Solved: How to Bind Multiple l2l connections in a single crypto map

STYLIANOS DEMETRIOU · ‎07-08-2013

Hello guys,

I was wondering if someone can assist me solving my issue.

I had one vpn connection on asa (created a while ago by someone else) and now i want also to create a second connection to azure cloud.

I am really confused since when i use the command "crypto map dyn-map interface outside" the <remote branch ip> connection is working properly

but azure connection is not.

If i use the command " crypto map outside-map interface outside" Azure l2l is working but Remote branch is not.

What am i doing wrong?

FW# show run | include crypto

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.21.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.21.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.12.0 255.255.255.0 192.168.21.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.21.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 host 192.168.22.1

access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 host 192.168.20.1

access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 host 192.168.22.1

access-list outside_2_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list russia_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list russia_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.21.0 255.255.255.0

access-list russia_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.21.0 255.255.255.0

access-list russia_cryptomap extended permit ip 192.168.12.0 255.255.255.0 192.168.21.0 255.255.255.0

access-list russia_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.21.0 255.255.255.0

access-list russia_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set TRANSFORMSET-NEOCLOUD esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set TRANSET esp-aes esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map DYNMAP 1 set ikev1 transform-set TRANSET

crypto dynamic-map DYNMAP 1 set security-association lifetime seconds 28800

crypto dynamic-map DYNMAP 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map DYNMAP 1 set reverse-route

crypto dynamic-map DYNMAP 2 match address ACCESSLISTNEOCLOUD

crypto dynamic-map DYNMAP 2 set peer <azure ip>

crypto dynamic-map DYNMAP 2 set ikev1 transform-set TRANSFORMSET-CLOUD

crypto dynamic-map DYNMAP 2 set security-association lifetime seconds 3600

crypto dynamic-map DYNMAP 2 set security-association lifetime kilobytes 102400000

crypto dynamic-map DYNMAP 2 set reverse-route

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 2 match address outside_1_cryptomap

crypto map outside_map 2 set peer <remote branch ip>

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

crypto map outside_map 11 match address ACCESSLISTNEOCLOUD

crypto map outside_map 11 set peer <azure ip>

crypto map outside_map 11 set ikev1 transform-set TRANSFORMSET-CLOUD

crypto map outside_map 11 set security-association lifetime seconds 3600

crypto map outside_map 11 set security-association lifetime kilobytes 102400000

crypto map dyn-map 10 ipsec-isakmp dynamic DYNMAP

crypto map dyn-map interface outside

crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map dmz_map interface dmz

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 enable inside

crypto ikev1 enable dmz

crypto ikev1 policy 5

crypto ikev1 policy 9

crypto ikev1 policy 10

crypto ikev1 policy 20

crypto ikev1 policy 30

crypto ikev1 policy 50

crypto ikev1 policy 70

crypto ikev1 policy 65535

Jouni Forss · ‎07-08-2013

Hi,

Well since we are talking about L2L VPN / Site to Site VPN we shouldnt be using Dynamic Map at all.

Also Dynamic Map configurations if needed for VPN Client connections on the same time SHOULD ALWAYS be configured at a very low priority in the "crypto map" configurations.

In your configuration they are listed as 1 and 2. I typically go with the default that even the ASDM uses which is 65535 that is the lowest priority/sequence number.

Though you didnt answer yet (or I didnt notice) if you were using any VPN Client connections on the ASA? If not then you should probably remove ALL dynamic-map related configurations from the ASA as they should not be needed for these L2L VPN configurations. They are more likely to cause problems when configured the wrong way.

More detailed information on the connection when its actually up can be gotten with the following commands for example

show vpn-sessiondb detail l2l filter ipaddress

show crypto ipsec sa peer

First one lists a lot of information

Second one tells you which "crypto map" section was matched.

- Jouni

View solution in original post

Jouni Forss · ‎07-08-2013

Hi,

If you are configuring L2L VPN connections you wont need any dynamic-map configurations at all.

I presume that both the remote branch and the new connection are both L2L VPN where the VPN peer has a static public IP address also?

Are you using IPsec VPN client connections on this ASA?

- Jouni

STYLIANOS DEMETRIOU · ‎07-08-2013

Hi again Jouni,

Yes i am using also IPsec Vpn connections, honestly i've created these ipsec connections using ASDM so i don't know if dynamic-map was created that time.

Do you want me to provide more details ? (object groups, access-lists)

Jouni Forss · ‎07-08-2013

Essentially, your basic "crypto map" configuration might be as simply as the following

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto ipsec transform-set CONNECTION-1 esp-aes-256 esp-sha-hmac

crypto ipsec transform-set CONNECTION-2 esp-aes-256 esp-sha-hmac

crypto map CRYPTOMAP 10 match address CONNECTION-1

crypto map CRYPTOMAP 10 set peer 1.1.1.1

crypto map CRYPTOMAP 10 set transform-set CONNECTION-1

crypto map CRYPTOMAP 10 set reverse-route

crypto map CRYPTOMAP 20 match address CONNECTION-2

crypto map CRYPTOMAP 20 set peer 2.2.2.2

crypto map CRYPTOMAP 20 set transform-set CONNECTION-2

crypto map CRYPTOMAP 20 set reverse-route

crypto map CRYPTOMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map CRYPTOMAP interface outside

Naturally the above configuration doesnt match your configurations but its just an example how simple the "crypto map" section could be. You seem to have a lot of configurations that are not needed.

EDIT: Also as you can see I have not provided any ACL configurations or the actual transform-set configurations. The above is simply giving an example of the configuration format on the command line interface.

- Jouni

STYLIANOS DEMETRIOU · ‎07-08-2013

Thanks Jouni,

Also could you please let me know if i have any error on DYNMAP and maybe this is the reason that i am not able to establish azure connection to this..

I forgot to mentioned that when i use the command show isakmp sa sometimes i see azure connections and sometimes it dissapears.

Could you please give me some troubleshooting commands in order to find out the following

Which crypto map is applied?

Which ikev1 policy is applied?

Jouni Forss · ‎07-08-2013

Hi,

Well since we are talking about L2L VPN / Site to Site VPN we shouldnt be using Dynamic Map at all.

Also Dynamic Map configurations if needed for VPN Client connections on the same time SHOULD ALWAYS be configured at a very low priority in the "crypto map" configurations.

In your configuration they are listed as 1 and 2. I typically go with the default that even the ASDM uses which is 65535 that is the lowest priority/sequence number.

Though you didnt answer yet (or I didnt notice) if you were using any VPN Client connections on the ASA? If not then you should probably remove ALL dynamic-map related configurations from the ASA as they should not be needed for these L2L VPN configurations. They are more likely to cause problems when configured the wrong way.

More detailed information on the connection when its actually up can be gotten with the following commands for example

show vpn-sessiondb detail l2l filter ipaddress

show crypto ipsec sa peer

First one lists a lot of information

Second one tells you which "crypto map" section was matched.

- Jouni

STYLIANOS DEMETRIOU · ‎07-08-2013

Thanks a lot Jouni, if i need anything else i will let you know.