Introduction
This document describes a problem that is encountered when the Cisco Easy VPN Client and Cisco Easy VPN Server are used on the same interface that runs Cisco IOS® Versions 15.2(1)T or later.
Prerequisites
Requirements
Cisco recommends that you have knowledge of Easy VPN configurations.
Tip: Refer to the Easy VPN Configuration Guide, Cisco IOS Release 15M&T for configuration details.
Components Used
The information in this document is based on Cisco IOS Versions 15.2(1)T and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
Cisco IOS Versions 15.2(1)T and earlier support these features, which are no longer supported in later versions:
- Easy VPN Remote and Server on the Same Interface – This feature allows the Easy VPN Remote and Easy VPN Server to be supported on the same interface, which makes it possible to both establish a tunnel to another Easy VPN Server and terminate the Easy VPN Client on the same interface simultaneously. A typical application involves a geographically remote location for which the Easy VPN Remote is used in order to connect to a corporate Easy VPN Software Server and also in order to terminate the local software client users.
- Easy VPN Remote and Site-to-Site on the Same Interface – This feature allows the Easy VPN Remote and site-to-site (crypto map) to be supported on the same interface, which makes it possible to both establish a tunnel to another Easy VPN Server and have another site-to-site on the same interface simultaneously. A typical application involves a third-party VPN service provider that manages a remote router via the site-to-site tunnel and uses the Easy VPN Remote in order to connect the remote site to a corporate Easy VPN Server.
Tip: Refer to the Easy VPN Remote and Server on the Same Interface section of the Easy VPN Configuration Guide, Cisco IOS Release 15M&T for additional information.
Problem
When you apply a crypto map to an interface that is already configured for IOS Easy VPN, the crypto map command is not applied to that interface.
Cisco IOS Behavior Changes
In Cisco IOS Versions 15.2(1)T and later, this is not a supported configuration, as multiple Security Association Databases (SADBs) are not added for each interface.
Note: This issue is tracked in Cisco bug ID CSCtx47112 – Crypto map cannot be applied to the same interface configured for ezvpn.
Solution
In order to resolve this issue, separate the crypto map configurations from the legacy Easy VPN and move one of them to a Virtual Tunnel Interface-based (VTI-based) configuration:
- Change the site-to-site crypto map to Generic Routing Encapsulation (GRE)/IPSec with tunnel protection or Secure VTI (SVTI).
- Change Easy VPN to FlexVPN.
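The following audit script is an added example, not part of the original Cisco document: it scans a saved IOS configuration for interfaces that carry both a crypto map and an Easy VPN client binding, which is the combination described in the Problem section. The sample configuration, the map and profile names, and the addresses are constructed; treating an `inside` Easy VPN binding as out of scope is an assumption.

```python
import re

# Constructed sample config; all names and addresses are hypothetical.
SAMPLE_CONFIG = """\
crypto map S2S-MAP 10 ipsec-isakmp
 set peer 198.51.100.7
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map S2S-MAP
 crypto ipsec client ezvpn EZ-CORP
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 crypto ipsec client ezvpn EZ-CORP inside
!
interface GigabitEthernet0/2
 crypto map DMZ-MAP
!
"""

IFACE = re.compile(r"^interface\s+(\S+)")
CMAP = re.compile(r"^\s+crypto map\s+(\S+)")
EZVPN = re.compile(r"^\s+crypto ipsec client ezvpn\s+(\S+)(?:\s+(inside|outside))?")


def find_conflicts(config):
    """Return (interface, crypto_map, ezvpn_profile) for each interface with both."""
    found, current = {}, None
    for line in config.splitlines():
        iface = IFACE.match(line)
        if iface:
            current = iface.group(1)
            found[current] = {}
        elif not line.startswith(" "):
            current = None  # "!" or a global command ends the interface block
        elif current:
            cmap, ez = CMAP.match(line), EZVPN.match(line)
            if cmap:
                found[current]["map"] = cmap.group(1)
            # Assumption: an "inside" binding marks the LAN side, so skip it.
            elif ez and ez.group(2) != "inside":
                found[current]["ezvpn"] = ez.group(1)
    return [(name, f["map"], f["ezvpn"])
            for name, f in found.items() if "map" in f and "ezvpn" in f]


if __name__ == "__main__":
    for name, cmap, ez in find_conflicts(SAMPLE_CONFIG):
        print(f"{name}: crypto map {cmap} and Easy VPN client {ez} share this interface")
```

Each interface it reports is a candidate for one of the two changes listed in the Solution section.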