03-14-2015 11:01 AM
I have an EZVpn client/server model. The server and client are both 2821's. Currently I am doing split tunneling and only tunneling 10.x.x.x traffic via an ACL pushed from the server. I have a need to tunnel all traffic from one specific IP on the client network and would like to continue split tunneling the rest. Below is the current configuration. I have tried modifying the ACL on the server and/or the client to achieve what I am trying to do but the crypto maps are as expected. In the current configuration the Crypto Maps show tunneling anything to 10.x.x.x -
----------------------Server ------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto isakmp client configuration group SiteVPN
key 12345
domain domain.local
acl 101
split-dns domain.local
!
crypto isakmp profile SiteVPN-profile
vrf Site1VPN
match identity group SiteVPN
isakmp authorization list default
client configuration address initiate
client configuration address respond
!
crypto dynamic-map SiteVPN-profile 1
set transform-set tset
set reverse-route distance 10
set isakmp-profile SiteVPN-profile
reverse-route
!
crypto map external 101 ipsec-isakmp dynamic SiteVPN-profile
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
--------------------Client ---------
crypto isakmp key 12345 hostname vpn.blah.com
!
crypto ipsec client ezvpn SiteVPN
connect auto
group SiteVPN key 12345
mode network-extension
peer vpn.blah.com
xauth userid mode interactive
03-14-2015 06:49 PM
Hi Douglas,
What you can do is leave the existing profile for the split-tunnel clients and create an additional profile for the client that needs everything in the tunnel.
That solves your need.
thanks
03-15-2015 09:47 PM
rizwanr74,
Thanks for the reply. My understanding of EZvpn is that it only supports one tunnel, and if I try to configure it on the client I get an error that confirms it once I try to apply it to the outside interface: 'Error:Crypto EZVPN currently supports only one tunnel'.
It is possible EZVPN is not a solution to this issue and I may have to go another route, but we have been using it for the last 7+ years and it has worked for our needs thus far, so why change? I am willing to explore other options if needed. It is important to note that any other solution needs to be scalable, allow for dynamic clients (public IP) and be able to use VRFs on the server/headend side of things.
Thanks in advance!
-Doug
03-17-2015 07:13 PM
Hi Doug,
"My understanding of EZvpn is that it only supports one tunnel"
Yes, that is true for one client router, but you want to tunnel everything from a specific client router to the hub, so you create a second new isakmp profile, map it to a second dynamic crypto map instance, and use the second isakmp profile on the specific client router that needs to tunnel everything to the hub.
Please take a look at the attached Cisco doc.
thanks
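A concrete version of the two-profile layout described in this reply, as an added example that is not from the original thread or the attached Cisco doc. The names SiteVPN-full and SiteVPN-full-profile, the sequence number 102 and the key placeholder are assumptions; the VRF, transform set and peer are reused from Doug's posted config, and the inside/outside interface bindings on the client stay as they are today.

```cisco
! ---- Hub (server): added next to the existing SiteVPN group ----
! Second client group. It is identical to SiteVPN except that it has
! no "acl" line, so the hub pushes no split-tunnel list and the client
! sends all traffic through the tunnel.
crypto isakmp client configuration group SiteVPN-full
 key <new-group-key>
 domain domain.local
 split-dns domain.local
!
! Second ISAKMP profile, matched only by the full-tunnel group.
crypto isakmp profile SiteVPN-full-profile
 vrf Site1VPN
 match identity group SiteVPN-full
 isakmp authorization list default
 client configuration address initiate
 client configuration address respond
!
! Second dynamic map bound to the new profile; reverse-route still
! injects the client's network-extension subnet into the hub routing table.
crypto dynamic-map SiteVPN-full-profile 1
 set transform-set tset
 set reverse-route distance 10
 set isakmp-profile SiteVPN-full-profile
 reverse-route
!
! New sequence number on the existing crypto map; the split-tunnel
! clients keep landing on sequence 101 and ACL 101 is unchanged.
crypto map external 102 ipsec-isakmp dynamic SiteVPN-full-profile

! ---- Client router that must tunnel everything ----
! Only the group name and key differ from the existing client config.
crypto ipsec client ezvpn SiteVPN-full
 connect auto
 group SiteVPN-full key <new-group-key>
 mode network-extension
 peer vpn.blah.com
 xauth userid mode interactive
```

On the full-tunnel client, `show crypto ipsec client ezvpn` should show no split-tunnel list once the tunnel is up, while the existing clients continue to receive the 10.0.0.0/8 entry from ACL 101.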