akif.naeem21
Level 1

I want to configure remote access VPN on my production router, on which we have set up a P2P IPsec VPN. Please guide me: can I do this on the same router with the existing policy/IKE? I would love a working example because I haven't much time... thanks

1 Accepted Solution

Accepted Solutions

This is actually normal behavior for the IOS router. It supports a single crypto map on an interface. So what you need to do is to combine the logic of clientmap and of CMAP into a single crypto map and then use that single map on the interface.

HTH

Rick


8 Replies

Richard Burts
Hall of Fame

When you mention p2p IPsec vpn are you talking about site to site vpn or about something else?

I have set up site to site VPN and Remote Access VPN (AnyConnect) on an IOS router and it works. There is very little policy shared between the two implementations. For example the site to site VPN probably uses IKEv1 but if you choose to use IPsec in AnyConnect it will use IKEv2 (and the default is for AnyConnect to use SSL and not IPsec). If you show us what you have configured I may be able to point you at what you will need to add AnyConnect.

HTH

Rick


Hi, thanks all.

Now I am having a very strange problem: I am configuring both VPNs on the same interface, but the maps overwrite each other....

Below is my configuration....
********************************************RemoteVPN*******************************************

Router(config)#
Router(config)#aaa new-model
Router(config)#aaa authentication login userauthen local
Router(config)#aaa authorization network groupauthor local
Router(config)#aaa session-id common
Router(config)#resource policy

Router(config)#username akif.naeem secret 0 ev003

Router(config)#crypto isakmp policy 100
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config-isakmp)#

Router(config)#crypto isakmp client configuration group vpnclient
Router(config-isakmp-group)#key evamp123
Router(config-isakmp-group)#dns 10.10.10.10
Router(config-isakmp-group)#wins 10.10.10.20
Router(config-isakmp-group)#domain ev.com
Router(config-isakmp-group)#pool ippool
Router(config-isakmp-group)#acl 120

Router(config)#crypto ipsec transform-set trset esp-3des esp-md5-hmac

Router(config)#crypto dynamic-map dynmap 10
Router(config-crypto-map)#set transform-set trset
Router(config-crypto-map)#reverse-route

Router(config)#crypto map clientmap client authentication list userauthen
Router(config)#crypto map clientmap isakmp authorization list groupauthor
Router(config)#crypto map clientmap client configuration address respond
Router(config)#crypto map clientmap 10 ipsec-isakmp dynamic dynmap

Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 124.x.x.x 255.255.255.248
Router(config-if)#no shutdown
Router(config-if)#ip virtual-reassembly
Router(config-if)#crypto map clientmap

Router(config)#ip local pool ippool 192.168.x.x 192.168.x.x
Router(config)#ip http server
Router(config)#no ip http secure-server
Router(config)#access-list 120 permit ip any any

Router#wr
Building configuration...

******************************IPsecVPN Phase-2***************************************

R2(config)# crypto isakmp key ev address 124.x.x.x
R2(config)# ip access-list extended 150
R2(config-ext-nacl)# permit ip any any

R2(config)# crypto ipsec transform-set EnS esp-3des esp-md5-hmac
R2(config)# crypto map CMAP 20 ipsec-isakmp
R2(config-crypto-map)# set peer 124.x.x.x
R2(config-crypto-map)# set transform-set EnS
R2(config-crypto-map)# match address 150

R2(config)# interface FastEthernet0/0
R2(config-if)# crypto map CMAP




It's overwriting the newly added map.... Can I configure both VPNs on the same interface?

This is actually normal behavior for the IOS router. It supports a single crypto map on an interface. So what you need to do is to combine the logic of clientmap and of CMAP into a single crypto map and then use that single map on the interface.

HTH

Rick


Thanks @Richard Burts. Now a step ahead, but I am facing a phase 1 xauth error, meaning the tunnels are not coming up; the SA gets deleted after the xauth error.

CISCO#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state           conn-id status
124.109.x.x     124.x.x.x       CONF_XAUTH      2026    ACTIVE
124.109.x.x     124.x.x.x       MM_NO_STATE     2025    ACTIVE (deleted)
124.109.x.x     124.x.x.x       MM_NO_STATE     2024    ACTIVE (deleted)

If you are getting xauth error then check the authentication parameters. If you do not find the issue there then perhaps run debug on the ISAKMP.

HTH

Rick

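A worked version of the accepted solution above, covering both the single-crypto-map merge and the CONF_XAUTH state shown in the later post. This is an added example, not configuration from the thread or from Cisco documentation. It assumes both tunnels terminate on the same router on FastEthernet0/0, reuses the names from the posted configs (the logic of clientmap folded into CMAP; dynmap, trset, userauthen, groupauthor, vpnclient and ippool unchanged), keeps the thread's 124.x.x.x placeholder as the site-to-site peer, and substitutes hypothetical subnets 10.1.1.0/24 and 10.2.2.0/24 for the posted "permit ip any any" crypto ACL.

```cisco
! Added example (not from the thread): one crypto map carrying both the
! static site-to-site entry and the dynamic remote-access entry.
! 124.x.x.x is the thread's placeholder for the site-to-site peer; the
! 10.1.1.0/24 and 10.2.2.0/24 subnets are assumed for illustration.
!
! --- IKE phase 1 policy shared by both tunnels (pre-shared keys) ---
crypto isakmp policy 100
 encryption 3des
 authentication pre-share
 group 2
!
! Site-to-site peer key. Once the map carries "client authentication list",
! IOS also demands XAUTH from the static peer, which leaves the SA stuck in
! CONF_XAUTH and then deleted. "no-xauth" exempts this peer.
crypto isakmp key ev address 124.x.x.x no-xauth
!
! --- Remote-access group, pool and split-tunnel ACL (as posted) ---
crypto isakmp client configuration group vpnclient
 key evamp123
 dns 10.10.10.10
 wins 10.10.10.20
 domain ev.com
 pool ippool
 acl 120
ip local pool ippool 192.168.x.x 192.168.x.x
access-list 120 permit ip any any
!
! --- Crypto ACL for the static tunnel ---
! Narrow this to the real subnets; "permit ip any any" would try to send
! every packet leaving the interface to the static peer, including the
! remote-access clients' own IPsec traffic. (Subnets below are assumed.)
ip access-list extended 150
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto ipsec transform-set trset esp-3des esp-md5-hmac
!
! Dynamic template for the clients: transform set plus a reverse route
! so the pool addresses are reachable from the inside.
crypto dynamic-map dynmap 10
 set transform-set trset
 reverse-route
!
! --- The single map applied to the interface ---
! The three map-wide lines enable XAUTH and mode-config for the clients.
! The static entry takes the lower sequence number so it is evaluated
! first; the dynamic entry goes last with the highest sequence number.
crypto map CMAP client authentication list userauthen
crypto map CMAP isakmp authorization list groupauthor
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp
 set peer 124.x.x.x
 set transform-set trset
 match address 150
crypto map CMAP 65535 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 crypto map CMAP
```

Verify with `show crypto map interface FastEthernet0/0`, which should list sequence 10 with the static peer followed by the dynamic entry; `show crypto isakmp sa` should then show the static peer reaching QM_IDLE instead of sitting in CONF_XAUTH, while client sessions still pass through XAUTH.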

Diego Lopez
Level 1

Hello,

You can check this documentation; it will give you the step-by-step process to set up the VPN client on a Cisco router:

http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html

Just modify the name of the crypto map according to the names you are using in your existing setup; site-to-site and remote access can work together.

I am surprised at this suggestion. The link shows how to configure split tunneling when using the old IPsec VPN client. In today's environment why suggest a product that is EOL and EOS. Why would we suggest a Remote Access VPN solution different from AnyConnect? Additionally this example shows only Remote Access VPN and does not show coexistence of Remote Access VPN with Site to Site VPN.

HTH

Rick


Hello Richard,

When people talk about remote access VPN they are most likely referring to the VPN client, and this user is requesting a configuration example, not client advice. It would be great if the user could confirm what he was looking for.

The configuration there does not illustrate a site-to-site tunnel coexisting with remote access VPN, but I can confirm that it works because I have done it and it works with no problems: the IPsec client works with the dynamic crypto map, and if you have static maps on top of that one they can operate with no issues.

I understand that the VPN client is out of sale and support, but not all users will have the option to purchase an SSL license to enable AnyConnect; that's another thing to consider when recommending AnyConnect.