Verify Crypto Map Sequence Numbers
If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very
important. The sequence number of the dynamic crypto map entry must be higher than all of the other static
crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those
peers fail.
Here is an example of a properly numbered crypto map that contains a static entry and a dynamic entry. Note
that the dynamic entry has the highest sequence number and room has been left to add additional static entries:
crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap 60000 ipsec-isakmp dynamic cisco
Disable XAUTH for L2L Peers
If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the
LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails.
Note: This issue only applies to Cisco IOS and PIX 6.x. Because it uses tunnel-groups, PIX/ASA 7.x is not
affected by this issue.
Use the no-xauth keyword when you enter the isakmp key, so the device does not prompt the peer for
XAUTH information (username and password). This keyword disables XAUTH for static IPSec peers. Enter a
command similar to this on the device that has both L2L and RA VPN configured on the same crypto map:
router(config)# crypto isakmp key cisco123 address 172.22.1.164 no-xauth
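Both checks above (dynamic entry numbered above every static entry, and no-xauth on the pre-shared key of each static peer that shares a crypto map with a dynamic entry) are easy to verify mechanically from a saved running-config. The following audit script is an added example, not part of the original document or of any Cisco tool. It assumes IOS-style "crypto map NAME SEQ ..." and "crypto isakmp key KEY address ADDR [no-xauth]" lines; the map name mymap, the peer addresses and the keys in SAMPLE_CONFIG are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config: one static entry (70000) is numbered above the
# dynamic entry (60000), and the key for peer 172.16.77.10 lacks no-xauth.
# Names, addresses and keys are hypothetical.
SAMPLE_CONFIG = """
crypto isakmp key cisco123 address 172.16.77.10
crypto isakmp key cisco456 address 172.16.77.11 no-xauth
crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap 70000 match address 101
crypto map mymap 70000 set peer 172.16.77.11
crypto map mymap 60000 ipsec-isakmp dynamic cisco
"""

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+)(?:\s+(.*))?$")
ISAKMP_KEY = re.compile(r"^crypto isakmp key \S+ address (\S+)(?:\s+(.*))?$")
SET_PEER = re.compile(r"^set peer (\S+)")


def parse(config: str) -> Tuple[Dict[str, Set[int]], Dict[str, Set[int]],
                                Dict[str, bool], Dict[str, Set[str]]]:
    """Collect, per crypto map, static and dynamic sequence numbers, the
    static peers referenced by 'set peer', and whether each ISAKMP key
    line for a peer address carries the no-xauth keyword."""
    static: Dict[str, Set[int]] = {}
    dynamic: Dict[str, Set[int]] = {}
    keys: Dict[str, bool] = {}
    peers: Dict[str, Set[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = MAP_ENTRY.match(line)
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3) or ""
            # 'crypto map NAME SEQ ipsec-isakmp dynamic DMAP' binds a dynamic map
            if "dynamic" in rest.split():
                dynamic.setdefault(name, set()).add(seq)
            else:
                static.setdefault(name, set()).add(seq)
            pm = SET_PEER.match(rest)
            if pm:
                peers.setdefault(name, set()).add(pm.group(1))
            continue
        k = ISAKMP_KEY.match(line)
        if k:
            keys[k.group(1)] = "no-xauth" in (k.group(2) or "").split()
    return static, dynamic, keys, peers


def audit(config: str) -> List[str]:
    """Return one finding per violation of the two rules in the text;
    an empty list means the config passes both checks."""
    static, dynamic, keys, peers = parse(config)
    findings: List[str] = []
    for name, dyn_seqs in dynamic.items():
        dyn_min = min(dyn_seqs)
        # Rule 1: every static entry must be numbered below the dynamic entry,
        # otherwise the static peers behind it never match.
        for seq in sorted(static.get(name, ())):
            if seq > dyn_min:
                findings.append(
                    f"{name}: static entry {seq} is numbered above dynamic entry {dyn_min}")
        # Rule 2 (IOS / PIX 6.x): on a map mixing L2L and RA, each static
        # peer's pre-shared key needs no-xauth or the L2L tunnel fails.
        for peer in sorted(peers.get(name, ())):
            if peer in keys and not keys[peer]:
                findings.append(f"{name}: static peer {peer} isakmp key lacks no-xauth")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a copy of "show running-config"; any line it prints corresponds to one of the two failure modes described above. Peers whose key line is absent (for example, RSA-signature peers) are deliberately not reported, since the no-xauth rule only concerns pre-shared keys.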