Cisco IOS Remote Access and Site to Site VPN on one router

Simultaneous use of Remote Access VPN and Site-to-Site VPN has a few caveats.

Important configuration lines:

1. crypto isakmp key Pr3sh4r3DKEY address no-xauth
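Make sure to include no-xauth on the pre-shared key for the Site-to-Site VPN peer. The crypto map enables Xauth for remote access clients (client authentication list), so without this keyword the router would also request Xauth from the site-to-site peer.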

2. crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
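The dynamic map entry should be the last one in the crypto map assigned to the external interface, so that the static Site-to-Site entries with lower sequence numbers are evaluated first. You may use 65535 here, as it is the maximum supported sequence number.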

Example of Cisco IOS configuration with multiple VPN connections on one router:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2

crypto isakmp key Pr3sh4r3DKEY address no-xauth

crypto isakmp client configuration group REMOTEGROUP
 acl 110
crypto ipsec transform-set REMOTEVPN esp-3des esp-sha-hmac 
crypto dynamic-map DYNMAP 10
 set transform-set REMOTEVPN 

crypto map VPNMAP client authentication list vpnuserauth
crypto map VPNMAP isakmp authorization list vpngroupauthor
crypto map VPNMAP client configuration address respond

crypto map VPNMAP 5 ipsec-isakmp 
 set peer
 set transform-set REMOTEVPN 
 set pfs group2
 match address VPN_ACL

crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP

ip local pool REMOTEPOOL
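
Both caveats above can be checked mechanically before a configuration is deployed. The Python linter below is an added example, not part of the original post; the function name `lint`, the two sample configs and the peer address 203.0.113.10 (a documentation address) are constructed for illustration.

```python
import re

# Constructed sample configs; 203.0.113.10 is a documentation address, not from the page.
BAD = """\
crypto isakmp key Pr3sh4r3DKEY address 203.0.113.10
crypto map VPNMAP client authentication list vpnuserauth
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.10
"""
GOOD = """\
crypto isakmp key Pr3sh4r3DKEY address 203.0.113.10 no-xauth
crypto map VPNMAP client authentication list vpnuserauth
crypto map VPNMAP 5 ipsec-isakmp
 set peer 203.0.113.10
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
"""

def lint(config):
    """Return (check, detail) findings for the two caveats described in the text."""
    xauth_maps, no_xauth, entries, peers = set(), {}, {}, {}
    current = None  # crypto map whose entry sub-commands are being read
    for line in map(str.rstrip, config.splitlines()):
        if m := re.match(r"crypto isakmp key \S+ address (\S+)(.*)", line):
            no_xauth[m[1]] = "no-xauth" in m[2].split()
        elif m := re.match(r"crypto map (\S+) client authentication list", line):
            xauth_maps.add(m[1])  # Xauth is enabled on this crypto map
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", line):
            current = m[1]
            entries.setdefault(current, []).append((int(m[2]), m[3] is not None))
        elif current and (m := re.match(r"\s+set peer (\S+)", line)):
            peers.setdefault(current, set()).add(m[1])
        elif not line.startswith(" "):
            current = None  # left the crypto map entry block
    findings = []
    for name in sorted(xauth_maps):  # caveat 1: static peers need no-xauth
        for peer in sorted(peers.get(name, ())):
            if not no_xauth.get(peer, False):
                findings.append(("missing-no-xauth", peer))
    for name, seqs in sorted(entries.items()):  # caveat 2: dynamic entry last
        static = [seq for seq, dyn in seqs if not dyn]
        for seq, dyn in seqs:
            if dyn and static and seq < max(static):
                findings.append(("dynamic-not-last", f"{name} {seq}"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, lint(cfg))
```
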

OpenVPN route all traffic via VPN

To add a default route via the VPN server, add the following lines to your server's configuration file (usually /etc/openvpn/server.conf).

 push "redirect-gateway def1"
 push "dhcp-option DNS"

The DNS option may be required if you have trouble with name resolution after connecting to the VPN.