VPN Client & site-to-site, IOS 12.3

Alex, I have the same requirement as yours. I guess you do not have problems configuring IPsec for the roaming users or site-to-site separately. To have the site-to-site crypto map and the roaming-users crypto map on the same external interface, the idea is to assign different profiles to the same crypto dynamic map.

The following is the main idea :

// profile definition for site-to-site
crypto keyring spoke1
 pre-shared-key address 0.0.0.0 0.0.0.0 key key@site2site
crypto isakmp profile site-to-site_profile
 keyring spoke1
 match identity address 0.0.0.0

// profile definition for roaming users
crypto isakmp profile roaming_vpn_profile
 match identity group roaming_group
 client authentication list roaming_user
 isakmp authorization list roaming_group
 client configuration address respond

// assign them to the same dynamic map
crypto dynamic-map dynmap 10
 set transform-set roaming-transform-set
 set isakmp-profile roaming_vpn_profile
crypto dynamic-map dynmap 20
 set transform-set spoke1_transform_set
 set isakmp-profile site-to-site_profile

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

then you can assign it to your external interface:

 crypto map clientmap

HTH,

DT

Reply to
dt1649651

I am wondering if it is possible to terminate both a site-to-site VPN tunnel and mobile clients running VPN Client 4.6.x on my router's (IOS 12.3) outside interface.

I am using a combination of static NAT and PAT on this router except for the encrypted traffic. As far as I have found out I can only apply one crypto map to the outside. I looked all over CCO but only found examples for either IOS with VPN Client or site-to-site VPN.

Am I missing something?

Alexander

Reply to
Alexander Apathy

Hi Alexander,

have a look at:

formatting link
specific:
formatting link
you have to add the config as another instance of your crypto map.

Andre

Reply to
Andre Janssen

formatting link

formatting link

even better:

formatting link

Reply to
Andre Janssen

Alexander Apathy wrote:

Have this working on a 836 running 12.4(1a) with dynamic WAN ip. AFAIK 12.3(8)T introduced the possibility of static and dynamic crypto map on the same interface.

As a starting point you can configure with SDM.

Reply to
Uli Link

Andre Janssen wrote:

formatting link

I used this doc as a starting point. Here is a cleaned-up part of my config; it works with 12.3(8)YG2 or later...

*********************************************************************
!
version 12.4
!
!
!
aaa authentication login default local-case
aaa authentication login ezvpn_xauth local
aaa authentication ppp default local-case
aaa authorization console
aaa authorization network ezvpn_group_auth local
!
aaa session-id common
!
!
username example secret 5 xxx
!
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key lan-2-lan-psk address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp identity hostname
crypto isakmp keepalive 30 3
crypto isakmp client configuration address-pool local ezvpn-pool
!
crypto isakmp client configuration group my-ezvpn
 key ezvpn-group-psk
 dns 192.168.100.1
 domain mylocaldom.local
 pool ezvpn-pool
 acl 125
 pfs
 max-logins 2
crypto isakmp profile my-ezvpn-pro
 match identity group my-ezvpn
 client authentication list ezvpn_xauth
 isakmp authorization list ezvpn_group_auth
 client configuration address respond
!
!
crypto ipsec transform-set tfs-3des esp-3des esp-sha-hmac
!
crypto identity vpnid_1
 description VPN-PEER-ID
 fqdn test-sample.dyndns.org
!
!
crypto dynamic-map ezvpn-dmap 1
 description EZVPN Client
 set transform-set tfs-3des
 set pfs group2
 set isakmp-profile my-ezvpn-pro
 reverse-route
!
!
crypto map cmap_1 10 ipsec-isakmp
 set peer test-sample.dyndns.org dynamic
 set security-association lifetime kilobytes 262144
 set security-association lifetime seconds 28800
 set transform-set tfs-3des
 set pfs group2
 set identity vpnid_1
 match address 120
 reverse-route
crypto map cmap_1 65535 ipsec-isakmp dynamic ezvpn-dmap
!
!
interface Ethernet0
 ip address 192.168.190.1 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip tcp adjust-mss 1452
!
!
interface ATM0
 no ip address
 no ip redirects
 dsl operating-mode annexb-ur2
!
interface ATM0.1 point-to-point
 pvc 1/32
  pppoe-client dial-pool-number 1
!
!
!
interface Dialer0
 ip address negotiated
 ip access-group 104 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxbubuxxx
 ppp chap password 7 xxxxxxxxxxxxxxx
 crypto map cmap_1
 crypto ipsec fragmentation before-encryption
!
!
ip local pool ezvpn-pool 192.168.187.249 192.168.187.251
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip dns server
!
ip nat inside source route-map ROUTE_MAP interface Dialer0 overload
!
access-list 102 deny   ip 192.168.190.0 0.0.0.255 192.168.188.0 0.0.1.255
access-list 102 deny   ip 192.168.190.0 0.0.0.255 host 192.168.187.249
access-list 102 deny   ip 192.168.190.0 0.0.0.255 host 192.168.187.250
access-list 102 deny   ip 192.168.190.0 0.0.0.255 host 192.168.187.251
access-list 102 permit ip 192.168.190.0 0.0.0.255 any
access-list 102 permit ip 172.22.234.0 0.0.0.7 any
access-list 102 deny   ip any any
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq smtp
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any packet-too-big
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any traceroute
access-list 104 permit icmp any any unreachable
access-list 104 permit esp any any
access-list 104 permit gre any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq 10000
access-list 104 permit tcp any any eq 1723
access-list 104 permit tcp any any eq 139
access-list 104 permit udp any any eq netbios-ns
access-list 104 permit udp any any eq netbios-dgm
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any
access-list 110 deny   ip host 255.255.255.255 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
access-list 120 remark VPN-IPSEC
access-list 120 permit ip 192.168.190.0 0.0.0.255 192.168.188.0 0.0.1.255
access-list 125 permit ip 192.168.190.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map ROUTE_MAP permit 1
 match ip address 102
!
!
end
*********************************************************************
Reply to
Uli Link
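Added example (editor's code, not from any post in this thread): a small lint pass over an IOS running-config that checks the three things DT's and Uli's configs above depend on when a static site-to-site entry and a dynamic VPN-Client/EzVPN entry share one outside interface. IOS binds a single crypto map set to an interface, so the dynamic entry has to be folded into the same map (cmap_1 65535 above, not a second map); the dynamic entry must carry a higher sequence number than every static entry so site-to-site peers are matched first; and a wildcard `crypto isakmp key ... address 0.0.0.0 0.0.0.0` on a router that also enables Xauth needs `no-xauth`, otherwise the site-to-site peer is prompted for a username. The two sample configs, the peer addresses and the interface names are constructed for the example and modelled on the layout posted above.

```python
"""Lint an IOS config for static + dynamic crypto-map co-termination (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?\s*$")
KEY_RE = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0(.*)$")
XAUTH_RE = re.compile(r"(?:^|\s)client authentication list \S+")  # profile or legacy form
IFACE_RE = re.compile(r"^interface (\S+)")
IFMAP_RE = re.compile(r"^\s+crypto map (\S+)\s*$")  # map bound inside an interface block


@dataclass
class CryptoState:
    static_seqs: dict = field(default_factory=lambda: defaultdict(list))
    dynamic_seqs: dict = field(default_factory=lambda: defaultdict(list))
    iface_maps: dict = field(default_factory=lambda: defaultdict(list))
    wildcard_keys: list = field(default_factory=list)  # (config line, has no-xauth)
    xauth_enabled: bool = False


def parse_config(text: str) -> CryptoState:
    st = CryptoState()
    iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            iface = None  # any unindented line closes the current interface block
        if m := IFACE_RE.match(line):
            iface = m.group(1)
            continue
        if iface and (m := IFMAP_RE.match(line)):
            st.iface_maps[iface].append(m.group(1))
            continue
        if m := MAP_RE.match(line):
            name, seq, dyn = m.group(1), int(m.group(2)), m.group(3)
            (st.dynamic_seqs if dyn else st.static_seqs)[name].append(seq)
            continue
        if m := KEY_RE.match(line):
            st.wildcard_keys.append((line, "no-xauth" in m.group(1).split()))
            continue
        if XAUTH_RE.search(line):
            st.xauth_enabled = True
    return st


def lint(text: str) -> list[str]:
    st = parse_config(text)
    findings = []
    for iface, maps in sorted(st.iface_maps.items()):
        names = sorted(set(maps))
        if len(names) > 1:
            findings.append(f"{iface}: {len(names)} crypto maps applied ({', '.join(names)}); "
                            "IOS binds one crypto map per interface, add the dynamic entry to that map instead")
    for name in sorted(set(st.static_seqs) | set(st.dynamic_seqs)):
        statics, dynamics = st.static_seqs[name], st.dynamic_seqs[name]
        if statics and dynamics and min(dynamics) <= max(statics):
            findings.append(f"crypto map {name}: dynamic entry seq {min(dynamics)} is not above static seq "
                            f"{max(statics)}; give dynamic entries the highest sequence numbers")
    if st.xauth_enabled:
        for line, has_no_xauth in st.wildcard_keys:
            if not has_no_xauth:
                findings.append(f"'{line}': wildcard pre-shared key without no-xauth while Xauth is enabled; "
                                "site-to-site peers would be prompted for a username")
    return findings


# Constructed sample, laid out like the posted config: passes all three checks.
GOOD_CONFIG = """\
crypto isakmp key lan-2-lan-psk address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp profile my-ezvpn-pro
 match identity group my-ezvpn
 client authentication list ezvpn_xauth
 isakmp authorization list ezvpn_group_auth
!
crypto dynamic-map ezvpn-dmap 1
 set isakmp-profile my-ezvpn-pro
!
crypto map cmap_1 10 ipsec-isakmp
 set peer test-sample.dyndns.org dynamic
 match address 120
crypto map cmap_1 65535 ipsec-isakmp dynamic ezvpn-dmap
!
interface Dialer0
 ip address negotiated
 crypto map cmap_1
"""

# Constructed sample with the three mistakes the thread is about (hypothetical peers).
BAD_CONFIG = """\
crypto isakmp key lan-2-lan-psk address 0.0.0.0 0.0.0.0
crypto isakmp profile my-ezvpn-pro
 match identity group my-ezvpn
 client authentication list ezvpn_xauth
!
crypto dynamic-map ezvpn-dmap 1
 set isakmp-profile my-ezvpn-pro
!
crypto map cmap_1 10 ipsec-isakmp dynamic ezvpn-dmap
crypto map cmap_1 20 ipsec-isakmp
 set peer 203.0.113.7
 match address 120
!
crypto map cmap_2 10 ipsec-isakmp
 set peer 203.0.113.8
 match address 121
!
interface Dialer0
 ip address negotiated
 crypto map cmap_1
 crypto map cmap_2
"""

if __name__ == "__main__":
    for finding in lint(BAD_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file; the parser only needs the unindented `crypto map` lines, the indented `crypto map` binding inside interface blocks, the wildcard `crypto isakmp key` line and any `client authentication list`, so the rest of the config is ignored. The keyring-plus-profile layout in DT's post separates Xauth per ISAKMP profile rather than with `no-xauth`, so the third check deliberately fires only on the global wildcard key form.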

Thanks to everybody for their input. With IOS 12.3(11)YS and your hints I will certainly get things working this weekend.

In the future I would like to replace local authentication with RADIUS. According to [1], any RADIUS server should be sufficient. Did any of you succeed in authenticating VPN clients using IOS and MS IAS?

MS IAS worked fine for me in scenarios with VPN clients and Cisco PIX. I am not sure if Cisco IOS and PIX behave the same (e.g. same RADIUS attributes) with regard to simple AAA.

Alexander

[1]
formatting link
Reply to
Alexander Apathy

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.