Question : ipsec vpn and remote vpn co-exist on same router ?

Hi there,

I have a Cisco router handling multiple site-to-site IPSec connections with different peers. Crypto map is applied on the outside interface and different sequence numbers are in use, i.e. crypto map smap 10 for 1 peer, crypto map smap 20 for another peer and so on.

I have done my configuration for remote Cisco VPN and it works fine on my test lab. However, if I put it on the live router, I am just thinking there is 1 step where it might potentially conflict with the existing site-to-site IPSec configuration, i.e. the step where we sort of bind the dynamic map and static map together. Given below are those config lines.

crypto map smap 120 ipsec-isakmp dynamic-map dmap (120 is seq # of crypto map for remote vpn)

crypto map smap client authentication list test
crypto map smap client configuration address respond

Now, won't the above 2 lines conflict with the other IPSec peers? We are not specifying the sequence # in the above two lines, so won't it conflict with other IPSec site-to-site peers and try to bind this dynamic map to others when it's only required to be bound to the static map defined for this remote VPN?

Not sure if I'm able to explain correctly -:)

Attached is also my relevant existing ipsec config
Code Snippet:
crypto isakmp policy 25
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address y.y.y.y
crypto isakmp key xxx address y.y.y.y
crypto isakmp key xxx address y.y.y.y
crypto isakmp key xxx address y.y.y.y
!
!
crypto ipsec transform-set tset esp-aes
 mode transport
crypto ipsec transform-set xxx_tset esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ho_byron_bay esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ho_yha_darwin esp-aes 256 esp-sha-hmac
crypto ipsec transform-set gg_bris_valley_tset esp-aes 256 esp-sha-hmac
 
!
!
crypto map cj_map 10 ipsec-isakmp
 set peer xxx
 set transform-set xxx
 match address 102
crypto map cj_map 120 ipsec-isakmp
 set peer xxx
 set transform-set ho_byron_bay
 match address HO_Byron_Bay
crypto map cj_map 130 ipsec-isakmp
 set peer xxx
 set transform-set ho_yha_darwin
 match address HO_YHA_Darwin
crypto map cj_map 140 ipsec-isakmp
 set peer xxx
 set transform-set gg_bris_valley_tset
 match address GG_BRIS_VALLEY

Answer : ipsec vpn and remote vpn co-exist on same router ?

Hello !

What is SMAP?

You need to use the same crypto map, because the crypto map applied to the outside interface is crypto map cj_map.

This is what you need to add (and sure, trust me it is not going to affect your other tunnels)

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local


crypto isakmp client configuration group vpngroup
key cisco123
dns x.x.x.x
wins x.x.x.x
domain cisco.com
pool ippool
ACL xxx

crypto dynamic-map dynmap 10
set transform-set xxx

crypto map cj_map client authentication list userauthen
crypto map cj_map isakmp authorization list groupauthor
crypto map cj_map client configuration address respond
crypto map cj_map 65535 ipsec-isakmp dynamic dynmap

Or if you still do not believe me :-) then check this example:

Configuring IPsec Between Two Routers and a Cisco VPN Client 4.x
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

Please let me know if this information was helpful.
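The two points the answer makes (the map-level client lines and the dynamic entry must hang off the map that is actually applied to the interface, and the dynamic entry should carry the highest sequence number so the static peers are evaluated first) can be checked mechanically before the change goes on the live router. The script below is an added example, not part of the original thread or any Cisco tool: it parses the crypto map section of an IOS configuration and reports the conditions that would bite here. The sample configuration is constructed from the asker's static entries plus the answer's additions, with placeholder peer addresses from the documentation range.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not from the post): the asker's static entries plus the
# lines the answer adds. Peer addresses are documentation-range placeholders.
SAMPLE_CONFIG = """\
crypto map cj_map 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set xxx_tset
 match address 102
crypto map cj_map 120 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set ho_byron_bay
 match address HO_Byron_Bay
crypto map cj_map client authentication list userauthen
crypto map cj_map isakmp authorization list groupauthor
crypto map cj_map client configuration address respond
crypto map cj_map 65535 ipsec-isakmp dynamic dynmap
interface GigabitEthernet0/0
 crypto map cj_map
"""

SEQ_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?\s*$")
MAPLEVEL_RE = re.compile(r"^crypto map (\S+) (?:client|isakmp) .+$")
IFACE_BIND_RE = re.compile(r"^\s+crypto map (\S+)\s*$")


@dataclass
class CryptoMap:
    name: str
    static_seqs: dict = field(default_factory=dict)   # seq -> list of sub-commands
    dynamic_seqs: dict = field(default_factory=dict)  # seq -> dynamic-map name
    map_level: list = field(default_factory=list)     # seq-less 'client'/'isakmp' lines


def parse_crypto_maps(text):
    """Return ({map name: CryptoMap}, [map names applied to interfaces])."""
    maps, bound = {}, []
    current = None        # (map name, seq) whose indented sub-commands follow
    in_interface = False
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if in_interface:
                m = IFACE_BIND_RE.match(line)
                if m:
                    bound.append(m.group(1))
            elif current:
                name, seq = current
                maps[name].static_seqs[seq].append(line.strip())
            continue
        # Any non-indented line starts a new top-level section.
        in_interface = line.startswith("interface ")
        current = None
        m = SEQ_RE.match(line)
        if m:
            name, seq, dyn = m.group(1), int(m.group(2)), m.group(3)
            cm = maps.setdefault(name, CryptoMap(name))
            if dyn:
                cm.dynamic_seqs[seq] = dyn
            else:
                cm.static_seqs[seq] = []
                current = (name, seq)
        elif MAPLEVEL_RE.match(line):
            name = line.split()[2]
            maps.setdefault(name, CryptoMap(name)).map_level.append(line)
    return maps, bound


def check_crypto_map(cm, bound):
    """Findings for one crypto map; an empty list means the map looks sane."""
    findings = []
    if cm.name not in bound:
        findings.append(f"{cm.name}: not applied to any interface, so none of its entries take effect")
    for seq, subs in cm.static_seqs.items():
        if not any(s.startswith("match address") for s in subs):
            findings.append(f"{cm.name} {seq}: static entry has no 'match address'")
    for seq in cm.dynamic_seqs:
        if seq in cm.static_seqs:
            findings.append(f"{cm.name} {seq}: sequence number used by both a static and a dynamic entry")
    if cm.dynamic_seqs:
        highest_static = max(cm.static_seqs, default=0)
        for seq in cm.dynamic_seqs:
            if seq < highest_static:
                findings.append(
                    f"{cm.name} {seq}: dynamic entry is numbered below static entry {highest_static}; "
                    "give the dynamic entry the highest sequence number so static peers are evaluated first")
    elif cm.map_level:
        findings.append(f"{cm.name}: client/isakmp map-level settings present but no dynamic entry to use them")
    return findings


def lint(text):
    """Run every check over every crypto map found in the configuration text."""
    maps, bound = parse_crypto_maps(text)
    return [f for cm in maps.values() for f in check_crypto_map(cm, bound)]


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of `show running-config | section crypto map` plus the interface stanza. With the sample as given it reports nothing; renumbering the dynamic entry below 120, or attaching the client lines to a map name such as smap that is not applied to the interface, produces a finding, which is exactly the mistake the answer is warning about.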