
ASA L2L VPN with dynamic crypto assigning to tunnelgroup

Unanswered Question
Feb 20th, 2014

Hello,


My setup is straightforward, nothing special ... an L2L VPN tunnel between an ASA5520 (static IP) as hub

and a Cisco RV215W (dynamic IP) as spoke.


setup-20feb14.jpg


The setup is working fine ... the ASA terminates the L2L IPsec VPN coming from the RV215W.

The tunnels are stable. You can find my config in the attachment.


We are planning about 300 locations terminating on the ASA, which should be fine for an ASA5520

as long as you terminate all sessions on DefaultL2LGroup. But we would like to terminate each

session on a different tunnel group in order to block each location/RV215W in case of theft.


The problem is;

as soon as I configure a tunnel group for each spoke, the ASA is not able to assign the

VPN session to the spoke. Here is the error message:


4|Feb 20 2014|16:13:11|713903|||||Group = DefaultRAGroup, IP = 192.168.2.251, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.

4|Feb 20 2014|16:13:11|713255|||||IP = 192.168.2.251, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '192.168.2.251'.


When I create the tunnel group with the IP address there is no problem. The ASA is able to assign the IP to the tunnel group and everything is fine.

As the RV215W has a dynamic IP on its outside interface this is not an option. The problem is that the RV215W is sending its outside IP as the IKE key.

I was not able to change the IKE key from the IP to something else ... e.g. the hostname.


I found a good solution for ASA and IOS as spoke, but no way for the RV215W. On ASA and IOS you can configure the IKE key:

crypto isakmp identity key-id SPOKE1

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113573-sol-tunnels-groups.html?referring_site=smartnavRD


I would be glad to hear if there is another solution for blocking each RV215W in case of theft.


I hope I was clear in my problem description. Looking forward to hearing from you.


Cengiz
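For readers following the same approach, here is the per-spoke tunnel-group pattern the post refers to, written out as a minimal config. This is an added example, not the poster's attached config and not vendor documentation. It assumes an ASA hub running 8.4+ syntax (`ikev1` keywords), an ASA (not an RV215W) as the spoke, and placeholder names `SPOKE1`, `OUTSIDE-MAP`, `DYN-SPOKES`, `TS-SPOKES` and `<spoke1-psk>`; adjust the IKE policy to whatever your spokes actually propose.

```text
! ---- Hub ASA (ASA5520, 8.4+ syntax assumed) ----
! One tunnel group per spoke. Because the spoke's outside IP is dynamic,
! the tunnel group is named after the key-id the spoke sends as its IKE
! identity in Aggressive Mode, not after an IP address.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Dynamic crypto map so the hub accepts peers with unknown source IPs
crypto ipsec ikev1 transform-set TS-SPOKES esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-SPOKES 10 set ikev1 transform-set TS-SPOKES
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside

! Tunnel group matched by the key-id "SPOKE1" (hypothetical name).
! Each spoke gets its own group and its own pre-shared key, so a stolen
! device can be locked out by removing just this group
! (clear configure tunnel-group SPOKE1) or changing its key.
tunnel-group SPOKE1 type ipsec-l2l
tunnel-group SPOKE1 ipsec-attributes
 ikev1 pre-shared-key <spoke1-psk>

! ---- Spoke ASA (dynamic outside IP) ----
! Send a fixed key-id instead of the outside IP as the IKE identity so
! the hub can select tunnel-group SPOKE1 from Aggressive Mode message 1.
crypto isakmp identity key-id SPOKE1
```

With a spoke that cannot set a key-id (the post's RV215W case), the identity in Aggressive Mode message 1 stays the spoke's current outside IP, which is exactly the `unknown tunnel group name` the hub logs above, and the session falls back to the default group.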
