both Easy VPN Server and a Site-to-Site tunnel on the same interface?

Posted by ksun6868 on January 21, 2008, 1:17 pm
Greetings,

        We have a Cisco 3845. We are using it to route to the internet (T3
Sprint) and I also configured EASY VPN Server.
        Now we want to build a Site-to-site VPN to a client site.

I am trying to make both Easy VPN Server and a Site-to-site
tunnel work on the same serial interface. I can bring both VPNs up,
with some twist. I wonder if there is a better way to do this.
        The issue is with the ipsec policy and crypto maps.

        The Easy VPN defines crypto map as
                crypto map SDM_CMAP_1 client authentication list ab_login
                crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
                crypto map SDM_CMAP_1 client configuration address respond
                crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

        And the Site-to-Site VPN needs crypto map as
                crypto map SDM_CMAP_2 2 ipsec-isakmp
                 set transform-set SDM_TRANSFORMSET_1
                 set peer <peer ip>
                 match address SDM_1

        Each interface only takes one crypto map command. So I can start
either VPN by switching to different ipsec policy/crypto map, but not
both at the same time.
        However, I can start the Site-to-Site VPN first and then attach Easy
VPN Server's policy to it.
                crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
                crypto map SDM_CMAP_2 client authentication list ab_login
                crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_1
                crypto map SDM_CMAP_2 client configuration address respond

        Both will be functioning. But if the Site-to-Site tunnel for some
reason is down, I could not restart it as it is. It will complain that
the configuration is different from the peer's or something like it.
        I would have to delete the crypto map, recreate the crypto map, start
the Site-to-Site, and then attach the EasyVPN stuff.

        The questions are:
        1. Is there a cleaner way of doing this (both Easy VPN Server and a
Site-to-Site tunnel on the same interface)?
        2. So far I have to start the site-to-site tunnel by clicking "Test
Tunnel" on the SDM interface. Is there a better way to start the tunnel?
        3. Can we use another interface rather than the one that faces the
internet?
        4. We notice that the site-to-site tunnel is down every 24 hours,
probably due to a time out. Is there any way to set it up so there is "no time
out"?

        Thanks!

Kang Sun
sun_kang@hotmail.com

Posted by Andrew J Cosgriff on January 21, 2008, 7:24 pm
ksun6868 wrote :

> Greetings,
>
>         We have a Cisco 3845. We are using it to route to the internet (T3
> Sprint) and I also configured EASY VPN Server.
>         Now we want to build a Site-to-site VPN to a client site.
>
> I am trying to make both Easy VPN Server and a Site-to-site
> tunnel work on the same serial interface. I can bring both VPNs up,
> with some twist. I wonder if there is a better way to do this.
>         The issue is with the ipsec policy and crypto maps.
>
>         The Easy VPN defines crypto map as
>                 crypto map SDM_CMAP_1 client authentication list ab_login
>                 crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
>                 crypto map SDM_CMAP_1 client configuration address respond
>                 crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
>
>         And the Site-to-Site VPN needs crypto map as
>                 crypto map SDM_CMAP_2 2 ipsec-isakmp
>                  set transform-set SDM_TRANSFORMSET_1
>                  set peer <peer ip>
>                  match address SDM_1
>
>         Each interface only takes one crypto map command. So I can start
> either VPN by switching to different ipsec policy/crypto map, but not
> both at the same time.

This may simply be a limitation of SDM - you might want to investigate
implementing it via the command line instead (I can assure you it works
fine there).

--
http://andrew.j.cosgriff.name/ | one step ahead of the hangman
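The CLI form of what the first post does by hand (one crypto map carrying the static site-to-site entry plus the Easy VPN dynamic entry), which is the route Andrew's reply points at. This is an added example, not a config from the thread; the SDM_* names, ab_login and sdm_vpn_group_ml_1 come from the post, while Serial1/0, the peer 203.0.113.10, the subnets, the key and the cipher choices are assumed placeholders, and the AAA lists and Easy VPN client group created by SDM are assumed to already exist.

```cisco
! Added example, not from the thread. Assumed values: Serial1/0, peer
! 203.0.113.10, local 192.168.1.0/24, remote 10.10.0.0/16, placeholder PSK.
!
! Phase 1 policy shared by the site-to-site peer and the Easy VPN clients
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
! Pre-shared key for the static peer only (Easy VPN clients use the group)
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.10
!
! Dead-peer detection: a stale SA is torn down and renegotiated instead of
! lingering half-open on one side
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-aes 256 esp-sha-hmac
!
! Interesting traffic for the site-to-site tunnel; the static entry
! negotiates as soon as a packet matches this ACL
ip access-list extended SDM_1
 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
!
! Dynamic template for Easy VPN clients: no peer, no match address
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set SDM_TRANSFORMSET_1
 reverse-route
!
! One crypto map. Entries are evaluated by sequence number, so the static
! peer at 2 is matched first and the dynamic entry at 65535 catches the
! remaining (Easy VPN) negotiations. The three map-level commands bind the
! AAA lists and address-pool handling to the whole map.
crypto map SDM_CMAP_2 client authentication list ab_login
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 2 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set SDM_TRANSFORMSET_1
 match address SDM_1
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
! An interface takes a single crypto map, so the combined map is the one
! applied to the internet-facing interface
interface Serial1/0
 crypto map SDM_CMAP_2
```

Because the static entry is triggered by traffic matching SDM_1, nothing needs to be clicked to start it; `show crypto isakmp sa` and `show crypto ipsec sa` show which entries currently have SAs.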

Posted by on January 24, 2008, 9:57 pm
wrote:
> ksun6868 wrote :
>
> > Greetings,
>
> >         We have a Cisco 3845. We are using it to route to the internet (T3
> > Sprint) and I also configured EASY VPN Server.
> >         Now we want to build a Site-to-site VPN to a client site.
>
> > I am trying to make both Easy VPN Server and a Site-to-site
> > tunnel work on the same serial interface. I can bring both VPNs up,
> > with some twist. I wonder if there is a better way to do this.
> >         The issue is with the ipsec policy and crypto maps.
>
> >         The Easy VPN defines crypto map as
> >                 crypto map SDM_CMAP_1 client authentication list ab_login
> >                 crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
> >                 crypto map SDM_CMAP_1 client configuration address respond
> >                 crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
>
> >         And the Site-to-Site VPN needs crypto map as
> >                 crypto map SDM_CMAP_2 2 ipsec-isakmp
> >                  set transform-set SDM_TRANSFORMSET_1
> >                  set peer <peer ip>
> >                  match address SDM_1
>
> >         Each interface only takes one crypto map command. So I can start
> > either VPN by switching to different ipsec policy/crypto map, but not
> > both at the same time.
>
> This may simply be a limitation of SDM - you might want to investigate
> implementing it via the command line instead (I can assure you it works
> fine there).
>
> --
> http://andrew.j.cosgriff.name/ | one step ahead of the hangman
>

I think I posted a full working config in the thread:-
"Cisco 1760 router and VPN client Connection Issues Options"

