That’s how I know how to do it (crypto maps). But it seems a little while back someone recommended using Virtual Tunnel Interfaces, especially if you wanted to do any type of QOS over the tunnel and use GRE’s.

Robert

This is exactly what I was looking for. Thank you guys!

You are very welcome Robert

Thanks for counting on us.

OK, so I'm getting a little lost in the different designs. I have a VTI (I guess Static VTI) on each router that is up and running and passing OSPF across. So, the L2L is working great. Now, I want each router to also handle VPN Clients (legacy ipsec client software or anyconnect) as well. This is where I am lost. How, or what type of VTI do I setup on each end that will allow the router to do both? I have read the documentation, but it's very confusing. Any help is appreciated.

One way that I can suggest is by using dynamic VTI and configure EZVPN or you can also configure SSLVPN on one router and use the other router as a redundancy/failover using HSRP.

More info about DVTI can be found on following link,

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1080079

I agree with Rudy, set up DVTI for your RA IPsec clients:

Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI)

crypto isakmp client configuration group cisco

     key cisco

     dns 6.0.0.2

     wins 7.0.0.1

     domain cisco.com

     pool dpool

     acl 101

!

crypto isakmp profile vi

   match identity group cisco

   isakmp authorization list default

   client configuration address respond

   virtual-template 1

!

* This is just a portion of the entire configuration.

So as you can see, all you need on the IPsec software side is the same as always:

Group name: cisco

Group password: cisco

The client side is not aware of the DVTI settings on the Router side.

Check and let me know if you still have any questions.

Thanks.

Please rate any helpful posts

I wonder, can I use a SVTI for my Site-to-Site connections and a DVTI for the clients, on the same router?

Yes you can.

OK, I'll lab it tonight. My understand of the logic is if the request comes into the router, if it sources from the known crypto peer address, the router will forward the request to the SVTI. If it comes in from an unknown, the request will be forwarded to the DVTI for an attempt to authenticate with the configured group name and credentials?

Keep us posted.

Thanks.

Portu

OK, so configured both routers last night. I managed to get the SVTI and DVTI (SVTI for L2L tunnel and DVTI for vpn clients) to work great on the router that has a static ip. However, one of the router is at my house which has a dynamic IP. No big deal as far as everything else is concerned because I just put "ip dhcp" on F0/0 (WAN Interface). However, once I built the config for the DVTI, I kept getting errors on the terminal (received uncencrypted packet when it should be encrypted) from the ISAKMP engine. Now, the SVTI was up the whole time, but as soon as I press 'connect' on my VPN client, I see that error. Eventually this hosed things up and brought down my SVTI.

So my question is this, being that F0/0 is 'ip dhcp" and the vritual template is "unnumbered", does this pose a problem and won't work?