Cisco IOS Remote Access and Site to Site VPN on one router

Simultaneous use of Remote Access VPN and Site-to-Site VPN has a few caveats.

Important configuration lines:

1. crypto isakmp key Pr3sh4r3DKEY address 89.123.45.6 no-xauth
Make sure to include no-xauth for Site-to-Site VPN peer.

2. crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
Dynamic map should be last in crypto map assigned to external interface. You may use 65535 here at is is maximum supported number.

Example of Cisco IOS configuration with multiple VPN connections on one router:


crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2

crypto isakmp key Pr3sh4r3DKEY address 89.123.45.6 no-xauth

crypto isakmp client configuration group REMOTEGROUP
 key 
 dns 10.18.19.2
 pool REMOTEPOOL
 acl 110
!
!
crypto ipsec transform-set REMOTEVPN esp-3des esp-sha-hmac 
!
crypto dynamic-map DYNMAP 10
 set transform-set REMOTEVPN 
!
!

crypto map VPNMAP client authentication list vpnuserauth
crypto map VPNMAP isakmp authorization list vpngroupauthor
crypto map VPNMAP client configuration address respond

crypto map VPNMAP 5 ipsec-isakmp 
 set peer 213.219.124.154
 set transform-set REMOTEVPN 
 set pfs group2
 match address VPN_ACL

crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP

ip local pool REMOTEPOOL 192.168.100.10 192.168.100.20

2 thoughts on “Cisco IOS Remote Access and Site to Site VPN on one router

Leave a Reply

Your email address will not be published. Required fields are marked *