In my previous post I used certificate maps rather then using match identity groups. Why?
I could have easily used "match identity group LAB" as you can see in debugs from previous post, but I prefer not to. Certificate maps are here to stay they offer much more flexibility then static matching.
Here's some background why you might want to consider using cert maps in production.
As of IOS 12.4(20)T (including and everything above) some connection - like L2L tunnels from example stopped sending Unity VID. So what? So, match identity group will not work in this case, it's only being used in case of ezvpn - where unity tag is set. Where is this documented? It's not, but feel free to check your debugs :)
A thought on virtual templates if you're not using them, you should start moving your setup to this. Cisco will be making this THE ezvpn setup (for both client and server). It offer hugle flexibility improvements and fixes some of the shortcomings of legacy configurations (NAT, firewall, access-lists), plus all other remote access methods (L2TP, PPTP and yes recently even webvpn) are using it already
Virtual-template ezvpn setup is referenced as DVTI, while tunnel interfaces with "tunnel mode ipsec ipv4" is called SVTI - just in case you have to work with Cisco TAC.
- Troubleshooting DMVPN
- DMVPN phase 3 - basic configuration example.
- FWSM - routing considerations or "Why clearing xla...
- ASA/PIX PKI implementation. Mupliple trustpoints c...
- IPsec VPN on Catalyst 6500 or 7600.
- IPsec and VRFs. So who's doing the VRF handoff any...
- EZVPN with certificates. part3
- EZVPN with certificates. part2
- ▼ January (8)