Actually that was my next question. In order to create an isakmp profile, you must have a match statement. So is it necessary to apply the isakmp profile to a crypto map (or ipsec profile, if one is being used), since you need a match statement anyway? And if it is necessary, why not just match an address of 0.0.0.0 0.0.0.0 in the isakmp profile, since you are applying the isakmp profile to the crypto map or ipsec profile that needs it? It just seems a little redundant to have an exact match statement in the isakmp profile, then apply this to a crypto map, while the crypto map has the same match statement.
-----Original Message-----
From: Stuart Hare [mailto:[email protected]]
Sent: Sunday, August 09, 2009 3:57 PM
To: Shawn H. Mesiatowsky
Cc: <[email protected]>
Subject: Re: [OSL | CCIE_Security] easyvpn and L2L on same cisco router

Shawn

Yes this is the preferred solution. The only thing I would add is to apply the isakmp profile to the crypto map to force ez to use it.

Stu

Sent from my iPhone

On 9 Aug 2009, at 20:38, "Shawn H. Mesiatowsky" <[email protected]> wrote:

> I was trying to setup easyvpn server and L2L vpn on the same ios
> router. When an L2L tunnel would try to establish, it would try to use
> xauth as this was applied to the crypto map. To fix this I created a
> separate isakmp profile using xauth and only applied it to the vpn
> group for easyvpn. Just wondering if this is the correct way to handle
> this, or if there is any other way (recommended or not)
>
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 172.16.115.1
> crypto isakmp client configuration group vpngroup
>  key cisco
>  pool vpnpool
>  save-password
>
> crypto isakmp profile isakmp_dynamic
>  match identity group vpngroup
>  client authentication list vpn
>  isakmp authorization list vpn
>  client configuration address respond
>
> crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
>
> crypto dynamic-map dynmap 10
>  set transform-set trans1
>  reverse-route
>
> crypto map mymap 10 ipsec-isakmp
>  set peer 172.16.115.1
>  set transform-set trans1
>  match address vpn
>
> crypto map mymap 50 ipsec-isakmp ipsec-isakmp dynamic dynmap
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training,
> please visit www.ipexpert.com
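Added example (editor's configuration, not posted by anyone in the thread): the layout Stu describes, with the posted config completed so that each crypto map entry is explicitly bound to its own ISAKMP profile via "set isakmp-profile". The L2L peer gets a profile matched by address with a keyring and no XAUTH; the EasyVPN clients get the posted "isakmp_dynamic" profile with XAUTH, bound to the dynamic map. The named ACL "vpn", the AAA lists "vpn", the local user, the pool range, the keyring name "l2l-keys", the profile name "isakmp_l2l" and the interface name are assumptions not present in the thread. 3DES, MD5, DH group 2 and the key "cisco" are carried over from the posted lab config for continuity only and are not appropriate for production.

```text
! --- Phase 1 policy (kept from the posted config; lab-grade parameters) ---
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! --- AAA lists referenced by the EasyVPN profile (assumed names) ---
aaa new-model
aaa authentication login vpn local
aaa authorization network vpn local
username ezuser password 0 ezpass
ip local pool vpnpool 10.10.10.1 10.10.10.50
!
! --- Pre-shared key for the L2L peer, held in a keyring so the L2L
!     profile can reference it (assumed keyring name) ---
crypto keyring l2l-keys
 pre-shared-key address 172.16.115.1 key cisco
!
! --- EasyVPN group (kept from the posted config) ---
crypto isakmp client configuration group vpngroup
 key cisco
 pool vpnpool
 save-password
!
! --- Profile 1: L2L peer, matched by IKE identity address, no XAUTH ---
crypto isakmp profile isakmp_l2l
 keyring l2l-keys
 match identity address 172.16.115.1 255.255.255.255
!
! --- Profile 2: EasyVPN clients, matched by group, XAUTH + mode-config ---
crypto isakmp profile isakmp_dynamic
 match identity group vpngroup
 client authentication list vpn
 isakmp authorization list vpn
 client configuration address respond
!
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
!
! --- Dynamic map for EasyVPN, pinned to the XAUTH profile ---
crypto dynamic-map dynmap 10
 set transform-set trans1
 set isakmp-profile isakmp_dynamic
 reverse-route
!
! --- Interesting traffic for the L2L tunnel (assumed subnets) ---
ip access-list extended vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! --- Static entry for the L2L peer, pinned to the no-XAUTH profile ---
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.115.1
 set transform-set trans1
 set isakmp-profile isakmp_l2l
 match address vpn
!
crypto map mymap 50 ipsec-isakmp dynamic dynmap
!
! --- Apply the map on the outside interface (assumed interface name) ---
interface GigabitEthernet0/0
 crypto map mymap
```

To confirm which profile a given peer landed on, "show crypto isakmp profile" lists the profiles and their match statements, and "show crypto session detail" shows the profile name against each active session; "debug crypto isakmp" prints the profile selection during Phase 1 if the wrong one is being chosen. With the profile pinned on the crypto map entry the selection no longer depends solely on the identity match, so the L2L peer can no longer fall into the XAUTH profile even if the identity matching were loose.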
