07-14-2005 08:36 AM - edited 03-09-2019 11:50 AM
I currently have a Cisco 1711 device configured with a Site to Site VPN tunnel to a Cisco 831 device at a remote site. It works great.... I now configured the Easy VPN Server on the same interface as the Site to Site VPN tunnel is on and now the Site to Site VPN tunnel doesn't work but the VPN clients do. When I configure the "crypto isakmp key 123456 address 0.0.0.0 0.0.0.0 with the "no-xauth" command for the Site to Site VPN tunnel the Site to Site VPN tunnel begins to work but the VPN clients no longer work. What gives? Can I configure a Site to Site VPN tunnel and an Easy VPN server on the same interface?
07-14-2005 11:52 AM
EZVPN and site-site should work on same intf.
But, you should not use wildcard keys (0.0.0.0) for site-site. You probably have the old style config, and the crypto map is defined globally to do xauth; the key for the clients is defined under the crypto isakmp client group parameters.
Now, to get the site-site to work, you must define a specific key (since you know the remote site's ip) and use no-xauth after that.
crypto isakmp key 12345 address 100.1.1.1 no-xauth
If you need to use wildcard keys for site-site also, then this will not work. This is an old issue, and we came up with the new style config (using isakmp profiles and keyrings). So you will have 2 crypto map sequences, 2 isakmp profiles - one matching Phase 1 ID of vpn groupname, the other matching P1 ID of IP address with wildcard 0.0.0.0 and with a specific keyring.
Let me know if this is what you need and I can shoot a config.
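The profile-and-keyring layout the reply describes, written out as an added example (not a config posted in this thread). It reuses the names from the SDM-generated config shown later in the thread (group remote-clients, AAA lists sdm_vpn_xauth_ml_1 and sdm_vpn_group_ml_1, transform set ESP-3DES-SHA, interface FastEthernet0); the keyring, profile, crypto map and dynamic map names and the pre-shared key value are assumptions. The point of the split is that xauth is attached to the Easy VPN profile only, so the global "crypto isakmp key ... address 0.0.0.0 0.0.0.0 no-xauth" line, which disables xauth for every peer it matches, is no longer needed and should be removed.

```cisco
! Keyring with the wildcard pre-shared key for site-to-site peers whose
! address is assigned dynamically by the ISP (key value is an assumption).
crypto keyring S2S-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key S2S-PSK
!
! Easy VPN clients identify themselves with the group name in Phase 1,
! so this profile matches on the group and is the only place xauth and
! group authorization are configured.
crypto isakmp profile EZVPN-PROF
 match identity group remote-clients
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
!
! Site-to-site peers identify themselves by IP address. This profile
! matches any address-type identity, takes its key from the keyring
! above, and carries no xauth, so the remote 831 is never prompted.
crypto isakmp profile S2S-PROF
 keyring S2S-KEYRING
 match identity address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! One dynamic map per profile; "set isakmp-profile" binds the entry to
! the peers that negotiated Phase 1 under that profile. No "match address"
! on the site-to-site entry because the peer's address is unknown; the
! proxy identities come from the remote side and reverse-route injects
! the remote subnet once the SA is up.
crypto dynamic-map S2S-DYNMAP 10
 set transform-set ESP-3DES-SHA
 set isakmp-profile S2S-PROF
 reverse-route
!
crypto dynamic-map EZVPN-DYNMAP 10
 set transform-set ESP-3DES-SHA
 set isakmp-profile EZVPN-PROF
 reverse-route
!
! Two sequences in one crypto map. The profile binding, not the sequence
! order, decides which entry a given peer is allowed to use.
crypto map VPN-CMAP 10 ipsec-isakmp dynamic S2S-DYNMAP
crypto map VPN-CMAP 20 ipsec-isakmp dynamic EZVPN-DYNMAP
!
! The existing "crypto isakmp client configuration group remote-clients"
! block (with its group key, pool and split-tunnel ACL) stays as it is.
!
interface FastEthernet0
 crypto map VPN-CMAP
```

With this in place, "show crypto isakmp sa detail" shows each SA with the profile it was matched to, which is the quickest check that a given peer landed on the intended entry. The wildcard site-to-site key is still shared by every remote router, so a compromised branch can impersonate any other branch at Phase 1; per-peer keys or certificates are the way to close that if it matters.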
07-14-2005 01:37 PM
Yes.. then I think I need the isakmp profiles and keyrings config, since my remote site-to-site VPN's are dynamically IP assigned by the ISP. Here is a clip from my current config, where the crypto isakmp key xxxx address 0.0.0.0 0.0.0.0 no-xauth is used to get the site-to-site working but breaks the VPN clients.
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key passkey address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 1800 periodic
!
crypto isakmp client configuration group remote-clients
key test
pool SDM_POOL_1
acl 104
group-lock
max-logins 3
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 100
crypto dynamic-map SDM_DYNMAP_1 2
set transform-set ESP-3DES-SHA
reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0
description Outside$ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip ips sdm_ips_rule in
ip ips sdm_ips_rule out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
07-14-2005 06:39 PM
I got it. Thanks for pointing me in the right direction. Everything works great!!! Here was the web site I found that helped ---> http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/1800fix/scg/vpnezvpn.htm
03-16-2006 09:05 AM
I'm trying to do Easy VPN server and S2S on the same router/Interface where most clients will be S2S and a smaller subset will be Easy VPN Remotes. I know about the ISAKMP profiles - but I have a very large installed base of S2S (5k) and don't want to use profiles unless I have to (keep me from having to modify 20k lines of configuration).
Would you mind emailing me this config. Got this setup w/ no-xauth? Here's what I've got on the server:
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
username xxx password xxx
username xxx password xxx
!
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 2
encr 3des
authentication pre-share
lifetime 1800
crypto isakmp key test address 2.2.2.4 no-xauth
!
crypto isakmp client configuration group hwclient
key test123
acl 101
save-password
!
!
crypto ipsec transform-set 3adp esp-3des esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set AES128 esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set AES128
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer x.x.x.x
set transform-set 3adp
match address remote_client
reverse-route
!
!
!
!
interface FastEthernet0/0
ip address 15.x.x.x.x.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 2.x.x.x.x.255.0
duplex auto
speed auto
crypto map clientmap
!
ip access-list extended remote_client
permit ip 15.15.15.0 0.0.0.255 30.30.30.0 0.0.0.255
!
access-list 101 permit ip 15.15.15.0 0.0.0.255 any
I get this error from ipsec when the S2S tries to come up (Easy VPN remotes work fine):
rack4_2691-1#
*Jun 12 03:58:39.825: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.1, remote= 2.2.2.4,
local_proxy= 15.15.15.0/255.255.255.0/0/0 (type=4),
remote_proxy= 30.30.30.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xFBC0AEAA(4223708842), conn_id= 0, keysize= 0, flags= 0x400A
*Jun 12 03:58:39.981: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 2.2.2.1, remote= 2.2.2.4,
local_proxy= 15.15.15.0/255.255.255.0/0/0 (type=4),
remote_proxy= 30.30.30.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Jun 12 03:58:39.981: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
*Jun 12 03:58:39.985: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 2.2.2.4
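An added example (not a config from this thread) showing the one change that most often produces exactly this failure with the posted config: the dynamic entry clientmap 10 has no "match address", so it matches the site-to-site proxy identity 15.15.15.0/24 <-> 30.30.30.0/24 first, and it only offers AES128, so the peer's esp-3des/esp-sha-hmac proposal is rejected before the static entry 20 is considered. Cisco's guidance is that dynamic crypto map entries carry the highest sequence numbers so that static entries are evaluated first. The peer address 2.2.2.4 is taken from the key line and the debug output and is assumed to be the masked x.x.x.x; nothing else in the config changes and no ISAKMP profiles are required.

```cisco
! Original order (fails for the site-to-site peer):
!   crypto map clientmap 10 ipsec-isakmp dynamic dynmap   <- evaluated first, AES128 only
!   crypto map clientmap 20 ipsec-isakmp                  <- never reached for this identity
!
! Corrected order: static site-to-site entry first, dynamic Easy VPN
! entry at the highest sequence number.
no crypto map clientmap 10 ipsec-isakmp dynamic dynmap
no crypto map clientmap 20 ipsec-isakmp
!
crypto map clientmap 10 ipsec-isakmp
 set peer 2.2.2.4
 set transform-set 3adp
 match address remote_client
 reverse-route
!
crypto map clientmap 65535 ipsec-isakmp dynamic dynmap
!
! The client authentication / isakmp authorization lines on clientmap are
! unchanged; the static peer still skips xauth because its key is defined
! with "no-xauth":
!   crypto isakmp key test address 2.2.2.4 no-xauth
```

After the change, "show crypto map" should list sequence 10 with the remote_client ACL and peer 2.2.2.4 ahead of the dynamic entry, and "debug crypto ipsec" should show the inbound proposal from 2.2.2.4 validated against esp-3des esp-sha-hmac rather than the AES128 transform set. Removing and re-adding the map entries briefly clears existing SAs on that interface, so do it in a maintenance window.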