Cisco IOS Remote Access and Site to Site VPN on one router

Simultaneous use of Remote Access VPN and Site-to-Site VPN has a few caveats.

Important configuration lines:

1. crypto isakmp key Pr3sh4r3DKEY address 89.123.45.6 no-xauth
Make sure to include no-xauth for Site-to-Site VPN peer.

2. crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
Dynamic map should be last in crypto map assigned to external interface. You may use 65535 here at is is maximum supported number.

Example of Cisco IOS configuration with multiple VPN connections on one router:

[code]

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2

crypto isakmp key Pr3sh4r3DKEY address 89.123.45.6 no-xauth

crypto isakmp client configuration group REMOTEGROUP
key
dns 10.18.19.2
pool REMOTEPOOL
acl 110
!
!
crypto ipsec transform-set REMOTEVPN esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set REMOTEVPN
!
!

crypto map VPNMAP client authentication list vpnuserauth
crypto map VPNMAP isakmp authorization list vpngroupauthor
crypto map VPNMAP client configuration address respond

crypto map VPNMAP 5 ipsec-isakmp
set peer 213.219.124.154
set transform-set REMOTEVPN
set pfs group2
match address VPN_ACL

crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP

ip local pool REMOTEPOOL 192.168.100.10 192.168.100.20

[/code]

2 thoughts on “Cisco IOS Remote Access and Site to Site VPN on one router

Leave a Reply

Your email address will not be published. Required fields are marked *