Dynamic crypto map

Unanswered Question
Sep 9th, 2009

Hello,

I have a VPN that will connect using one of 3 public IP addresses; is it possible to set up a VPN like this? Normally I set up VPNs with a peer having a single static IP, not a pool of IPs.

Thanks

whiteford Wed, 09/09/2009 - 23:21

Thanks Andrew,

I was thinking this must be a bit of a security risk allowing any IP, but I guess it isn't any different to the Cisco VPN client as the public IP for our user can be any IP really?

Also I just tried setting up a VPN via the wizard in the ASDM and it says 0.0.0.0 can't be used. Is this a CLI option only?

whiteford Thu, 09/10/2009 - 01:06

I think this is the only article related to my situation:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Normally to add a VPN to the ASA I would add something like this:

access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.18.1.0 255.255.255.0
crypto map outside_map 17 match address outside_MYcryptomap_1
crypto map outside_map 17 set pfs group5
crypto map outside_map 17 set security-association lifetime seconds 86400
crypto map outside_map 17 set peer 81.14.1.1
crypto map outside_map 17 set transform-set ESP-AES-256-SHA
tunnel-group 81.14.1.1 type ipsec-l2l
tunnel-group 81.14.1.1 general-attributes
default-group-policy My-L2L
tunnel-group 81.14.1.1 ipsec-attributes
pre-shared-key 123456789
isakmp keepalive threshold 10 retry 2

Possible to manipulate the above to be dynamic?

whiteford Thu, 09/10/2009 - 02:06

This is what I'm going to add to the ASA:

crypto ipsec transform-set dynset1 esp-AES 128 esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set dynset1
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key 123456789

Does it look ok to you?

whiteford Thu, 09/10/2009 - 02:15

Thanks for spending some of your time on this btw.

1) Sorry, that was just an example psk (123456789); normally I use 10 chars: letters, numbers, symbols, uppercase.

2) Where would I put this in my config example? I guess I would use "set pfs group5" somewhere, and what about the timeout?

3) I will be setting the remote IP subnets so I will know them, so I guess I can miss this out?

Thanks

whiteford Thu, 09/10/2009 - 02:39

I will try this after lunch. My boss is worried it's insecure, but I said it's the same as VPN client really as we don't know their public IP to lock the tunnel down with, would you agree?

whiteford Thu, 09/10/2009 - 02:53

Can you check this (not sure if my maps are right) and see what you think before I add?

crypto ipsec transform-set dynset1 esp-AES 128 esp-sha-hmac
crypto dynamic-map aw-dyn-map 1 set transform-set dynset1
crypto map dyn-map 1 ipsec-isakmp dynamic aw-dyn-map
crypto map dyn-map interface outside
crypto map dyn-map 1 set pfs group 5
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <64 char key here>

whiteford Thu, 09/10/2009 - 04:47

Andrew,

The first problem I got was:

crypto map dyn-map 1 set pfs group5
WARNING: This map entry is linked to dynamic-map: aw-dyn-map.
This attribute will be inactive!

please help

whiteford Thu, 09/10/2009 - 06:13

Andrew,

Sorry, I'm confused (doesn't take much, does it)

I simply tried to add:

crypto ipsec transform-set dynset1 esp-AES 128 esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set dynset1
crypto map dyn-map 1 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto map dyn-map 1 set pfs group 5

;) no issues

Here is the thing, you can only have ONE crypto map configured on ONE interface at any one time.

Soooooo if you already have a crypto map configured and attached to the outside interface - then you just amend it, giving your dynamic crypto map a higher sequence number; hope this clears it up.

If not - see an example of one of my crypto maps:-

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto dynamic-map dyno-map 10 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 1 match address vpn1
crypto map vpntunnel-outside 1 set peer 1.1.1.1
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 26 match address vpn2
crypto map vpntunnel-outside 26 set peer 2.2.2.2
crypto map vpntunnel-outside 26 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 60 match address vpn3
crypto map vpntunnel-outside 60 set peer 3.3.3.3
crypto map vpntunnel-outside 60 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 65535 ipsec-isakmp dynamic dyno-map
crypto map vpntunnel-outside interface outside

HTH

whiteford Thu, 09/10/2009 - 06:54

I think I do. All my VPN's went down, when I compared the config with last night, I soon realised I had to add back:

"crypto map outside_map interface outside"

so when I added

"crypto map dyn-map interface outside"

bang! They all went down

If I get it I must leave "crypto map outside_map interface outside" as it is?

Based on my example in the previous post, how should that look? That way it should click for me.

Thanks again Andrew.
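The three rules this exchange turns on (one crypto map per interface, the dynamic entry carrying the highest sequence number, and per-entry attributes such as "set pfs" being inactive on a dynamic entry, as the ASA warning quoted earlier says) can be checked mechanically before a change window. The checker below is an added example, not code from this thread or from Cisco; it assumes only the "crypto map <name> <seq> ..." and "crypto map <name> interface <if>" syntax shown above, and both sample configs are constructed from the thread's fragments (the "set pfs" line on the dynamic map in the fixed sample is an addition).

```python
import re
from collections import defaultdict

# "crypto map <name> <seq> <rest>" defines (part of) a crypto map entry;
# "crypto map <name> interface <if>" binds a whole map to an interface.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_maps(config_text):
    """Split ASA config text into map entries and interface bindings.

    Returns (entries, bindings) where
      entries  = {map_name: {seq: [command tail, ...]}}
      bindings = {interface: [map_name, ...]} in configuration order
    """
    entries = defaultdict(lambda: defaultdict(list))
    bindings = defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        bind = BIND_RE.match(line)
        if bind:
            bindings[bind.group(2)].append(bind.group(1))
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            name, seq, rest = entry.group(1), int(entry.group(2)), entry.group(3)
            entries[name][seq].append(rest)
    return entries, bindings


def check_crypto_maps(config_text):
    """Return a list of (code, message) findings; an empty list means no problems."""
    entries, bindings = parse_crypto_maps(config_text)
    findings = []

    # Rule 1: one crypto map per interface. A second "crypto map X interface outside"
    # replaces the first binding, so every tunnel on the first map drops.
    for ifname, maps in bindings.items():
        if len(maps) > 1:
            findings.append((
                "multiple-bindings",
                f"interface {ifname}: maps {', '.join(maps)} all bound; only {maps[-1]} "
                f"stays active and the tunnels of the others go down",
            ))

    for name, seqs in entries.items():
        dynamic = {s for s, cmds in seqs.items()
                   if any(c.startswith("ipsec-isakmp dynamic") for c in cmds)}
        static = set(seqs) - dynamic
        for dyn in sorted(dynamic):
            # Rule 2: the dynamic entry must have the highest sequence number so
            # that peers with a static entry are matched before the catch-all.
            above = sorted(s for s in static if s > dyn)
            if above:
                findings.append((
                    "dynamic-seq-too-low",
                    f"map {name}: dynamic entry seq {dyn} sits below static entries {above}; "
                    f"give the dynamic entry the highest sequence number (e.g. 65535)",
                ))
            # Rule 3: "set ..." attributes on a dynamic crypto map entry are ignored
            # (the ASA warns "This attribute will be inactive!"); they belong on the
            # "crypto dynamic-map" itself.
            inactive = [c for c in seqs[dyn] if c.startswith("set ")]
            if inactive:
                findings.append((
                    "inactive-dynamic-attr",
                    f"map {name} seq {dyn}: '{inactive[0]}' is inactive on a dynamic entry; "
                    f"configure it under 'crypto dynamic-map' instead",
                ))
    return findings


# Constructed from the thread's fragments: an existing static peer at seq 17, a dynamic
# entry added at seq 1 with "set pfs" on it, and a second map bound to the same interface.
BROKEN_CONFIG = """
crypto map outside_map 17 match address outside_MYcryptomap_1
crypto map outside_map 17 set peer 81.14.1.1
crypto map outside_map 17 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 ipsec-isakmp dynamic aw-dyn-map
crypto map outside_map 1 set pfs group5
crypto map outside_map interface outside
crypto map dyn-map interface outside
"""

# The layout from Andrew's example: static peers at low sequence numbers, the dynamic
# entry at 65535, PFS on the dynamic map (added here), and a single interface binding.
FIXED_CONFIG = """
crypto dynamic-map dyno-map 10 set pfs group5
crypto dynamic-map dyno-map 10 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 1 match address vpn1
crypto map vpntunnel-outside 1 set peer 1.1.1.1
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 26 match address vpn2
crypto map vpntunnel-outside 26 set peer 2.2.2.2
crypto map vpntunnel-outside 26 set transform-set ESP-3DES-SHA1
crypto map vpntunnel-outside 65535 ipsec-isakmp dynamic dyno-map
crypto map vpntunnel-outside interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label)
        for code, msg in check_crypto_maps(cfg) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it against a "show running-config crypto" capture before pasting a change: the "multiple-bindings" finding is exactly the mistake that took every existing tunnel down in the post above, and it is caught without touching the firewall.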

whiteford Fri, 09/11/2009 - 06:18

Thanks I take it I can call the "DefaultL2LGroup" anything?

Also to remove this if I have to I can just use:

no tunnel-group DefaultL2LGroup type ipsec-l2l
no tunnel-group DefaultL2LGroup general-attributes
no default-group-policy AW-L2L
no tunnel-group DefaultL2LGroup ipsec-attributes
no pre-shared-key <>

whiteford Fri, 09/11/2009 - 06:56

I understand that part, I'm just not sure where you got "DefaultL2LGroup" from, whether it is a system default "word" itself or you made up this?

I was thinking of just copying your code into my ASA tomorrow (out of hours) and testing?

whiteford Fri, 09/11/2009 - 07:09

Great stuff!

I will try adding just those 4 lines tomorrow and let you know how it goes.

1.) The great thing now is (well, tomorrow) I can set up VPNs without knowing the customer's IP address. I guess as long as the pre-shared key and the IKE and IPsec phases match then I should be OK? Although I will use the IP if they have knowledge of it.

2.) Is having a dynamic VPN quite common?

OK - cool

1) Yep - makes things a little easier

2) Yes - as most business ADSL prices are still quite high (in the UK at least) and bundling a static IP on top increases the cost. I have seen a sharp increase in dynamic VPNs. It also makes bringing a new remote site on-line much easier....just pre-configure the pix/asa and send out!!

whiteford Fri, 09/11/2009 - 07:34

Nice.

If I decide to turn this dynamic feature off, how would I achieve this?

whiteford Fri, 09/11/2009 - 07:54

Thanks, sorry for the simple questions.

I'm only a CCNA, forced in to the ASA world. Hopefully some training soon.

whiteford Sat, 09/12/2009 - 02:36

Hi Andrew,

I have added what you suggested. Now I need to connect a remote VPN to my ASA.

I am going through the ASDM IPsec VPN wizard, but it asks me to put in an IP address of the remote peer which I don't have. Do I have to use the CLI only for this? If I use 0.0.0.0 it says not supported.

My remote network has the 64 character pre-shared key I create and is pointing to my ASA's outside IP.

IKE Encryption - AES
IKE Authentication - SHA 256
IKE DH - Group5
IKE Lifetime - 86400
IPsec Encryption - AES
IPsec Authentication - SHA 256
IPsec DH - Group5
SA life time - 86400

whiteford Sat, 09/12/2009 - 02:58

So the END I guess would be my ASA as it has a static and the "tiger" would be this remote VPN, which is a non Cisco device - horrid GUI.

This is what I originally tried to add:

I believe I will need to remove "crypto map dyn-map interface outside" as I already have an outside crypto map as mentioned before. Does it look ok?

crypto ipsec transform-set dynset1 esp-AES 128 esp-sha-hmac
crypto dynamic-map aw-dyn-map 1 set transform-set dynset1
crypto map dyn-map 1 ipsec-isakmp dynamic aw-dyn-map
crypto map dyn-map interface outside
crypto map dyn-map 1 set pfs group 5
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <64 char key here>

whiteford Sat, 09/12/2009 - 03:46

OK, so I don't need the crypto map part?

My earlier config contains:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

for debug I will use "debug crypto isakmp 254"

whiteford Sat, 09/12/2009 - 04:02

Ah, the debug is now showing something at last:

Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE MM Responder FSM error history (struct &0xd0c4bf70) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE SA MM:53bb3ccd terminating: flags 0x01000002, refcnt 0, tuncnt 0
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, sending delete/delete with reason message
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing blank hash payload
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing IKE delete payload
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing qm hash payload
Sep 12 12:57:56 [IKEv1]: IP = 214.*.*.67, IKE_DECODE SENDING Message (msgid=73ff5505) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Sep 12 12:57:56 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Removing peer from peer table failed, no match!
Sep 12 12:57:56 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Error: Unable to remove PeerTblEntry

This remote site is on 172.181.11.0/24 and needs to get to my subnet behind the ASA on 192.168.91.0/24

whiteford Sat, 09/12/2009 - 04:54

Hmm phase 1 is complete now, this is my output:

Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
Sep 12 13:29:15 [IKEv1]: IP = 214.*.*.67, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 72
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Duplicate Phase 1 packet detected. Retransmitting last packet.
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, P1 Retransmit msg dispatched to MM FSM
Sep 12 13:29:16 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Duplicate Phase 1 packet detected. Retransmitting last packet.
Sep 12 13:29:16 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, P1 Retransmit msg dispatched to MM FSM
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE MM Responder FSM error history (struct &0xd0c4bf70) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG-->MM_WAIT_MSG5, EV_RESEND_MSG
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE SA MM:d0eb2626 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, sending delete/delete with reason message
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing blank hash payload
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing IKE delete payload
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing qm hash payload
Sep 12 13:29:16 [IKEv1]: IP = 214.*.*.67, IKE_DECODE SENDING Message (msgid=b5bcb867) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Sep 12 13:29:16 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Removing peer from peer table failed, no match!
Sep 12 13:29:16 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Error: Unable to remove PeerTblEntry
Sep 12 13:29:16 [IKEv1]: IP = 214.*.*.67, Received encrypted packet with no matching SA, dropping
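To triage output like the two debug captures above without reading every FSM line, the helper below is an added example (not from this thread or from Cisco): it parses ASA IKEv1 debug lines into peer IP, tunnel-group and message, tags the messages that point at a cause, and reports the most actionable one per peer. The signature fragments and the sample lines are copied from the debug output quoted in this thread (the long FSM history line is trimmed); the regex assumes the line layout shown here.

```python
import re

# One ASA IKEv1 debug line: timestamp, [IKEv1] or [IKEv1 DEBUG], an optional
# "Group = <tunnel-group>, ", then "IP = <peer>, " and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<level>IKEv1(?: DEBUG)?)\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)

# Message fragments seen in the thread's debug output, mapped to a short diagnosis
# code. The first matching fragment wins.
SIGNATURES = [
    ("mismatched pre-shared key", "psk-mismatch"),
    ("EV_PROB_AUTH_FAIL", "probable-auth-failure"),
    ("invalid payloads", "invalid-payloads"),
    ("no matching SA", "no-matching-sa"),
    ("Duplicate Phase 1 packet", "phase1-retransmit"),
]

# Most to least actionable: a PSK mismatch explains the other symptoms in the list
# (the peer's encrypted message cannot be decrypted, so its payloads look invalid,
# the peer retransmits, and the half-built SA is torn down).
PRIORITY = ["psk-mismatch", "probable-auth-failure", "invalid-payloads",
            "no-matching-sa", "phase1-retransmit"]


def parse_ike_line(line):
    """Return a dict with ts/level/group/ip/msg, or None if the line is not IKEv1 output."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Map a message to a diagnosis code, or None when it is only chatter."""
    for fragment, code in SIGNATURES:
        if fragment in msg:
            return code
    return None


def diagnose(lines):
    """Group debug lines per peer IP.

    Returns {ip: {"group": tunnel-group or None,
                  "codes": [diagnosis codes in first-seen order],
                  "sa_terminated": number of 'terminating' SA lines}}.
    """
    peers = {}
    for line in lines:
        rec = parse_ike_line(line)
        if rec is None:
            continue
        entry = peers.setdefault(rec["ip"], {"group": None, "codes": [], "sa_terminated": 0})
        if rec["group"]:
            entry["group"] = rec["group"]
        code = classify(rec["msg"])
        if code and code not in entry["codes"]:
            entry["codes"].append(code)
        if " terminating:" in rec["msg"]:
            entry["sa_terminated"] += 1
    return peers


def likely_cause(codes):
    """Pick the single most actionable code, or 'unknown' when nothing matched."""
    for code in PRIORITY:
        if code in codes:
            return code
    return "unknown"


# Sample input copied from the debug output quoted in this thread (FSM line trimmed).
SAMPLE_DEBUG = [
    "Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE MM Responder FSM error history (struct &0xd0c4bf70) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5",
    "Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0",
    "Sep 12 13:29:15 [IKEv1]: IP = 214.*.*.67, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 72",
    "Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting",
    "Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Duplicate Phase 1 packet detected. Retransmitting last packet.",
    "Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE SA MM:d0eb2626 terminating: flags 0x01000002, refcnt 0, tuncnt 0",
    "Sep 12 13:29:16 [IKEv1]: IP = 214.*.*.67, Received encrypted packet with no matching SA, dropping",
]

if __name__ == "__main__":
    for ip, info in diagnose(SAMPLE_DEBUG).items():
        print(f"{ip} (tunnel-group {info['group']}): likely cause {likely_cause(info['codes'])}; "
              f"symptoms {info['codes']}; SAs torn down {info['sa_terminated']}")
```

Feed it the lines from "debug crypto isakmp" or the ASA syslog; for the capture above it reports the peer under DefaultL2LGroup with "psk-mismatch" as the likely cause, which is the one item to verify on both ends before touching the phase 1/2 proposals.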

whiteford Mon, 09/14/2009 - 02:11

Hi Andrew,

It seemed whatever I added stopped VPN client users from accessing our network. Could the changes I added have affected them in any way?

I've set the config back to Thursday's now and all can connect.

whiteford Mon, 09/14/2009 - 05:54

Am I right in saying Cisco VPN client users are also dynamic connections?

Think I will need to read that link again as you suggested

I simply added:

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <64 char key here>

This is the config for users on the ASA which seemed to stop users logging on; they would get the logon screen on the VPN client and it would then go and try to authenticate the user and fail:

tunnel-group DefaultL2LGroup general-attributes
default-group-policy AW-L2L
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <64 char key>
tunnel-group DefaultRAGroup ipsec-attributes
isakmp ikev1-user-authentication (outside) none
tunnel-group corp_users type remote-access
tunnel-group corp_users general-attributes
address-pool CLIENT_VPN_POOL
authentication-server-group RADIUS
default-group-policy corp_users
tunnel-group corp_users ipsec-attributes
pre-shared-key
tunnel-group corp_users ppp-attributes
no authentication chap
no authentication ms-chap-v1
tunnel-group corp_admins type remote-access
tunnel-group corp_admins general-attributes
address-pool ADMIN_VPN_POOL
authentication-server-group RADIUS
default-group-policy corp_admins
tunnel-group corp_admins ipsec-attributes
pre-shared-key

Maybe adding those settings changed the config for the remote users.

apdatasoft Mon, 09/14/2009 - 02:58

Hi,

Whiteford, can you tell me what encryption you would use for dynamic VPN in phase 1/2, so that I can build the configuration for you.

Cheers

AP

whiteford Mon, 09/14/2009 - 05:28

Hi,

Well I normally use AES/SHA 256.

Networks:

Remote: 172.18.1.0/24

Local:192.168.90.0/24

Thanks

apdatasoft Mon, 09/14/2009 - 03:05

Hi Whiteford,

Could you tell me what encryption you would use for Phase 1/2 Dynamic VPN, so that I can build the configuration for you,

Cheers

AP

I can understand that - but to put some minds to rest.....even if the phase 1/2 encryption key was captured in a man in the middle attack, the hacker would need to decrypt it and use it.....in the time frame it takes for the session to establish - as anti-replay is a major factor in IPsec.

So this means the hacker needs to break a 128-bit AES encrypted key; the last time I checked no computer exists on the planet earth that can compute or even brute force it in under 50 million years.

If you use PFS as I suggested, this means the encryption key is re-negotiated anyway so the same encryption keys are never used for more than the specific time period.
