
2900 router to ASA - L2L VPN with router side dynamic IP

treimers1 (Level 1)

Hi everyone -

I need to do an L2L VPN between two devices.

The VPN needs to pass traffic for several subnets.

There are routers behind all the equipment, so routing isn't a problem, and I understand how to do the traffic matching ACLs so that we get the correct traffic sent over the link.

For the sake of background info, this is a CME router that's portable in a case, and is designed to operate either off a satellite link or a direct Ethernet link to some public Internet access.

The router does an IPSec L2L VPN back to home, and allows an H.323 trunk to permit calling between the phones on the remote system and the main phone system at the head end site.

Equipment:

Main site is an ASA 5505 with a static public IP.

Remote site is a 2911 router

The router has a fixed IP address on a satellite link (FastEthernet 0/1)

That link is connected to a satellite modem.

The router also has FastEthernet 0/0 set up as DHCP.

I have a VPN config in the ASA and in the router that works for the satellite link, using the DefaultL2L tunnel group.

At one time, that worked OK for the initial setup.

Now, I'm trying to use the same router, connected to the FastEthernet0/0 interface, with it getting a dynamic IP from an ISP.

The satellite would be shut down.

The same crypto map is applied to both the FastEthernet 0/0 and FastEthernet 0/1 interfaces, so the same VPN tunnel should try to come up over whichever interface is available.

Based on this:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

The Cisco document states that the IPSec L2L tunnels require static IP addressing on each end -

"

tunnel-group 172.17.1.1 type ipsec-l2l

!--- In order to create and manage the database of connection-specific
!--- records for ipsec-l2l—IPsec (LAN-to-LAN) tunnels, use the command
!--- tunnel-group in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.

tunnel-group 172.17.1.1 ipsec-attributes

pre-shared-key *

!--- Enter the pre-shared-key in order to configure the
!--- authentication method".

I asked the vendor for the CME equipment about just using EasyVPN in NEM mode, since I know that would route networks, but he said that won't work for multiple subnets behind routers behind the VPN-endpoints.

Is it in fact possible to establish an IPSec L2L VPN tunnel between an ASA with a fixed IP and a remote 29XX router with a dynamic IP address, and route several subnets over that link?

I can post bits of config, but some of this is proprietary to that vendor, so I can't post entire configs.

Thanks


5 Replies

You can have multiple subnets behind the inside interface of an EasyVPN remote. The feature is named "Multiple Subnet Support" and is described in the configuration guide:

http://www.cisco.com/en/US/partner/docs/ios-xml/ios/sec_conn_esyvpn/configuration/15-0m/sec-easy-vpn-rem.html#GUID-D7DBF82F-FC4C-4A04-A060-21A10647DB7B

Hi Karsten -

I'm afraid I cannot use the EasyVPN feature at all.

The vendor informs me that there is another IPSec VPN tunnel which connects back to their office to provide other capabilities.

So I have to use L2L IPSec -- and do it with a dynamic IP from the router side, to a fixed IP on the ASA side.

Is it possible to build the tunnel-group on the ASA side so that it doesn't require a known IP for the remote side of the tunnel?

I'm using the DefaultL2L tunnel group (on the ASA) at the moment to terminate the VPN when the router is using the satellite connection via FA0/1, with a fixed IP address.

But the DefaultL2L group doesn't have the IP of the router -- yet it works...

The same VPN config, used from the FA0/0 interface of the router with the same crypto map, just gives the traditional "No match, deleting SA" message.

I can see the router trying to establish the VPN, but it's just not able to negotiate, and the only reason I could think of was that the FA0/0 interface had a DHCP address instead of a static IP.

Strange that it works OK with the ASA's DefaultL2L tunnel group, with no mention of the router's FA0/1 static IP, yet the FA0/0 with a dynamic IP won't work.

We did just hook up the satellite and used FA0/1 to test it -- vpn came up instantly...

Hi,

I would like to say something if you don't mind, but first, 5 stars for Karsten's post, because it initially answered your question with the EzVPN scenario.

Well, actually, to establish an L2L from an unknown IP address, you have two options:

1- Use the DefaultL2LGroup.

2- Use certificate authentication.

If a connection arrives as an L2L and the ASA does not have either a crypto map entry or a tunnel-group for it, the connection will land on the DefaultL2LGroup and the correct dynamic map.

So, please check this out:

Dynamic IPsec Tunnel Between a Statically Addressed ASA and a Dynamically Addressed Cisco IOS Router

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml

Let us know if you have any questions.

Thanks.

Please rate any post that you find helpful.
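The hub-side setup this answer describes, written out as an added example (it is not configuration from the thread or from the linked Cisco document): an ASA with a dynamic crypto map and a pre-shared key on DefaultL2LGroup, plus the matching IOS configuration for the DHCP-addressed router. The ASA address 203.0.113.10, the subnets (10.10.0.0/16 behind the router, 10.20.0.0/16 behind the ASA), the object names and the key are placeholders. The ASA side uses the pre-8.4 syntax of the tunnel-group snippet quoted in the question (on 8.4 and later the equivalents are crypto ikev1 policy, crypto ipsec ikev1 transform-set, set ikev1 transform-set and ikev1 pre-shared-key) and the pre-8.3 NAT exemption syntax; the router interface names are the ones used in the question.

```cisco
! ===== ASA 5505 (hub, static public IP 203.0.113.10) =====
! Added example, pre-8.4 syntax. Names, subnets and the key are placeholders.

! IKE phase 1; the router must offer the same parameters.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! IPsec phase 2 proposal
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Dynamic crypto map: no "set peer", so a peer with any source address
! can match it. reverse-route injects the subnets the router proposes
! into the ASA routing table once the SA is up.
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route

! The dynamic entry takes the highest sequence number so that any
! static peer entries in the same map are tried first.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! No tunnel-group is named after the router's address, so the peer
! lands in DefaultL2LGroup. One key serves every unknown peer: anyone
! holding it can bring up an L2L tunnel to this hub.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key Str0ngSharedSecret

! Keep the site-to-site traffic out of NAT (pre-8.3 syntax).
access-list NONAT extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! ===== 2911 (spoke, DHCP address on FastEthernet0/0) =====
! The spoke always initiates: the hub has no address to call.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Str0ngSharedSecret address 203.0.113.10

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Interesting traffic: one line per subnet pair; 10.10.0.0/16 here
! stands for the several subnets behind the downstream routers.
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255

crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES-SHA
 match address VPN-TRAFFIC

! The same map can also be applied to FastEthernet0/1 (satellite); it
! is evaluated on whichever interface carries the route to the peer.
interface FastEthernet0/0
 ip address dhcp
 crypto map VPN-MAP
```

Two points worth keeping in mind with this design. Because the ASA has no peer address to dial, only the router can bring the tunnel up, so the first interesting packet has to originate on the router side (or the router needs some other trigger). And the DefaultL2LGroup key is shared by every peer that is not matched by a more specific tunnel-group, so any device that obtains it can establish an L2L tunnel to the hub; that is the reason the second option above, certificate authentication, is the better choice wherever a CA is available. After the router initiates, show crypto isakmp sa and show crypto ipsec sa on either box confirm the phase 1 and phase 2 SAs, and debug crypto isakmp on the ASA shows which tunnel-group and crypto map entry an incoming peer actually matched.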

hi,

My scenario is different than above. My IOS router is behind my local ASA and I need to tunnel from the router to a remote ASA.

Will this configuration work in this scenario?

Please help.

Hi there,

One thing you should do is to open IPSec pass-through inspection on the ASA and set up one-to-one NAT (if NAT control is enabled); otherwise just open an ACL on the outside interface to allow traffic from the remote ASA to the local router on ESP, ISAKMP and NAT-T.

HTH.
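The two choices in this reply, written out for the local ASA as an added example (not configuration from the thread): a one-to-one static for the router together with an inbound ACL for ISAKMP, NAT-T and ESP, and the ipsec-pass-thru inspection alternative. The router address 192.168.1.2, its mapped address 203.0.113.20 and the remote ASA 198.51.100.5 are placeholders; the NAT and ACL lines use pre-8.3 syntax, where an inbound ACL references the mapped (translated) address.

```cisco
! ===== Local ASA in front of the IOS router (added example) =====

! One-to-one static so the router keeps a stable outside identity;
! the remote ASA will see 203.0.113.20 as the peer.
static (inside,outside) 203.0.113.20 192.168.1.2 netmask 255.255.255.255

! Option 1: explicit holes for IKE (udp/500), NAT-T (udp/4500) and ESP
! from the remote ASA to the router's mapped address.
access-list OUTSIDE-IN extended permit udp host 198.51.100.5 host 203.0.113.20 eq isakmp
access-list OUTSIDE-IN extended permit udp host 198.51.100.5 host 203.0.113.20 eq 4500
access-list OUTSIDE-IN extended permit esp host 198.51.100.5 host 203.0.113.20
access-group OUTSIDE-IN in interface outside

! Option 2: IPsec pass-through inspection. Once the router's outbound
! IKE exchange is permitted, the ASA opens the matching ESP pinholes
! itself, so no static ESP entry in the ACL is needed.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
```

With the inspection option the ACL lines for udp/500 and udp/4500 are still only needed if the remote ASA has to initiate; when the router behind the firewall always initiates, its own outbound IKE packets open the return path. Restrict the ACL to the remote peer's address as shown rather than permitting ISAKMP and ESP from any source.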
