How to set up VPN Client and site-to-site tunnel on Cisco 831

brtaylor
Level 4

How can I set up a Cisco 831 router (branch location) so that it will accept inbound VPN Client connections and initiate a site-to-site IPSec tunnel to our hub location that uses a VPN 3005 Concentrator?  I could get the tunnel to work by configuring it in a dynamic crypto map but interesting traffic on the Cisco 831 side would not bring the tunnel up.  I could only bring it up from the hub side.  If I use a static crypto map and apply it to the outside interface of the 831 I can get this to work but then I couldn't get the VPN Client to work.

Thanks.

5 Replies

Hi,

Normally you will use a dynamic crypto map on the 831 to accept VPN client connections and use a static crypto map for the L2L tunnel.

The dynamic crypto map is bound to the static crypto map so both work at the same time.

Federico.

Hi Federico,

Thanks for the response.  Here's what the router originally had.  Does the static map automatically get bound to the dynamic map or is there a command to do that?  Note the dynamic map is applied to the interface.  Should it be the static map?

Thanks.

Brad

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
crypto map mymap 30 ipsec-isakmp
 set peer 12.129.68.22
 set transform-set myset
 match address 107
!
crypto map outmap 10 ipsec-isakmp dynamic dynmap

interface Ethernet1
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 crypto map clientmap

The dynamic map is called clientmap
The static map is called mymap

You should have:

no crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 10 ipsec-isakmp dynamic clientmap

interface Ethernet1
crypto map mymap

Federico.

Hi Federico,

Thanks, that helped!  Here's my final config:


crypto isakmp client configuration group pengrp
 key *******
 pool vpnpool
 acl 105
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group pengrp
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNclient
!
crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map outmap 20 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set myset
 match address 115
!
interface Ethernet1
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 crypto map outmap
!

Looks fine.

The only thing is that you want to give priority to the static map.

no crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map outmap 30 ipsec-isakmp dynamic dynmap

Federico.
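
The two checks this thread converges on, as an added example that is not part of the original posts: the crypto map applied to the interface needs a static entry for the router to initiate the site-to-site tunnel, and that static entry should carry a lower sequence number than the dynamic one. The helper names `parse` and `lint` are hypothetical, and the sample is constructed from the final config posted above.

```python
import re

# Constructed sample: the crypto map lines of the final config posted above.
SAMPLE_CONFIG = """\
crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map outmap 20 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set myset
 match address 115
!
interface Ethernet1
 crypto map outmap
!
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
IFACE = re.compile(r"^interface (\S+)$")
APPLIED = re.compile(r"^crypto map (\S+)$")

def parse(config):
    """Return ({map: [(seq, dynamic_map or None)]}, {interface: applied map})."""
    maps, applied, iface = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ENTRY.match(line):
            maps.setdefault(m[1], []).append((int(m[2]), m[3]))
        elif m := IFACE.match(line):
            iface = m[1]
        elif line == "!":
            iface = None  # "!" closes the interface block
        elif iface and (m := APPLIED.match(line)):
            applied[iface] = m[1]
    return maps, applied

def lint(config):
    """Flag applied crypto maps that lack a static entry or order it too late."""
    maps, applied = parse(config)
    findings = []
    for iface, name in sorted(applied.items()):
        static = [seq for seq, dyn in maps.get(name, []) if dyn is None]
        dynamic = [seq for seq, dyn in maps.get(name, []) if dyn is not None]
        if not static:
            findings.append(f"{iface}: {name} has no static entry (cannot initiate L2L)")
        elif dynamic and min(dynamic) < max(static):
            findings.append(f"{iface}: {name} dynamic seq {min(dynamic)} precedes static seq {max(static)}")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_CONFIG) or "no findings")
```

Run against the originally posted config, where `clientmap` is applied to Ethernet1, the same function reports the missing static entry instead.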