candersoncc
I have a Cisco 1811 with the Advanced IP Services image. I am running into a problem configuring different types of IPSEC simultaneously. It appears to be mostly limitations I am running into with dynamic peers.
Ideally, I would like to have the following set up:
1. Static IPSEC tunnels for clients (some using VTIs, some crypto maps)
2. Dynamic IPSEC tunnels (gateway-gateway) for remote employees with no static public IP.
3. Dynamic IPSEC tunnels (VPN client software to gateway) for techs.
I have run into various problems when attempting these setups:
1. I enable xauth for the VPN client, and this causes ISAKMP to break for all the other tunnels as it forces xauth.
2. I've tried using ISAKMP profiles with associated keyrings, but a first match on an address identity of 0.0.0.0 0.0.0.0 causes negotiation to fail for the static tunnels.
I had to reboot the router and restore the config as I reverted these changes when the static tunnels went down (they are pretty important), and I didn't get a copy of how I had the config at the time. So my question then is this: What would be the suggested strategy for this? I do not necessarily need to see a config, but if anyone knows how I can separate these out so they aren't conflicting, I'd appreciate any suggestions.
I also have plenty of public IPs, so if it would help to split the IPSEC with xauth to another static IP, I can do that.