Native IPSEC plus L2TP over IPSEC

Kypamop
Level 1

Hi!

I have run into the following trouble:

Imagine that our clients use 2 types of equipment:

1) Laptop/Desktop with the Cisco IPSEC VPN Client installed

2) PDA running Win2003M, using native Windows L2TP over IPSEC.

I can successfully configure only one of them at a time, but not both. The problem is in the dynamic map:

crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto ipsec transform-set 4l2tp ah-md5-hmac esp-3des
 mode transport
!
crypto dynamic-map dynmap 5
 set transform-set 4l2tp
 match address 166
crypto dynamic-map dynmap 10
 set transform-set vpn
 reverse-route
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description to xDSL bridge
 ip address .....
 ip nat outside
 crypto map clientmap
!

I have no idea how to force the L2TP clients to use dynmap 5 and the Cisco clients to use dynmap 10. It seems that if the transform set in the 5th entry doesn't match the client side (if it uses the Cisco VPN Client, not L2TP/IPSEC), then the router does not check the 10th entry in dynmap and drops the SA.

I can even broaden the scope of the question: is it possible to handle a set of different transform sets in a dynamic map (if the peer IP address is undetermined)?

Any suggestion will be appreciated!
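The following is an added example from the editor, not configuration from the poster or from Cisco, and it goes slightly beyond the post's case by putting both client types on one dynamic-map entry. On IOS a dynamic-map entry's `set transform-set` accepts several transform sets (up to six); the router tries them in the listed order and uses the first one that agrees with the peer's proposal, so a transport-mode set for the Windows L2TP/IPsec client and a tunnel-mode set for the Cisco VPN Client can share one entry instead of depending on which entry is evaluated first. The transform-set, map and key names, the pre-shared key, and the assumption that the Windows client proposes ESP 3DES/SHA in transport mode are all assumptions for illustration.

```cisco
! Added example, not the original post's config. Names and the key are assumed.
!
! Transport-mode set for the Windows L2TP/IPsec client (Windows proposes
! ESP 3DES/SHA in transport mode; assumption, confirm with debug crypto ipsec)
crypto ipsec transform-set l2tp-ts esp-3des esp-sha-hmac
 mode transport
!
! Tunnel-mode set for the Cisco VPN Client (tunnel is the default mode)
crypto ipsec transform-set client-ts esp-3des esp-sha-hmac
 mode tunnel
!
! One dynamic-map entry, several transform sets: IOS evaluates them in the
! order written and picks the first that matches the peer's phase-2 proposal.
! No match address, so the proxy identities of either client type are accepted.
crypto dynamic-map dynmap 10
 set transform-set l2tp-ts client-ts
 reverse-route
!
! Wildcard pre-shared key for the Windows client; no-xauth keeps the router
! from demanding Xauth from a peer that cannot answer it. (assumed key)
crypto isakmp key ASSUMED_PSK address 0.0.0.0 0.0.0.0 no-xauth
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
```

After both clients connect, `show crypto ipsec sa` lists, per SA, the negotiated `transform:` line and whether the in-use settings are `Transport` or `Tunnel`, which confirms that each client landed on the intended transform set rather than being dropped at entry selection; `debug crypto ipsec` shows the proposal comparison if one of them still fails.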

1 Reply

mhussein
Level 4

Hello,

Consider using "IPSec profiles" for each type, and set the dynamic map to match based on the profile. See this configuration example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

HTH,

Mustafa