Easy VPN Remote and Site to Site on the Same Interface

dick.svensson
Level 1

Hi,

This is the case:

We have a remote site which needs to be connected to our office, and at the same time be connected to a third party, both using VPN.

The connection to our office is done by EasyVPN and the one to the third party is done by using a crypto-map (ISAKMP tunnel). According to the documentation, this should be possible:

:BeginQuote:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/ftezvpnr.htm

Easy VPN Remote and Site to Site on the same Interface

This feature allows the Easy VPN remote and site to site (crypto map) to be supported on the same interface, making it possible to both establish a tunnel to another Easy VPN server and have another site to site on the same interface simultaneously. A typical application would be a third-party VPN service provider that is managing a remote router via the site-to-site tunnel and using Easy VPN Remote to connect the remote site to a corporate Easy VPN server.

For more information about the Easy VPN Remote and Site to Site on the Same Interface feature, see "Easy VPN Remote and Site to Site on the Same Interface" in the section "Additional References".

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/ftezvpnr.htm#wp1027269

:End Quote:

I'm basically just interested in the document that's being referred to, it's exactly our case...

Has anyone done this, or does anyone have ideas of how it should be done?

Txs, in advance.

--

Dick Svensson

9 Replies

gfullage
Cisco Employee

I wrote a sample config for this a while back that has yet to be published to CCO. I'll email the html page straight to the email address in your CCO profile; let me know if the email address is invalid or you want me to send it somewhere else.

I have received your email, and will start to look at the example. I will get back to this thread and post a follow-up to inform others how it's progressing.

/Best regards

--

Dick Svensson

I too have a similar circumstance. I have a PIX 501 and a PIX 506E in a site to site with VPN Dialer access to the 506E. I would like to see how you have configured it. My Site to Site keeps getting dropped and I have to restart the 501 and magically it is back up for about an hour, then gets dropped. I am starting to lean towards faulty equipment.

I really don't see the similarity in our cases, but if you say so it's probably true. I don't use a Virtual Dialer interface, and I don't get up my tunnels at the same time. But please enlighten me about your problem, and maybe we can take down this bull together.

/Regards

Dick Svensson

PIX 6.2(2) with site-to-site VPN and new Easy VPN Remote to another PIX acting as Easy VPN Server. Does that work? Your example above says it is working for IOS.

PIX says that only crypto map or Easy VPN Remote can be active, not both.

Many Thanks

regards

Peter

I have the same problem with the site-to-site and easy vpn remote on the same interface.

Can you help me please?

Thanks in advance

Not applicable

Hi,

Today, after 11 years I've come with the same problem. Can you pls share the sample config?

gfullage
Cisco Employee

Boy, had to scan the archives to find this. I don't even know how valid this is any more really, as the IOS config has moved on quite significantly from there, but I've attached the HTML file I made up years ago and a small picture to go along with it.

Note the .txt file will need to be renamed to .html, then you should just be able to browse to it directly. This system wouldn't let me upload a .html file.

Have fun.

Not applicable

Thank you SIR, for your prompt response. My case is Router B; however, my P2P VPN is working normally, but when I add the ezvpn conf, EZVPN starts working normally but the P2P VPN shows the state as CONF_XAUTH.

However, I've found the solution, which needs to be tested.

"Use the no-xauth keyword when you enter the isakmp key, so the device does not prompt the peer for XAUTH information (username and password). This keyword disables XAUTH for static IPsec peers. Enter a command similar to this on the device that has both L2L and RA VPN configured on the same crypto map:"

router(config)#crypto isakmp key cisco123 address 172.22.1.164 no-xauth
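
A way to check a saved configuration for the condition the quoted documentation describes, as an added example that is not part of the thread or of the attached sample config: it lists static pre-shared-key peers that lack `no-xauth` on a device whose crypto map requests XAUTH. The sample configuration, its keys, peer addresses and the `userauth` list name are constructed, and treating `client authentication list` on the crypto map as the XAUTH trigger is an assumption of this example.

```python
import re

# Constructed sample configuration. Only the first line is the command quoted
# in the thread; every other key, peer and list name is a placeholder.
SAMPLE_CONFIG = """\
crypto isakmp key cisco123 address 172.22.1.164 no-xauth
crypto isakmp key 0 s3cret address 192.0.2.10
crypto isakmp key s3cret2 address 198.51.100.0 255.255.255.0
crypto isakmp key s3cret3 address 203.0.113.7 255.255.255.255 no-xauth
crypto map VPN client authentication list userauth
"""

# crypto isakmp key [0|6] <key> address <peer> [mask] [no-xauth]
KEY_RE = re.compile(
    r"^crypto isakmp key\s+(?:[06]\s+)?(?P<key>\S+)\s+address\s+(?P<addr>\S+)"
    r"(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?(?P<noxauth>\s+no-xauth)?\s*$"
)
# Assumption: XAUTH is requested for the crypto map with this command.
XAUTH_RE = re.compile(r"^crypto map \S+ client authentication list \S+")


def xauth_requested(config):
    """True if any crypto map in the config asks peers for XAUTH."""
    return any(XAUTH_RE.match(line.strip()) for line in config.splitlines())


def static_peers_missing_noxauth(config):
    """Return (address, mask) for each static key entry without no-xauth.

    The pre-shared key is parsed but never returned, so the report can be
    shared without leaking secrets.
    """
    missing = []
    for line in config.splitlines():
        m = KEY_RE.match(line.strip())
        if m and not m.group("noxauth"):
            missing.append((m.group("addr"), m.group("mask")))
    return missing


if __name__ == "__main__":
    if xauth_requested(SAMPLE_CONFIG):
        for addr, mask in static_peers_missing_noxauth(SAMPLE_CONFIG):
            scope = f"{addr} {mask}" if mask else addr
            print(f"static peer {scope}: key entry has no 'no-xauth'")
```
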