Site-to-Site and Easy Remote Server on same interface

greggm
Level 1

I currently have a Cisco 1711 device configured with a Site to Site VPN tunnel to a Cisco 831 device at a remote site. It works great.... I now configured the Easy VPN Server on the same interface as the Site to Site VPN tunnel is on and now the Site to Site VPN tunnel doesn't work but the VPN clients do. When I configure the "crypto isakmp key 123456 address 0.0.0.0 0.0.0.0" with the "no-xauth" command for the Site to Site VPN tunnel, the Site to Site VPN tunnel begins to work but the VPN clients no longer work. What gives? Can I configure a Site to Site VPN tunnel and an Easy VPN server on the same interface?

4 Replies

sunilc
Level 1

EZVPN and site-site should work on same intf.

But, you should not use wildcard keys (0.0.0.0) for site-site. You probably have the old style config, and the crypto map is defined globally to do xauth; the key for the clients is defined under the crypto isakmp client group parameters.

Now, to get the site-site to work, you must define a specific key (since you know the remote site's ip) and use no-xauth after that.

crypto isakmp key 12345 100.1.1.1 no-xauth

If you need to use wildcard keys for site-site also, then this will not work. This is an old issue, and we came up with the new style config (using isakmp profiles and keyrings). So you will have 2 crypto map sequences and 2 isakmp profiles: one matching the Phase 1 ID of the VPN group name, the other matching the Phase 1 ID of IP address with wildcard 0.0.0.0 and with a specific keyring.

Let me know if this is what you need and I can shoot a config.

Yes.. then I think I need the isakmp profiles and keyrings config, since my remote site-to-site VPNs are dynamically IP assigned by the ISP. Here is a clip from my current config, where the crypto isakmp key xxxx address 0.0.0.0 0.0.0.0 no-xauth is used to get the site-to-site working but breaks the VPN clients.

aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! wildcard pre-shared key with no-xauth: every IKE peer, the Easy VPN clients included, matches this entry
crypto isakmp key passkey address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 1800 periodic
!
crypto isakmp client configuration group remote-clients
 key test
 pool SDM_POOL_1
 acl 104
 group-lock
 max-logins 3
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! sequence 1 is the site-to-site entry (proxy ACL 100), sequence 2 the Easy VPN client entry
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 match address 100
crypto dynamic-map SDM_DYNMAP_1 2
 set transform-set ESP-3DES-SHA
 reverse-route
!
! xauth and group authorization are bound to the whole crypto map, so they apply to every peer the map terminates
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0
 description Outside$ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1

I got it. Thanks for pointing me in the right direction. Everything works great!!! Here was the web site I found that helped ---> http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/1800fix/scg/vpnezvpn.htm
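As an added example (not sunilc's, greggm's or the linked Cisco document's own config), this is the keyring-plus-ISAKMP-profile layout sunilc describes, applied to the names from greggm's config clip above; the keyring, profile and dynamic-map names (S2S_KEYRING, S2S_PROF, EZVPN_PROF, DYN_S2S, DYN_EZVPN) are assumed. Because xauth and group authorization are bound to the Easy VPN profile instead of the crypto map, the wildcard site-to-site key no longer needs the no-xauth keyword and the clients keep working.

```cisco
! Added example: ISAKMP profiles + keyring so a wildcard-keyed site-to-site peer
! and Easy VPN clients can share one crypto map on one interface.
! Names S2S_KEYRING, S2S_PROF, EZVPN_PROF, DYN_S2S and DYN_EZVPN are assumed.
!
! 0. Remove the old global wildcard key first, otherwise it still matches every peer:
!    no crypto isakmp key passkey address 0.0.0.0 0.0.0.0 no-xauth
!
! 1. The site-to-site pre-shared key lives in a keyring, not as a global key.
crypto keyring S2S_KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key passkey
!
! 2. Profile for site-to-site peers, matched on Phase 1 ID = IP address (any address).
!    No client authentication list here, so xauth is never offered to these peers.
crypto isakmp profile S2S_PROF
 keyring S2S_KEYRING
 match identity address 0.0.0.0
!
! 3. Profile for Easy VPN clients, matched on Phase 1 ID = group name.
!    xauth and group authorization move here from the crypto map; the group key
!    stays under "crypto isakmp client configuration group remote-clients".
crypto isakmp profile EZVPN_PROF
 match identity group remote-clients
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
!
! 4. One dynamic map per profile; the profile decides which entry a peer may use.
crypto dynamic-map DYN_S2S 10
 set transform-set ESP-3DES-SHA
 set isakmp-profile S2S_PROF
 match address 100
!
crypto dynamic-map DYN_EZVPN 10
 set transform-set ESP-3DES-SHA
 set isakmp-profile EZVPN_PROF
 reverse-route
!
! 5. Two crypto map sequences. The three map-level "client authentication list",
!    "isakmp authorization list" and "client configuration address respond" lines
!    and the old 65535 entry are removed; the interface keeps "crypto map SDM_CMAP_1".
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic DYN_S2S
crypto map SDM_CMAP_1 20 ipsec-isakmp dynamic DYN_EZVPN
```

After a site-to-site peer and a client have both connected, `show crypto isakmp sa` should list the peer in main mode under S2S_PROF and the client in aggressive mode under EZVPN_PROF.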

I'm trying to do Easy VPN server and S2S on the same router/Interface where most clients will be S2S and a smaller subset will be Easy VPN Remotes. I know about the ISAKMP profiles - but I have a very large installed base of S2S (5k) and don't want to use profiles unless I have to (keep me from having to modify 20k lines of configuration).

Would you mind emailing me this config. Got this setup w/ no-xauth? Here's what I've got on the server:

aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
username xxx password xxx
username xxx password xxx
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 lifetime 1800
! specific key for the site-to-site peer, excluded from xauth
crypto isakmp key test address 2.2.2.4 no-xauth
!
crypto isakmp client configuration group hwclient
 key test123
 acl 101
 save-password
!
crypto ipsec transform-set 3adp esp-3des esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set AES128 esp-aes esp-md5-hmac
!
! dynamic entry used by the Easy VPN remotes
crypto dynamic-map dynmap 10
 set transform-set AES128
 reverse-route
!
! xauth and group authorization are bound to the whole crypto map
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
! static entry for the site-to-site peer
crypto map clientmap 20 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3adp
 match address remote_client
 reverse-route
!
interface FastEthernet0/0
 ip address 15.x.x.x.x.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 2.x.x.x.x.255.0
 duplex auto
 speed auto
 crypto map clientmap
!
ip access-list extended remote_client
 permit ip 15.15.15.0 0.0.0.255 30.30.30.0 0.0.0.255
!
access-list 101 permit ip 15.15.15.0 0.0.0.255 any

I get this error from ipsec when the S2S tries to come up (Easy VPN remotes work fine):

rack4_2691-1#
*Jun 12 03:58:39.825: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.1, remote= 2.2.2.4,
    local_proxy= 15.15.15.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 30.30.30.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xFBC0AEAA(4223708842), conn_id= 0, keysize= 0, flags= 0x400A
*Jun 12 03:58:39.981: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 2.2.2.1, remote= 2.2.2.4,
    local_proxy= 15.15.15.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 30.30.30.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Jun 12 03:58:39.981: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac }
*Jun 12 03:58:39.985: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 2.2.2.4