Hi!
I have run into the following trouble:
Imagine that our clients use two types of equipment:
1) Laptop/Desktop with Cisco IPSEC VPN Client installed
2) PDA running Win2003M, using the native Windows L2TP over IPsec.
I can successfully configure only one of them at a time, but not both. The problem is in the dynamic map:
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto ipsec transform-set 4l2tp ah-md5-hmac esp-3des
 mode transport
!
crypto dynamic-map dynmap 5
 set transform-set 4l2tp
 match address 166
crypto dynamic-map dynmap 10
 set transform-set vpn
 reverse-route
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description to xDSL bridge
 ip address .....
 ip nat outside
 crypto map clientmap
!
I have no idea how to force the L2TP clients to use dynmap 5 and the Cisco clients to use dynmap 10. It seems that if the transform sets in the 5th entry don't match the client side (if it uses the Cisco VPN client, not L2TP/IPsec), then the router does not check the 10th entry in dynmap and drops the SA.
I can even broaden the question: is it possible to handle a set of different transform sets in a dynamic map (if the peer IP address is undetermined)?
Any suggestion will be appreciated!
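One approach to the situation described above, added here as an illustration and not taken from the original post: IOS allows a single dynamic-map entry to list several transform sets in priority order, so both client types can negotiate against one entry instead of depending on entry order. The transform-set and map names are the ones from the post; the assumption is that the router's IOS version accepts multiple transform sets per `set transform-set` line and that the ACL 166 match is no longer needed for the combined entry.

```text
! Same two transform sets as in the original configuration.
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto ipsec transform-set 4l2tp ah-md5-hmac esp-3des
 mode transport
!
! One dynamic-map entry offering both sets; the peer is matched
! against each in the listed order, so a Cisco VPN Client that
! rejects 4l2tp (transport mode) can still agree on vpn.
crypto dynamic-map dynmap 10
 set transform-set 4l2tp vpn
 reverse-route
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
```

Verify the outcome with `show crypto ipsec sa` after each client type connects, checking that the negotiated transform and mode (transport for L2TP, tunnel for the Cisco client) are the expected ones.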