Cisco Easy&Dynamic VPN

Dear All,

I want to ask if a Cisco router can work simultaneously configured for Easy VPN and dynamic VPN for different sites.

I mean I have a router which is configured to respond to remote access Easy VPN for some sites using the below config; can I use it too to add dynamic VPN for other sites?

Remote access Easy VPN config

!
aaa authentication login acs local
aaa authorization network acs local 

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!

crypto isakmp client configuration group CISCO
 key ciscocisco
 pool mypool
 acl 101
 save-password

!
crypto ipsec transform-set test esp-3des esp-md5-hmac 
 mode tunnel

!

crypto dynamic-map map 10
 set transform-set test 
 reverse-route

!

crypto map i-map client authentication list acs
crypto map i-map isakmp authorization list acs
crypto map i-map client configuration address respond
crypto map i-map 10 ipsec-isakmp dynamic map 
!

!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!

!
interface ATM0/1/0
 description DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname nama20004
 ppp chap password 0 220004
 ppp pap sent-username nama20004 password 0 220004
 crypto map i-map
!
ip local pool mypool 192.168.30.1 192.168.30.100
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 171 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 171 permit ip any any
dialer-list 2 protocol ip permit
!

I want to add the below dynamic VPN config; can the router support both?


crypto keyring ccp-dmvpn-keyring  
  pre-shared-key address 0.0.0.0 0.0.0.0 key users@CISCO
!

crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2

!

crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0 
!

crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs 
 mode transport
!

crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5 
 set isakmp-profile ccp-dmvpn-isakmprofile
!

interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!

ip route 192.168.32.0 255.255.255.0 172.16.0.32
ip route 192.168.33.0 255.255.255.0 172.16.0.33
ip route 192.168.34.0 255.255.255.0 172.16.0.34


Regards,

4 Replies

Yes, you can use both at the same time. For a less complex config you should perhaps migrate EzVPN to the new config-style instead of using crypto maps:

crypto isakmp client configuration group CISCO
 key ciscocisco
 pool mypool
 acl 101
 save-password

crypto isakmp profile VPN-RA
   match identity group CISCO
   client authentication list acs
   isakmp authorization list acs
   client configuration address respond
   virtual-template 1
crypto ipsec profile VPN-RA
 set transform-set ESP-AES128-SHA
!
interface Virtual-Template1 type tunnel
 description Tunnel for Cisco VPN-Client
 ip unnumbered Dialer1
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-RA
--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
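A defender-side sanity check for the kind of merged EzVPN + DMVPN config discussed in this thread, as an added example that is not from the thread, Karsten, or Cisco: a small Python linter that reads the crypto sections as one config and flags dangling transform-set and ISAKMP-profile references, the wildcard 0.0.0.0 0.0.0.0 pre-shared key, 3DES/MD5 in the ISAKMP policies, and type-0 cleartext secrets. The sample config is constructed from the thread's fragments (one transform-set name is deliberately left undefined in it), and the regex patterns and finding strings are my own.

```python
import re

# Constructed sample: fragments of the two configs from this thread, merged into one.
SAMPLE_CONFIG = """\
crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key users@CISCO
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
 set isakmp-profile ccp-dmvpn-isakmprofile
crypto ipsec profile VPN-RA
 set transform-set ESP-AES128-SHA
interface Dialer1
 ppp chap password 0 220004
"""

WEAK_ALGOS = {"des", "3des", "md5"}

def lint_crypto_config(config: str) -> list:
    """Return human-readable findings for a merged EzVPN + DMVPN IOS config."""
    findings = []
    # 1. Dangling references: every 'set <kw> NAME' needs a matching definition.
    for ref_kw, def_re in (("transform-set", r"^crypto ipsec transform-set (\S+)"),
                           ("isakmp-profile", r"^crypto isakmp profile (\S+)")):
        defined = set(re.findall(def_re, config, re.M))
        for name in re.findall(rf"^\s*set {ref_kw} (\S+)", config, re.M):
            if name not in defined:
                findings.append(f"undefined {ref_kw} referenced: {name}")
    # 2. Wildcard pre-shared key: one secret shared with any peer address.
    if re.search(r"^\s*pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0", config, re.M):
        findings.append("wildcard pre-shared-key (0.0.0.0 0.0.0.0) in keyring")
    # 3. Weak ISAKMP policy algorithms (the thread's policies use 3DES and MD5).
    for line in config.splitlines():
        m = re.match(r"^\s*(encr|hash)\s+(\S+)", line)
        if m and m.group(2) in WEAK_ALGOS:
            findings.append(f"weak isakmp {m.group(1)}: {m.group(2)}")
    # 4. Type-0 (cleartext) secrets, such as the PPP CHAP password in the posted config.
    for m in re.finditer(r"^\s*(\S.*?password) 0 \S+", config, re.M):
        findings.append(f"cleartext type-0 secret: '{m.group(1)}'")
    return findings
```

Run it against `show running-config` output saved to a file before merging the two feature sets; an empty list means none of the four checks fired.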

Hi Karsten again,

I got your point. On the other hand, can the branch also connect simultaneously to two HQs, one using Easy VPN and the other using dynamic VPN?

Regarding the migration of the EzVPN, can you provide me a full configuration example of site-to-site Easy VPN without crypto map?

Thanks for your continuous help.

Dear Karsten,

Attached is the branch config, which works fine with dynamic VPN to the other HQ (not attached), but using the Easy VPN I can't ping the HQ local LAN even though show crypto isakmp sa shows QM_IDLE.

The HQ Easy VPN config (also attached) can't ping the branch local LAN either, and likewise show crypto isakmp sa shows QM_IDLE.

I want site-to-site Easy VPN between the attached configs so that both local LANs can ping each other.

Please give me your feedback.

Hi my friend again,

Now, using Easy VPN, the HQ can reach the remote LAN of the branch but not vice versa, after I renamed the client group, which was the mistake.

The updated config is attached; the branch can't reach the HQ using Easy VPN (ping 192.168.1.1). The output of sh cry ipsec sa is also there. Ignore the pings from the branch to 192.168.0.254, which is another site using dynamic VPN (using the tunnel interface).

Please take time to look at the config.