Douglas Oman

EZVpn ACL/Crypto map Issues?

I have an EZVpn client/server model. The server and client are both 2821s. Currently I am doing split tunneling and only tunneling 10.x.x.x traffic via an ACL pushed from the server. I have a need to tunnel all traffic from one specific IP on the client network and would like to continue split tunneling the rest. Below is the current configuration. I have tried modifying the ACL on the server and/or the client to achieve what I am trying to do but the crypto maps are as expected. In the current configuration the Crypto Maps show tunneling anything to 10.x.x.x - 



----------------------Server ------

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp client configuration group SiteVPN
 key 12345
 domain domain.local
 acl 101
 split-dns domain.local
crypto isakmp profile SiteVPN-profile
   vrf Site1VPN
   match identity group SiteVPN
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
crypto dynamic-map SiteVPN-profile 1
 set transform-set tset
 set reverse-route distance 10
 set isakmp-profile SiteVPN-profile
crypto map external 101 ipsec-isakmp dynamic SiteVPN-profile
access-list 101 permit ip any



--------------------Client ---------

crypto isakmp key 12345 hostname
crypto ipsec client ezvpn SiteVPN
 connect auto
 group SiteVPN key 12345
 mode network-extension
 xauth userid mode interactive

Rising star

Hi Douglas,


What you can do is leave the existing profile for split-tunnel clients and create an additional profile for the client that needs everything in the tunnel.


That solves your need.




Thanks for the reply - From my understanding of EZvpn is that it only supports one tunnel and if I try to configure it on the client I get an error that confirms it once I try to apply the outside interface... 'Error:Crypto EZVPN currently supports only one tunnel'.

It is possible EZVPN is not a solution to this issue and I may have to go another route, but we have been using it for the last 7+ years and it has worked for our needs thus far, so why change? I am willing to explore other options if needed. It is important to note that any other solution needs to be scalable, allow for dynamic clients (public IP) and be able to use VRFs on the server/headend side of things.


Thanks in advance!


Hi Doug,


"From my understanding of EZvpn is that it only supports one tunnel" 

Yes, that is true on a client router, but you want to tunnel everything from a specific client router to the hub, so you create a second, new isakmp-profile, map it to a second dynamic-crypto instance, and use the second isakmp-profile on the specific client router that needs to tunnel everything to the hub.

Please take a look at the attached Cisco doc.
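
The suggestion in the reply above, sketched as an added IOS configuration example (not taken from the posts or from the attached Cisco doc): a second client configuration group with no split-tunnel `acl`, a second ISAKMP profile that matches it, and a second dynamic-map instance. The names `SiteVPN-Full` and `SiteVPN-Full-profile` and the key placeholder are assumptions; every other name is reused from the server configuration posted in the question.

```cisco
! ---- Server (added example; SiteVPN-Full* names and key are hypothetical) ----
! Second group: same settings as SiteVPN but with no "acl" line,
! so no split-tunnel list is pushed and the client tunnels all traffic.
crypto isakmp client configuration group SiteVPN-Full
 key <second-group-key>
 domain domain.local
!
! Second ISAKMP profile, selected by the group name the client presents.
crypto isakmp profile SiteVPN-Full-profile
   vrf Site1VPN
   match identity group SiteVPN-Full
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
!
! Second instance of the existing dynamic map, bound to the new profile.
! The existing "crypto map external 101 ... dynamic SiteVPN-profile" line
! already references this dynamic map, so it is left unchanged.
crypto dynamic-map SiteVPN-profile 2
 set transform-set tset
 set reverse-route distance 10
 set isakmp-profile SiteVPN-Full-profile
!
! ---- Client router that must tunnel everything ----
! Still a single EZVPN tunnel; only the group it joins changes.
crypto ipsec client ezvpn SiteVPN
 connect auto
 group SiteVPN-Full key <second-group-key>
 mode network-extension
 xauth userid mode interactive
```

After the client reconnects, `show crypto ipsec sa` on either end shows whether the negotiated remote identity is now any destination instead of only 10.x.x.x.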


