03-14-2017 05:02 PM - edited 03-05-2019 08:11 AM
Hello community,
I am aware it is possible to use the VPN client to access the DMVPN hub and therefore the company network.
My problem is that this is not an option: before the migration to DMVPN at a customer's network, some users (unexpected!) were still using the VPN client on Macs, iPhones and iPads to access the branch in their own country. Routing packets around the planet does not make much sense because of the huuuuge RTTs...
Does anyone have an idea how to configure a spoke to work as a VPN server again? According to the debugs, the problem is the XAUTH on phase 1... I tried around with examples that achieved this functionality on the hub, with profiles and keyrings, but I couldn't get it working.
I want to avoid rolling back the DMVPN on one of the router couples in the locations which still need that.
Any help is very appreciated, many thanks in advance,
Andreas
03-14-2017 11:25 PM
The easiest option by far is to use AnyConnect. Keep IPsec for DMVPN and SSL for user-to-site VPN.
Failing that, you can use both DMVPN and user-to-site IPsec VPN at the same time. You just need to be careful about your match criteria.
For example, if you use a pre-shared key and a wildcard to match the DMVPN connections, you are going to have grief. If you use certificate-based authentication for DMVPN, then that match will be unique compared to the user-to-site IPsec VPN.
Also I would not use an old style dynamic map. I would use a new style VTI interface for the inbound user to site VPN connections.
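The separation described in the answer above, written out as an IOS configuration fragment. This is an added example, not part of the original post and not taken from the poster's routers; every name, the address pool, the trustpoint, the certificate-map attribute and the group key are placeholders or assumptions, and the ISAKMP policies (one `rsa-sig`, one `pre-share`) are assumed to exist already.

```cisco
! Added example. All names, addresses and keys are placeholders (assumptions).
aaa new-model
aaa authentication login RA-XAUTH local
aaa authorization network RA-GROUP local
!
ip local pool RA-POOL 192.0.2.10 192.0.2.50
!
! DMVPN peers are matched by certificate content, not by a wildcard PSK,
! so client connections can never fall into this profile.
crypto pki certificate map DMVPN-CERTS 10
 subject-name co ou = dmvpn
!
crypto isakmp profile DMVPN-PROF
 ca trust-point DMVPN-CA
 match certificate DMVPN-CERTS
!
! Remote-access clients are matched by their group name only.
crypto isakmp client configuration group RA-USERS
 key <GROUP-KEY-PLACEHOLDER>
 pool RA-POOL
!
! XAUTH is requested only from peers that match this profile,
! so the DMVPN phase 1 negotiation is never asked for it.
crypto isakmp profile RA-PROF
 match identity group RA-USERS
 client authentication list RA-XAUTH
 isakmp authorization list RA-GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
!
! Bind each IPsec profile to its own ISAKMP profile.
crypto ipsec profile DMVPN-IPSEC
 set transform-set VPN-TS
 set isakmp-profile DMVPN-PROF
crypto ipsec profile RA-IPSEC
 set transform-set VPN-TS
 set isakmp-profile RA-PROF
!
! Dynamic VTI for inbound clients instead of an old-style dynamic crypto map.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA-IPSEC
!
! The existing DMVPN tunnel interface keeps its own protection line:
!  tunnel protection ipsec profile DMVPN-IPSEC
```

`show crypto isakmp sa detail` and `show crypto session detail` show which ISAKMP profile each peer matched, which confirms that clients and DMVPN peers land in different profiles.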
03-23-2017 07:37 AM
Hi Philip,
Thanks for your input, and sorry I rated only just now.
In the end we went with SSL VPN over Sophos at that customer, which was planned anyway in two months... so the problem is solved^^
Kind regards,
Andreas