I have an EZVPN client/server model. The server and client are both 2821s. Currently I am doing split tunneling and only tunneling 10.x.x.x traffic via an ACL pushed from the server. I have a need to tunnel all traffic from one specific IP on the client network and would like to continue split tunneling the rest. Below is the current configuration. I have tried modifying the ACL on the server and/or the client to achieve what I am trying to do, but the crypto maps are as expected. In the current configuration the crypto maps show tunneling anything to 10.x.x.x:
! Headend (EZVPN server) side
crypto isakmp policy 1
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
! Client group for the split-tunnel clients (its sub-commands were not included in the post)
crypto isakmp client configuration group SiteVPN
!
! ISAKMP profile that matches that group and hands out addresses
crypto isakmp profile SiteVPN-profile
 match identity group SiteVPN
 isakmp authorization list default
 client configuration address initiate
 client configuration address respond
!
! Dynamic crypto map entry bound to the profile; RRI injects client routes
crypto dynamic-map SiteVPN-profile 1
 set transform-set tset
 set reverse-route distance 10
 set isakmp-profile SiteVPN-profile
!
crypto map external 101 ipsec-isakmp dynamic SiteVPN-profile
!
! Split-tunnel ACL pushed to the clients: only 10.x.x.x traffic is tunneled
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
! Client side: pre-shared key for the headend vpn.blah.com, then the EZVPN client profile
crypto isakmp key 12345 hostname vpn.blah.com
crypto ipsec client ezvpn SiteVPN
 group SiteVPN key 12345
 xauth userid mode interactive
What you can do is leave the existing profile for the split-tunnel clients and create an additional profile for the client that needs everything in the tunnel.
That solves your need.
Thanks for the reply. From my understanding, EZVPN only supports one tunnel, and if I try to configure it on the client I get an error that confirms it once I try to apply it to the outside interface: 'Error:Crypto EZVPN currently supports only one tunnel'.
It is possible EZVPN is not a solution to this issue and I may have to go another route, but we have been using it for the last 7+ years and it has worked for our needs thus far, so why change; I am willing to explore other options if needed. It is important to note that any other solution needs to be scalable, allow for dynamic clients (public IP) and be able to use VRFs on the server/headend side of things.
Thanks in advance!
"From my understanding of EZvpn is that it only supports one tunnel"
Yes, that is true on a client router, but you want to tunnel everything from a specific client router to the hub, so you create a second new isakmp profile, map it to a second dynamic crypto map instance, and use the second isakmp profile on the specific client router that needs to tunnel everything to the hub.
Please take a look at the attached Cisco doc.
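The attached doc is not reproduced in the thread, so here is an added example of the second-profile approach from the reply above, written in IOS syntax; it is not config from the thread or from Cisco. The group name SiteVPN-full, the profile name SiteVPN-full-profile, the address pool EZVPN-POOL, the key placeholder, `mode network-extension` and the `peer vpn.blah.com` line are assumptions; the existing SiteVPN group, the dynamic map SiteVPN-profile, the crypto map external and the transform set tset come from the posted config. The tunnel-all behaviour comes from leaving out the `acl` line under the new group, so the headend pushes no split-tunnel list to that client. Each group gets its own pre-shared key so the tunnel-all group cannot be joined by a client that only holds the split-tunnel key. Note that this follows the reply's design: it tunnels everything from the chosen client router, not from a single host behind it.

```cisco
! ===== Headend (EZVPN server), additions only =====
!
! Existing split-tunnel group, shown in full for contrast (pool and key are assumed values)
crypto isakmp client configuration group SiteVPN
 key 12345
 pool EZVPN-POOL
 acl 101
!
! New tunnel-all group: same pool, a distinct key, and deliberately NO "acl" line.
! With no split-tunnel ACL pushed, the client sends all traffic into the tunnel.
crypto isakmp client configuration group SiteVPN-full
 key TUNNEL-ALL-KEY-PLACEHOLDER
 pool EZVPN-POOL
!
! Second ISAKMP profile, matched only by clients that present the SiteVPN-full group
crypto isakmp profile SiteVPN-full-profile
 match identity group SiteVPN-full
 isakmp authorization list default
 client configuration address initiate
 client configuration address respond
!
! Second entry in the same dynamic map, bound to the new profile.
! The existing "crypto map external 101 ipsec-isakmp dynamic SiteVPN-profile"
! already references this dynamic map, so no change to the crypto map is needed.
crypto dynamic-map SiteVPN-profile 2
 set transform-set tset
 set reverse-route distance 10
 set isakmp-profile SiteVPN-full-profile
!
! ===== The one client router that must tunnel everything =====
!
! Still a single EZVPN tunnel on this router; it simply joins the tunnel-all group.
crypto ipsec client ezvpn SiteVPN
 connect auto
 group SiteVPN-full key TUNNEL-ALL-KEY-PLACEHOLDER
 mode network-extension
 peer vpn.blah.com
 xauth userid mode interactive
!
! All other client routers keep "group SiteVPN key 12345" and continue to split tunnel.
```

After the change, `show crypto isakmp profile` on the headend should list both profiles, and `show crypto ipsec client ezvpn` on the tunnel-all router should report no split-tunnel list, while the split-tunnel routers still show the 10.0.0.0/8 entry pushed from ACL 101.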