10-17-2012 10:04 PM
I am standing up a site with a L2L connection, but it needs to host VPN client connections as well. I know you can do it with good ole crypto maps, but isn't the preferred method these days Virtual Tunnel Interfaces? Trying to figure out the best method to handle it. Any links/guidance appreciated.
Solved! Go to Solution.
10-17-2012 10:19 PM
Hi Robert,
To be honest, today the best recommendation is to run AnyConnect instead of the legacy IPsec client.
In case you would need to run the IPsec client, it does not really matter whether you use a Virtual interface or not, since from the client's perspective the VPN functionality is the same.
I would recommend simple crypto map for a simple RA connection on a Router not handling many VPN connection types like DMVPN, VTI, DVTI, etc.
However, if you want to get more familiar with DVTI, then I suggest this link:
Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI)
Remember that the configuration for a hardware box or a software client is pretty much the same on the VPN server.
With a crypto map:
Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example
So as you can see the client's configuration is the same on the server:
crypto isakmp client configuration group vpngroup
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101
What really changes is whether you use a crypto map or a VTI.
Hope it helps.
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez
10-17-2012 10:21 PM
10-17-2012 10:09 PM
Here is a sample config for your reference:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a00809c7171.shtml
Hope that helps.
10-17-2012 10:13 PM
That's how I know how to do it (crypto maps). But it seems a little while back someone recommended using Virtual Tunnel Interfaces, especially if you wanted to do any type of QoS over the tunnel and use GREs.
Robert
10-17-2012 10:25 PM
This is exactly what I was looking for. Thank you guys!
10-17-2012 10:46 PM
You are very welcome Robert
Thanks for counting on us.
10-22-2012 12:24 AM
OK, so I'm getting a little lost in the different designs. I have a VTI (I guess Static VTI) on each router that is up and running and passing OSPF across. So, the L2L is working great. Now, I want each router to also handle VPN Clients (legacy IPsec client software or AnyConnect) as well. This is where I am lost. How, or what type of VTI do I set up on each end that will allow the router to do both? I have read the documentation, but it's very confusing. Any help is appreciated.
10-22-2012 01:43 AM
One way that I can suggest is by using dynamic VTI and configure EZVPN or you can also configure SSLVPN on one router and use the other router as a redundancy/failover using HSRP.
More info about DVTI can be found on following link,
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1080079
10-22-2012 09:38 PM
I agree with Rudy, set up DVTI for your RA IPsec clients:
Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI)
crypto isakmp client configuration group cisco
key cisco
dns 6.0.0.2
wins 7.0.0.1
domain cisco.com
pool dpool
acl 101
!
crypto isakmp profile vi
match identity group cisco
isakmp authorization list default
client configuration address respond
virtual-template 1
!
* This is just a portion of the entire configuration.
So as you can see, all you need on the IPsec software side is the same as always:
Group name: cisco
Group password: cisco
The client side is not aware of the DVTI settings on the Router side.
Check and let me know if you still have any questions.
Thanks.
Please rate any helpful posts
10-23-2012 08:46 AM
I wonder, can I use a SVTI for my Site-to-Site connections and a DVTI for the clients, on the same router?
10-23-2012 09:45 AM
Yes you can.
10-23-2012 10:30 AM
OK, I'll lab it tonight. My understanding of the logic is: if the request comes into the router and it sources from the known crypto peer address, the router will forward the request to the SVTI. If it comes in from an unknown address, the request will be forwarded to the DVTI for an attempt to authenticate with the configured group name and credentials?
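A constructed IOS configuration (added here, not posted by anyone in the thread) that puts the two designs side by side: the L2L peer is selected into the SVTI by its known static address via one ISAKMP profile, while an unknown peer presenting the Easy VPN group name is selected into the DVTI by a second profile. The peer address 203.0.113.2, Tunnel0 addressing, pool, ACL, profile names and keys are all placeholders.

```cisco
! Constructed example: SVTI for the L2L peer and DVTI for remote-access
! clients on one router. All addresses, names and keys are placeholders.
aaa new-model
aaa authentication login default local
aaa authorization network default local
username vpnuser secret REPLACE-WITH-USER-PASSWORD
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! --- L2L: the peer is matched by its known source address ---
crypto keyring L2L-KEYS
 pre-shared-key address 203.0.113.2 key REPLACE-WITH-L2L-PSK
crypto isakmp profile L2L-PROF
 keyring L2L-KEYS
 match identity address 203.0.113.2 255.255.255.255
crypto ipsec profile L2L-IPSEC
 set transform-set AES-SHA
 set isakmp-profile L2L-PROF
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile L2L-IPSEC
!
! --- RA: unknown peers are matched by the group name they present ---
ip local pool dpool 10.10.20.1 10.10.20.50
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
crypto isakmp client configuration group cisco
 key cisco
 pool dpool
 acl 101
crypto isakmp profile RA-PROF
 match identity group cisco
 client authentication list default
 isakmp authorization list default
 client configuration address respond
 virtual-template 1
crypto ipsec profile RA-IPSEC
 set transform-set AES-SHA
 set isakmp-profile RA-PROF
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA-IPSEC
```

Because each IPsec profile is bound to its own ISAKMP profile, a client that presents the wrong group name or a peer from an unexpected address simply fails to match and never lands on the wrong tunnel type.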
10-24-2012 08:07 AM
Keep us posted.
Thanks.
Portu
10-30-2012 10:27 AM
OK, so I configured both routers last night. I managed to get the SVTI and DVTI (SVTI for the L2L tunnel and DVTI for VPN clients) to work great on the router that has a static IP. However, one of the routers is at my house, which has a dynamic IP. No big deal as far as everything else is concerned because I just put "ip dhcp" on F0/0 (WAN interface). However, once I built the config for the DVTI, I kept getting errors on the terminal (received unencrypted packet when it should be encrypted) from the ISAKMP engine. Now, the SVTI was up the whole time, but as soon as I press 'connect' on my VPN client, I see that error. Eventually this hosed things up and brought down my SVTI.
So my question is this: given that F0/0 is "ip dhcp" and the virtual template is "unnumbered", does this pose a problem and won't work?