Cisco Support Community
New Member

Dynamic crypto map

Hello,

I have a VPN that will connect using one of 3 public IP addresses. Is it possible to set up a VPN like this? Normally I set up VPNs with a peer that has a single static IP, not a pool of IPs.

Thanks

44 REPLIES

Re: Dynamic crypto map

crypto map <> <> set peer 0.0.0.0 - will allow ANY VPN to connect.

HTH>

New Member

Re: Dynamic crypto map

Thanks Andrew,

I was thinking this must be a bit of a security risk, allowing any IP, but I guess it isn't any different to the Cisco VPN client, as the public IP for our user can be any IP really?

Also, I just tried setting up a VPN via the wizard in the ASDM and it says 0.0.0.0 can't be used. Is this a CLI option only?

Re: Dynamic crypto map

New Member

Re: Dynamic crypto map

I think this is the only article related to my situation:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Normally to add a VPN to the ASA I would add something like this:

access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.18.1.0 255.255.255.0

crypto map outside_map 17 match address outside_MYcryptomap_1

crypto map outside_map 17 set pfs group5

crypto map outside_map 17 set security-association lifetime seconds 86400

crypto map outside_map 17 set peer 81.14.1.1

crypto map outside_map 17 set transform-set ESP-AES-256-SHA

tunnel-group 81.14.1.1 type ipsec-l2l

tunnel-group 81.14.1.1 general-attributes

default-group-policy My-L2L

tunnel-group 81.14.1.1 ipsec-attributes

pre-shared-key 123456789

isakmp keepalive threshold 10 retry 2

Possible to manipulate the above to be dynamic?

Re: Dynamic crypto map

If you read the config, the dynamic L2L is:-

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

authentication-server-group none

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

No IP address - just a PSK.

And a normal crypto map - but no IP.

HTH>

New Member

Re: Dynamic crypto map

This is what I'm going to add to the ASA:

crypto ipsec transform-set dynset1 esp-aes esp-sha-hmac

crypto dynamic-map cisco 1 set transform-set dynset1

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

authentication-server-group none

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key 123456789

Does it look ok to you?

Re: Dynamic crypto map

I would

1) Set the PSK to something a little more secure

2) Enable PFS and set the time to about an hour or so

3) Enable reverse route injection (required if you don't know what the remote end's IP subnet will be)

New Member

Re: Dynamic crypto map

Thanks for spending some of your time on this, btw.

1) Sorry, that was just an example PSK (123456789); normally I use 10 characters: letters, numbers, symbols, uppercase.

2) Where would I put this in my config example? I guess I would use "set pfs group5" somewhere, and what about the timeout?

3) I will be setting the remote IP subnets, so I will know them; I guess I can miss this out?

Thanks

Re: Dynamic crypto map

Sure - no problem

1) ;) For a "dynamic" one I would use something a little longer; the likelihood that someone would guess or capture it is low, but just to be sure, 32 or 64 characters.

2) crypto map <> set pfs group5

3) You can miss it out, or have it in - belt and braces approach!

HTH>

New Member

Re: Dynamic crypto map

I will try this after lunch. My boss is worried it's insecure, but I said it's the same as the VPN client really, as we don't know their public IP to lock the tunnel down with. Would you agree?

New Member

Re: Dynamic crypto map

Can you check this (not sure if my maps are right) and see what you think before I add it?

crypto ipsec transform-set dynset1 esp-aes esp-sha-hmac

crypto dynamic-map aw-dyn-map 1 set transform-set dynset1

crypto map dyn-map 1 ipsec-isakmp dynamic aw-dyn-map

crypto map dyn-map interface outside

crypto map dyn-map 1 set pfs group 5

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

authentication-server-group none

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key <64 char key here>

Re: Dynamic crypto map

Nothing jumps out at me; configuring this will not affect any current VPNs if you want to do it during production hours.

But you can always do it out of hours!

New Member

Re: Dynamic crypto map

Andrew,

The first problem I got was:

crypto map dyn-map 1 set pfs group5

WARNING: This map entry is linked to dynamic-map: aw-dyn-map.

This attribute will be inactive!

please help

Re: Dynamic crypto map

Bob,

You are creating another crypto map - you should be amending your existing policy!

New Member

Re: Dynamic crypto map

Andrew,

Sorry, I'm confused (doesn't take much, does it).

I simply tried to add:

crypto ipsec transform-set dynset1 esp-aes esp-sha-hmac

crypto dynamic-map cisco 1 set transform-set dynset1

crypto map dyn-map 1 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

crypto map dyn-map 1 set pfs group 5

Re: Dynamic crypto map

;) no issues

Here is the thing: you can only have ONE crypto map configured on ONE interface at any one time.

Soooooo, if you already have a crypto map configured and attached to the outside interface, then you just amend it, giving your dynamic crypto map a higher sequence number; hope this clears it up.

If not - see an example of one of my crypto maps:-

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto dynamic-map dyno-map 10 set transform-set ESP-3DES-SHA1

crypto map vpntunnel-outside 1 match address vpn1

crypto map vpntunnel-outside 1 set peer 1.1.1.1

crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1

crypto map vpntunnel-outside 26 match address vpn2

crypto map vpntunnel-outside 26 set peer 2.2.2.2

crypto map vpntunnel-outside 26 set transform-set ESP-3DES-SHA1

crypto map vpntunnel-outside 60 match address vpn3

crypto map vpntunnel-outside 60 set peer 3.3.3.3

crypto map vpntunnel-outside 60 set transform-set ESP-3DES-SHA1

crypto map vpntunnel-outside 65535 ipsec-isakmp dynamic dyno-map

crypto map vpntunnel-outside interface outside

HTH>
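As an added example (not part of the thread, and not Cisco's code), here is a small Python linter that encodes the advice given so far: only one crypto map can be bound per interface, a set/match attribute on the crypto map entry that links a dynamic map is inactive (the warning quoted earlier) and belongs on the dynamic-map itself, the dynamic entry takes the highest sequence number so static peers are matched first, DefaultL2LGroup has to exist for peers whose IP you don't know, and the pre-shared key should be 32 characters or longer. Both configurations it runs over are constructed: GOOD_CONFIG is the outside_map static entry from the earlier post merged with an aw-dyn-map entry at 65535 plus a DefaultL2LGroup, and BAD_CONFIG is the second-map-on-the-same-interface attempt with a few extra mistakes added. The 64-character placeholder key, the AW-L2L group policy name and the MyDynamicPeers group are assumptions made for the demonstration.

```python
"""ASA crypto-map / tunnel-group linter for the mistakes made in this thread.
Added example, not code from the thread or from Cisco; both configs are constructed."""
import ipaddress
import re
from collections import defaultdict

RE_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
RE_DYN = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
RE_ATTR = re.compile(r"^crypto map (\S+) (\d+) (?:set|match) ")
RE_TG_TYPE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
RE_TG_SECTION = re.compile(r"^tunnel-group (\S+) (?:general|ipsec)-attributes$")
RE_PSK = re.compile(r"^pre-shared-key (\S+)$")

PSK = "K" * 64  # placeholder standing in for a generated 64-character key (assumption)

# Static L2L entry from the thread, the dynamic entry at the highest sequence
# number of the SAME map, and the DefaultL2LGroup that unknown peers fall back to.
GOOD_CONFIG = f"""
crypto ipsec transform-set dynset1 esp-aes esp-sha-hmac
crypto dynamic-map aw-dyn-map 1 set transform-set dynset1
crypto dynamic-map aw-dyn-map 1 set pfs group5
crypto dynamic-map aw-dyn-map 1 set security-association lifetime seconds 3600
crypto map outside_map 17 match address outside_MYcryptomap_1
crypto map outside_map 17 set peer 81.14.1.1
crypto map outside_map 17 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic aw-dyn-map
crypto map outside_map interface outside
tunnel-group 81.14.1.1 type ipsec-l2l
tunnel-group 81.14.1.1 ipsec-attributes
 pre-shared-key {PSK}
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy AW-L2L
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key {PSK}
"""

# Second map bound to the same interface, dynamic entry ahead of a static one,
# PFS on the wrong object, a made-up L2L group name and a 9-character key.
BAD_CONFIG = """
crypto dynamic-map cisco 1 set transform-set dynset1
crypto map outside_map 10 ipsec-isakmp dynamic cisco
crypto map outside_map 17 set peer 81.14.1.1
crypto map outside_map interface outside
crypto map dyn-map 1 ipsec-isakmp dynamic cisco
crypto map dyn-map 1 set pfs group5
crypto map dyn-map interface outside
tunnel-group MyDynamicPeers type ipsec-l2l
tunnel-group MyDynamicPeers ipsec-attributes
 pre-shared-key 123456789
"""


def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def lint(config, min_psk_len=32):
    """Return a list of findings (strings); an empty list means the config is clean."""
    bound = defaultdict(list)  # interface -> crypto maps bound to it
    dyn, seqs, attrs = {}, defaultdict(set), []  # (map, seq) -> dynamic-map; map -> seqs; set/match lines
    tg_types, psks, current_tg = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_BIND.match(line):
            bound[m[2]].append(m[1])
        elif m := RE_DYN.match(line):
            dyn[(m[1], int(m[2]))] = m[3]
            seqs[m[1]].add(int(m[2]))
        elif m := RE_ATTR.match(line):
            seqs[m[1]].add(int(m[2]))
            attrs.append((m[1], int(m[2]), line))
        elif m := RE_TG_TYPE.match(line):
            tg_types[m[1]] = m[2]
        elif m := RE_TG_SECTION.match(line):
            current_tg = m[1]
        elif (m := RE_PSK.match(line)) and current_tg:
            psks[current_tg] = m[1]

    out = []
    for iface, maps in bound.items():  # only one crypto map can be active per interface
        if len(set(maps)) > 1:
            out.append(f"interface {iface}: {len(set(maps))} crypto maps bound ({', '.join(sorted(set(maps)))}); "
                       "the last binding replaces the other and drops its tunnels")
    for mp, seq, line in attrs:  # attributes belong on the dynamic-map, not on the entry that links it
        if (mp, seq) in dyn:
            out.append(f"{line}: entry is linked to dynamic-map {dyn[(mp, seq)]}, so this attribute is inactive; "
                       f"set it under 'crypto dynamic-map {dyn[(mp, seq)]}'")
    for (mp, seq), name in dyn.items():  # static peers must be tried before the catch-all dynamic entry
        if seq < max(seqs[mp]):
            out.append(f"crypto map {mp} {seq}: dynamic entry {name} is not the highest sequence in {mp} (max {max(seqs[mp])})")
    if dyn and "DefaultL2LGroup" not in tg_types:
        out.append("no tunnel-group DefaultL2LGroup: peers with unknown IPs have nothing to authenticate against")
    for name, kind in tg_types.items():  # PSK L2L groups are selected by peer IP, otherwise DefaultL2LGroup
        if kind == "ipsec-l2l" and name != "DefaultL2LGroup" and not _is_ip(name):
            out.append(f"tunnel-group {name}: ipsec-l2l group named neither after a peer IP nor DefaultL2LGroup; "
                       "main-mode PSK peers will not select it")
    for name, psk in psks.items():
        if psk != "*" and len(psk) < min_psk_len:  # '*' is the masked form shown by 'show running-config'
            out.append(f"tunnel-group {name}: pre-shared-key is {len(psk)} characters; use at least {min_psk_len}")
    return out
```

Run `lint(GOOD_CONFIG)` and `lint(BAD_CONFIG)` against a `more system:running-config` dump rather than `show running-config`, since the latter masks every pre-shared key as `*` and the length check then has nothing to measure. The same-interface check is the one that would have caught the outage described in the next post: binding dyn-map to outside silently replaces outside_map.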

New Member

Re: Dynamic crypto map

I think I do. All my VPNs went down; when I compared the config with last night's, I soon realised I had to add back:

"crypto map outside_map interface outside"

so when I added

"crypto map dyn-map interface outside"

bang! They all went down

If I get it, I must leave "crypto map outside_map interface outside" as it is?

Based on my example in the previous post, how should that look? That way it should click for me.

Thanks again Andrew.

Re: Dynamic crypto map

Post your current config, remove sensitive info

New Member

Re: Dynamic crypto map

Hi Andrew, sorry for the delay.

Hopefully I haven't taken out too much for you to work with.

Re: Dynamic crypto map

Well, from your config you already have config for dynamic maps, so just add the below and it should work ok:-

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

default-group-policy AW-L2L

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key <>

HTH>

New Member

Re: Dynamic crypto map

Thanks. I take it I can call the "DefaultL2LGroup" anything?

Also, to remove this if I have to, I can just use:

no tunnel-group DefaultL2LGroup type ipsec-l2l

no tunnel-group DefaultL2LGroup general-attributes

no default-group-policy AW-L2L

no tunnel-group DefaultL2LGroup ipsec-attributes

no pre-shared-key <>

Re: Dynamic crypto map

Nope - it has to be the same name, as this is the "default" for all unknown VPNs, as you cannot create a specific tunnel group when you don't know the IP address of the source.

New Member

Re: Dynamic crypto map

I understand that part; I'm just not sure where you got "DefaultL2LGroup" from, whether it is a system default "word" itself or whether you made it up?

I was thinking of just copying your code into my ASA tomorrow (out of hours) and testing?

Re: Dynamic crypto map

It's the system default!

Sounds like a plan.

New Member

Re: Dynamic crypto map

Great stuff!

I will try adding just those 4 lines tomorrow and let you know how it goes.

1.) The great thing now is (well, tomorrow) I can set up VPNs without knowing the customer's IP address. I guess as long as the pre-shared key and the IKE and IPsec phases match, then I should be ok? Although I will use the IP if they have knowledge of it.

2.) Is having a dynamic VPN quite common?

Re: Dynamic crypto map

OK - cool

1) Yep - makes things a little easier

2) Yes - as most business ADSL prices are still quite high (in the UK at least) and bundling a static IP on top increases the cost. I have seen a sharp increase in dynamic VPNs. It also makes bringing a new remote site on-line much easier....just pre-configure the PIX/ASA and send it out!!

New Member

Re: Dynamic crypto map

Nice.

If I decide to turn this dynamic feature off, how would I achieve this?

Re: Dynamic crypto map

C'mon mate - you either remove the whole DefaultL2LGroup config or change the PSK.

New Member

Re: Dynamic crypto map

Thanks, sorry for the simple questions.

I'm only a CCNA, forced into the ASA world. Hopefully some training soon.
