02-09-2011 07:25 AM
How can I set up a Cisco 831 router (branch location) so that it will accept inbound VPN Client connections and initiate a site-to-site IPSec tunnel to our hub location that uses a VPN 3005 Concentrator? I could get the tunnel to work by configuring it in a dynamic crypto map but interesting traffic on the Cisco 831 side would not bring the tunnel up. I could only bring it up from the hub side. If I use a static crypto map and apply it to the outside interface of the 831 I can get this to work but then I couldn't get the VPN Client to work.
Thanks.
02-09-2011 07:41 AM
Hi,
Normally you will use a dynamic crypto map on the 831 to accept VPN client connections and use a static crypto map for the L2L tunnel.
The dynamic crypto map is bound to the static crypto map so both work at the same time.
Federico.
02-09-2011 08:01 AM
Hi Federico,
Thanks for the response. Here's what the router originally had. Does the static map automatically get bound to the dynamic map or is there a command to do that? Note the dynamic map is applied to the interface. Should it be the static map?
Thanks.
Brad
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
crypto map mymap 30 ipsec-isakmp
 set peer 12.129.68.22
 set transform-set myset
 match address 107
!
crypto map outmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet1
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 crypto map clientmap
02-09-2011 08:09 AM
The dynamic map is called clientmap
The static map is called mymap
You should have:
no crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 10 ipsec-isakmp dynamic clientmap
interface Ethernet1
crypto map mymap
Federico.
02-09-2011 09:21 AM
Hi Federico,
Thanks, that helped! Here's my final config:
crypto isakmp client configuration group pengrp
 key *******
 pool vpnpool
 acl 105
crypto isakmp profile VPNclient
 description VPN clients profile
 match identity group pengrp
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNclient
!
crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map outmap 20 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set myset
 match address 115
!
interface Ethernet1
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 crypto map outmap
!
02-09-2011 09:31 AM
Looks fine.
The only thing is that you want to give priority to the static map.
no crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map outmap 30 ipsec-isakmp dynamic dynmap
Federico.