cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2570
Views
0
Helpful
44
Replies

Dyanmic crypto map

whiteford
Level 1
Level 1

Hello,

I have a VPN that will connect using one of 3 public IP addresses, is it possibel to setup a VPN like this? Normally I setup VPN's with a peer having a single static IP not a pool of IP's?

Thanks

44 Replies 44

Andrew,

Sorry I'm confused (does take much does it)

I simply tried to add:

crypto ipsec transform-set dynset1 esp-AES 128 esp-sha-hmac

crypto dynamic-map cisco 1 set transform-set dynset1

crypto map dyn-map 1 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

crypto map dyn-map 1 set pfs group 5

;) no issues

Here is the thing, you can only have ONE crypto map configured on ONE interface at any one time.

Soooooo if you already have a crypto map configured and attached to the outside interface - then you just amend it, giving your dynamic crypto map and higher sequence number; hope this clears it up.

If not - see an example of one of my crypto maps:-

crypto ipsec transform-set ESP-3DES-SHA1

crypto dynamic-map dyno-map 10 set transform-set ESP-3DES-SHA1

crypto map vpntunnel-outside 1 match address vpn1

crypto map vpntunnel-outside 1 set peer 1.1.1.1

crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1

crypto map vpntunnel-outside 26 match address vpn2

crypto map vpntunnel-outside 26 set peer 2.2.2.2

crypto map vpntunnel-outside 26 set transform-set ESP-3DES-SHA1

crypto map vpntunnel-outside 60 match address vpn3

crypto map vpntunnel-outside 60 set peer 3.3.3.3

crypto map vpntunnel-outside 60 set transform-set ESP-3DES-SHA1

crypto map vpntunnel-outside 65535 ipsec-isakmp dynamic dyno-map

crypto map vpntunnel-outside interface outside

HTH>

I think I do. All my VPN's went down, when I compared the config with last night, I soon realised I had to add back:

"crypto map outside_map interface outside"

so when I added

"crypto map dyn-map interface outside"

bang! They all went down

If I get it I must leave "crypto map outside_map interface outside" as it is?

based on my example in the previous post how should that look? That way it shoudl click for me.

Thanks again Andrew.

Post your current config, remove sensitive info

Hi Andrew, sorry for the delay.

Hopefully I haven't taken out too much for you to work with.

Well from your config - you already have config for dynamic maps, so just add the below and it should work ok:-

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

default-group-policy AW-L2L

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key <>

HTH>

Thanks I take it I can call the "DefaultL2LGroup" anything?

Also to remove this if I have to I can just use:

no tunnel-group DefaultL2LGroup type ipsec-l2l

no tunnel-group DefaultL2LGroup general-attributes

no default-group-policy AW-L2L no

tunnel-group DefaultL2LGroup ipsec-attributes

no pre-shared-key <>

Nope - it has to be the same name, as this is the "default" for all unkown VPN's - as you cannot create a specific tunnel group, as you don't know the IP address of the source.

I understand that part, I'm just not sure where you got "DefaultL2LGroup" from, whether it is a system default "word" itself or you made up this?

I was thinking of just copying you code into my ASA tomorrow (out of hours) and testing?

It's the system default!

Sounds like a plan.

Great stuff!

I will try adding just those 4 lines tomorrow and let you know how it goes.

1.) The great thing now is (well tomorrow) I can setup VPN's without knowing the customers IP address. I guess as long as the pre-shared key, and the IKE and IPsec phases match then I should be ok? Although I will use the IP if they have knowledge of it.

2.) Is having a dynamic VPN quite common?

OK - cool

1) Yep - makes things a little easier

2) Yes - as most buisness ADSL prices are still quite high (in the UK at least) and bundling a static IP on top, increases the cost. I have seen a sharp increase in dynamic VPN's. It also makes bringing a new remote site on-line much easier....just pre-configure the pix/asa and send out!!

Nice.

If I decide to turn this dynamic feature off, how would I achieve this?

c'mon mate - you either remove the whole DefaultL2LGroup config or change the psk

Thanks, sorry for the simple questions.

I'm only a CCNA, forced in to the ASA world. Hopefully some training soon.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: