip 10.2.2.0 0.0.0.255 host 10.66.79.102
access-list 150 permit ip 10.2.2.0 0.0.0.255 any
!         
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
!
!
end
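As an added example (not part of the original Cisco document), the following Python script cross-checks the two configurations above for the mismatches that most often break the static LAN-to-LAN tunnel: each side's set peer must be the other side's outside address, and RouterB's crypto ACL 120 must be the mirror image of RouterA's ACL 120. It parses constructed excerpts of the RouterA and RouterB configs shown above; the parser handles host and network/wildcard ACL entries only, and the function names are this example's own.

```python
import re
# Constructed excerpts of the RouterA / RouterB configs on this page, trimmed
# to the lines that the static LAN-to-LAN tunnel depends on.
ROUTER_A = """crypto map mymap 10 ipsec-isakmp
 set peer 10.66.79.105
 match address 120
interface FastEthernet0/0
 ip address 10.66.79.102 255.255.255.224
 crypto map mymap
access-list 120 permit ip host 10.66.79.102 10.2.2.0 0.0.0.255
"""
ROUTER_B = """crypto map mymap 10 ipsec-isakmp
 set peer 10.66.79.102
 match address 120
crypto map mymap 99 ipsec-isakmp dynamic dynmap
interface Ethernet0/0
 ip address 10.66.79.105 255.255.255.224
 crypto map mymap
access-list 120 permit ip 10.2.2.0 0.0.0.255 host 10.66.79.102
"""

def parse(cfg):
    """Outside address, static crypto-map entries and crypto ACL entries ((src, wild), (dst, wild))."""
    info, addr, cur = {"outside": None, "maps": [], "acls": {}}, None, None
    for line in cfg.splitlines():
        t = re.sub(r"host (\S+)", r"\1 0.0.0.0", line).split()  # 'host X' -> 'X 0.0.0.0'
        if not line.startswith(" "):  # a top-level line ends the current crypto-map block
            cur = None
        if t[:2] == ["ip", "address"]:
            addr = t[2]
        elif t[:2] == ["crypto", "map"] and line.startswith(" "):  # map applied under an interface
            info["outside"] = addr
        elif t[:2] == ["crypto", "map"] and t[4:5] == ["ipsec-isakmp"] and "dynamic" not in t:
            info["maps"].append(cur := {"seq": t[3], "peer": None, "acl": None})
        elif t[:2] == ["set", "peer"] and cur:
            cur["peer"] = t[2]
        elif t[:2] == ["match", "address"] and cur:
            cur["acl"] = t[2]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            info["acls"].setdefault(t[1], []).append((tuple(t[4:6]), tuple(t[6:8])))
    return info

def check_l2l(a, b):
    """Findings for the static LAN-to-LAN map between parsed configs a and b (empty list = consistent)."""
    m, n = a["maps"][0], b["maps"][0]
    peers_ok = (m["peer"], n["peer"]) == (b["outside"], a["outside"])
    acls_ok = [(d, s) for s, d in a["acls"][m["acl"]]] == b["acls"][n["acl"]]
    return ([] if peers_ok else ["set peer does not match the other side's outside address"]) + \
           ([] if acls_ok else [f"ACL {m['acl']} is not the mirror image of remote ACL {n['acl']}"])
```

Run `check_l2l(parse(ROUTER_A), parse(ROUTER_B))`; an empty list means the peers and crypto ACLs line up, and any string returned names the side that needs fixing.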

 


Related Information

IPSec profile configuration

Easy VPN Client - 12.3(11)T new features



All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights reserved. Important Notices and Privacy Statement.