[c-nsp] IPSec SA + EzVPN conflict

Stig Johansen stig.johansen at ementor.no
Mon Jul 21 03:33:29 EDT 2008


Not sure if there is any command to enforce a client-side split-VPN
which breaks the server-side configuration. This would kind of
invalidate the whole security model.

What you could do is separate the two VPNs into two different VRFs. I
haven't tried putting an EzVPN config in a VRF before, but maybe it
works? If not, let the EzVPN live in the global routing table and stick the
IPsec tunnel in another VRF. You'll have to do some creative
config/wiring on the LAN side, but it should be possible.

Best regards,
Stig Meireles Johansen

--
http://en.wikipedia.org/wiki/Posting_style 
For users of modern email clients and intelligent email services like
Google mail, which display entire email threads in logical order and
hide extraneous content, the distinction between different posting
styles is often now less relevant.
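As an added example (not code from either poster), here is a small check for the situation Peter describes: it parses the `local ident` / `remote ident` / `current_peer` lines from IOS `show crypto ipsec sa` output and flags any SA whose remote selector (such as a 0.0.0.0/0 full-tunnel selector pushed by an EzVPN server) completely covers another peer's remote selector in the same protected VRF. The sample output embedded below is constructed in that layout with documentation addresses, so the peer IPs and subnets are assumptions; SAs in different protected VRFs are deliberately not compared, which is the separation Stig suggests.

```python
"""Flag IPsec SAs whose remote selector shadows another peer's selector.

Added example, not from the mailing-list thread. The sample text below is
constructed in the layout of IOS `show crypto ipsec sa` using documentation
addresses (assumed values, not a real router's output).
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: CMAP-COMPANY-A, local addr 203.0.113.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1204, #pkts encrypt: 1204, #pkts digest: 1204

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.0.2.77 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 88, #pkts encrypt: 88, #pkts digest: 88
"""

IDENT_RE = re.compile(
    r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+\)"
)
VRF_RE = re.compile(r"^\s*protected vrf:\s*(\S+)")
PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)")


@dataclass
class IPsecSA:
    vrf: str
    peer: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def parse_ipsec_sas(text):
    """Collect one IPsecSA per (local ident, remote ident, current_peer) group."""
    sas = []
    vrf = local = remote = None
    for line in text.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf = m.group(1)
            continue
        m = IDENT_RE.match(line)
        if m:
            # addr/mask form is accepted directly by ip_network ("0.0.0.0/0.0.0.0" -> 0.0.0.0/0)
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if m.group(1) == "local":
                local = net
            else:
                remote = net
            continue
        m = PEER_RE.match(line)
        if m and local is not None and remote is not None:
            sas.append(IPsecSA(vrf or "(none)", m.group(1), local, remote))
            local = remote = None
    return sas


def find_shadowed_sas(sas):
    """Return (wide_peer, shadowed_peer, shadowed_remote) for every SA whose
    remote selector is strictly contained in another peer's remote selector,
    provided both SAs protect the same VRF and their local selectors overlap.
    SAs in different protected VRFs are independent and are skipped."""
    findings = []
    for wide in sas:
        for narrow in sas:
            if wide is narrow or wide.peer == narrow.peer or wide.vrf != narrow.vrf:
                continue
            if (wide.local.overlaps(narrow.local)
                    and narrow.remote.subnet_of(wide.remote)
                    and narrow.remote != wide.remote):
                findings.append((wide.peer, narrow.peer, str(narrow.remote)))
    return findings


if __name__ == "__main__":
    for wide_peer, shadowed_peer, net in find_shadowed_sas(
            parse_ipsec_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA)):
        print(f"peer {wide_peer} selector covers {net} of peer {shadowed_peer}")
```

Run against real output by piping `show crypto ipsec sa` into `parse_ipsec_sas`; a hit like the one in the sample (192.0.2.77's 0.0.0.0/0 covering 198.51.100.1's 10.20.0.0/16) is exactly the full-tunnel selector that silently swallows the site-to-site traffic.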

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Hicks
Sent: 20. juli 2008 21:06
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSec SA + EzVPN conflict

Hello

One of my customers has an IPSec VPN to Company A, and wants to migrate his
existing client-based VPN to Company B to the same router (3725 with 12.4(12)
Advanced Enterprise Services on it).

After putting the EzVPN config on, the VPN to Company B came up and hosts there
were reachable.  Nothing at Company A was reachable, yet the SAs were still
established.

Further digging showed that the SAs for Company B's VPN specified a remote
network of 0.0.0.0/0, tunnelling all traffic and not just to the subnet we're
interested in.

Is there a way around this?


Peter

-- 
Peter Hicks | e: my.name at poggs.co.uk | g: 0x5DA31330 | w: www.poggs.com

   A: Because it destroys the flow of the conversation
   Q: Why is top-posting bad?
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
