Cisco IOS Remote Access and Site to Site VPN on one router

Simultaneous use of Remote Access VPN and Site-to-Site VPN has a few caveats.

Important configuration lines:

1. crypto isakmp key Pr3sh4r3DKEY address no-xauth
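Make sure to include no-xauth for the Site-to-Site VPN peer. Otherwise the router will also request Xauth (user authentication) from that peer, because client authentication is enabled on the same crypto map.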

2. crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
The dynamic map should be the last entry in the crypto map assigned to the external interface. You may use 65535 here, as it is the maximum supported sequence number.

Example of Cisco IOS configuration with multiple VPN connections on one router:


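! IKE phase 1 policy shared by both VPN types
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
! Pre-shared key for the Site-to-Site peer; no-xauth exempts it from Xauth
crypto isakmp key Pr3sh4r3DKEY address no-xauth
!
! Remote Access client group
crypto isakmp client configuration group REMOTEGROUP
 acl 110
!
crypto ipsec transform-set REMOTEVPN esp-3des esp-sha-hmac
!
! Dynamic map used by Remote Access clients
crypto dynamic-map DYNMAP 10
 set transform-set REMOTEVPN
!
! Xauth and mode configuration for Remote Access clients
crypto map VPNMAP client authentication list vpnuserauth
crypto map VPNMAP isakmp authorization list vpngroupauthor
crypto map VPNMAP client configuration address respond
!
! Static entry for the Site-to-Site tunnel
crypto map VPNMAP 5 ipsec-isakmp
 set peer
 set transform-set REMOTEVPN
 set pfs group2
 match address VPN_ACL
!
! Dynamic map goes last, at the highest sequence number
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
!
ip local pool REMOTEPOOL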
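
The two caveats above can be checked mechanically before a configuration is deployed. The following Python sketch is an added example, not part of the original post: the audit function, the second key and the 192.0.2.x peer addresses are constructed for illustration, and it assumes sub-commands are indented as in "show running-config" output.

```python
import re

# Constructed sample: peer addresses are RFC 5737 documentation values,
# not taken from the page. Entry 10 (dynamic) precedes static entry 20.
SAMPLE = """\
crypto isakmp key Pr3sh4r3DKEY address 192.0.2.10
crypto isakmp key 0th3rKEY address 192.0.2.20 no-xauth
crypto map VPNMAP client authentication list vpnuserauth
crypto map VPNMAP 5 ipsec-isakmp
 set peer 192.0.2.10
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.0.2.20
"""

def audit(config):
    """Return findings for the two caveats (hypothetical helper)."""
    keys = {}           # peer address -> True if its key line has no-xauth
    xauth_maps = set()  # crypto maps that enable Xauth for clients
    entries = {}        # map name -> [[seq, is_dynamic, [peers]], ...]
    current = None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):
            current = None  # a top-level command closes the sub-mode
        if m := re.match(r"crypto isakmp key .+? address (\S+)(.*)", s):
            keys[m.group(1)] = "no-xauth" in m.group(2).split()
        elif m := re.match(r"crypto map (\S+) client authentication list", s):
            xauth_maps.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?", s):
            current = [int(m.group(2)), bool(m.group(3)), []]
            entries.setdefault(m.group(1), []).append(current)
        elif current and (m := re.match(r"set peer (\S+)", s)):
            current[2].append(m.group(1))
    findings = []
    for name, ents in entries.items():
        last = max(seq for seq, _, _ in ents)
        for seq, dynamic, peers in ents:
            if dynamic and seq != last:
                findings.append(f"{name} {seq}: dynamic entry is not last (highest is {last})")
            for peer in peers:
                # Only flag peers whose pre-shared key line exists without no-xauth.
                if name in xauth_maps and keys.get(peer) is False:
                    findings.append(f"{name} {seq}: key for peer {peer} lacks no-xauth")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Peers that have no pre-shared key line at all are not flagged, so a clean result does not cover peers that use another authentication method.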


Cisco VPN client and 3G modems

The Cisco VPN client does not work with 3G modems out of the box on Windows 7. The VPN will come up, but no traffic will pass through the tunnel.
The release notes for Cisco VPN Client 5 state: "The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards)."

To fix the problem you will need to update your DNE component:

For 32-bit OS:
For 64-bit OS:

After a restart, the VPN will work fine.