How to Bind Multiple l2l connections in a single crypto map

Answered Question
Jul 8th, 2013

Hello guys,

I was wondering if someone can assist me in solving my issue.

I had one VPN connection on the ASA (created a while ago by someone else) and now I also want to create a second connection to the Azure cloud.

I am really confused, since when I use the command "crypto map dyn-map interface outside" the <remote branch ip> connection is working properly, but the Azure connection is not.

If I use the command "crypto map outside-map interface outside", the Azure L2L is working but the remote branch is not.

What am I doing wrong?

FW# show run | include crypto

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.12.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 host 192.168.22.1
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 host 192.168.20.1
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 host 192.168.22.1

access-list outside_2_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list russia_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.12.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list russia_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANSFORMSET-NEOCLOUD esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANSET esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map DYNMAP 1 set ikev1 transform-set TRANSET
crypto dynamic-map DYNMAP 1 set security-association lifetime seconds 28800
crypto dynamic-map DYNMAP 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 1 set reverse-route
crypto dynamic-map DYNMAP 2 match address ACCESSLISTNEOCLOUD
crypto dynamic-map DYNMAP 2 set peer <azure ip>
crypto dynamic-map DYNMAP 2 set ikev1 transform-set TRANSFORMSET-CLOUD
crypto dynamic-map DYNMAP 2 set security-association lifetime seconds 3600
crypto dynamic-map DYNMAP 2 set security-association lifetime kilobytes 102400000
crypto dynamic-map DYNMAP 2 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer <remote branch ip>
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 11 match address ACCESSLISTNEOCLOUD
crypto map outside_map 11 set peer <azure ip>
crypto map outside_map 11 set ikev1 transform-set TRANSFORMSET-CLOUD
crypto map outside_map 11 set security-association lifetime seconds 3600
crypto map outside_map 11 set security-association lifetime kilobytes 102400000
crypto map dyn-map 10 ipsec-isakmp dynamic DYNMAP
crypto map dyn-map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside

crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 enable dmz
crypto ikev1 policy 5
crypto ikev1 policy 9
crypto ikev1 policy 10
crypto ikev1 policy 20
crypto ikev1 policy 30
crypto ikev1 policy 50
crypto ikev1 policy 70
crypto ikev1 policy 65535

Jouni Forss Mon, 07/08/2013 - 02:54

Hi,

If you are configuring L2L VPN connections you won't need any dynamic-map configurations at all.

I presume that both the remote branch and the new connection are L2L VPNs where the VPN peer also has a static public IP address?

Are you using IPsec VPN client connections on this ASA?

- Jouni

STYLIANOS DEMETRIOU Mon, 07/08/2013 - 03:01

Hi again Jouni,

Yes, I am also using IPsec VPN connections. Honestly, I've created these IPsec connections using ASDM, so I don't know if the dynamic-map was created at that time.

Do you want me to provide more details? (object groups, access-lists)
Jouni Forss Mon, 07/08/2013 - 03:03

Essentially, your basic "crypto map" configuration might be as simple as the following:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto ipsec transform-set CONNECTION-1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set CONNECTION-2 esp-aes-256 esp-sha-hmac

crypto map CRYPTOMAP 10 match address CONNECTION-1
crypto map CRYPTOMAP 10 set peer 1.1.1.1
crypto map CRYPTOMAP 10 set transform-set CONNECTION-1
crypto map CRYPTOMAP 10 set reverse-route
crypto map CRYPTOMAP 20 match address CONNECTION-2
crypto map CRYPTOMAP 20 set peer 2.2.2.2
crypto map CRYPTOMAP 20 set transform-set CONNECTION-2
crypto map CRYPTOMAP 20 set reverse-route

crypto map CRYPTOMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map CRYPTOMAP interface outside

Naturally the above configuration doesn't match your configurations, but it's just an example of how simple the "crypto map" section could be. You seem to have a lot of configurations that are not needed.

EDIT: Also, as you can see, I have not provided any ACL configurations or the actual transform-set configurations. The above is simply giving an example of the configuration format on the command line interface.

- Jouni

STYLIANOS DEMETRIOU Mon, 07/08/2013 - 03:36

Thanks Jouni,

Also, could you please let me know if I have any error in DYNMAP? Maybe this is the reason that I am not able to establish the Azure connection.

I forgot to mention that when I use the command "show isakmp sa", sometimes I see the Azure connection and sometimes it disappears.

Could you please give me some troubleshooting commands in order to find out the following:

Which crypto map is applied?

Which ikev1 policy is applied?

Correct Answer
Jouni Forss Mon, 07/08/2013 - 03:56

Hi,

Well, since we are talking about L2L VPN / Site-to-Site VPN, we shouldn't be using a Dynamic Map at all.

Also, Dynamic Map configurations, if needed for VPN Client connections at the same time, SHOULD ALWAYS be configured at a very low priority in the "crypto map" configurations.

In your configuration they are listed as 1 and 2. I typically go with the default that even the ASDM uses, which is 65535, the lowest priority/sequence number.

Though you didn't answer yet (or I didn't notice) if you were using any VPN Client connections on the ASA? If not, then you should probably remove ALL dynamic-map related configurations from the ASA, as they should not be needed for these L2L VPN configurations. They are more likely to cause problems when configured the wrong way.

More detailed information on the connection, when it's actually up, can be gotten with the following commands, for example:

show vpn-sessiondb detail l2l filter ipaddress

show crypto ipsec sa peer

The first one lists a lot of information.

The second one tells you which "crypto map" section was matched.

- Jouni
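The thread's point, in both of Jouni's answers above, is that the two static-peer L2L entries belong in the one crypto map that is actually applied to the outside interface, with the dynamic entry last at 65535. The checker below is an added example, not code from the thread or from Cisco: it reads `show run | include crypto` output in the poster's format and flags exactly those three conditions. The `audit_crypto_maps` function and the sample config (constructed from the poster's own lines, with his peer placeholders) are assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the poster's "show run | include crypto" output.
SAMPLE_CONFIG = """
crypto dynamic-map DYNMAP 1 set ikev1 transform-set TRANSET
crypto dynamic-map DYNMAP 2 match address ACCESSLISTNEOCLOUD
crypto dynamic-map DYNMAP 2 set peer <azure ip>
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer <remote branch ip>
crypto map outside_map 11 match address ACCESSLISTNEOCLOUD
crypto map outside_map 11 set peer <azure ip>
crypto map dyn-map 10 ipsec-isakmp dynamic DYNMAP
crypto map dyn-map interface outside
"""
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
DYN_ENTRY = re.compile(r"^crypto dynamic-map (\S+) (\d+) (.+)$")
LOWEST_PRIORITY = 65535  # sequence number ASDM gives the dynamic entry


def audit_crypto_maps(config):
    """Return findings on how crypto maps are applied and ordered (hypothetical helper)."""
    static = defaultdict(set)    # map name -> sequence numbers of static entries
    dynamic = defaultdict(dict)  # map name -> {seq: dynamic-map it references}
    bound = {}                   # map name -> interface it is applied to
    dyn_with_peer = set()        # dynamic-maps that hard-code a peer address
    for line in config.strip().splitlines():
        line = line.strip()
        if m := MAP_BIND.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := MAP_ENTRY.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            if rest.startswith("ipsec-isakmp dynamic "):
                dynamic[name][seq] = rest.split()[-1]
            else:
                static[name].add(seq)
        elif (m := DYN_ENTRY.match(line)) and m.group(3).startswith("set peer "):
            dyn_with_peer.add(m.group(1))
    findings = []
    for name in static:
        if name not in bound:  # entries in a map that is on no interface never match
            findings.append(f"{name}: has static L2L entries but is not applied to any interface")
    for name, refs in dynamic.items():
        for seq, dyn in refs.items():
            if seq != LOWEST_PRIORITY or any(s > seq for s in static[name]):
                findings.append(f"{name} {seq}: dynamic entry should be last ({LOWEST_PRIORITY}) so static peers match first")
            if dyn in dyn_with_peer:
                findings.append(f"{dyn}: dynamic-map sets a fixed peer; a static-peer L2L tunnel belongs in a numbered 'crypto map' entry")
    return findings
```

Run against the sample it reports that outside_map is not applied, that dyn-map 10 puts the dynamic entry ahead of everything, and that DYNMAP carries a fixed peer; Jouni's consolidated CRYPTOMAP example produces no findings.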
