Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

2900 router to ASA - L2L VPN with router side dynamic IP

Hi everyone -

I need to do an L2L VPN between two devices.

The VPN needs to pass traffic for several subnets.

There are routers behind all the equipment, so routing isn't a problem, and I understand how to do the traffic matching ACLs so that

we get the correct traffic sent over the link.

For sake of background info, this is a CME router that's portable in a case, and is designed to operate either off a satellite

link or a direct Ethernet link to some public Internet access.

The router does an IPSec L2L VPN back to home, and allows an H.323 trunk to permit calling between the phones on the remote system and the main phone system at the head end site.

Equipment:

Main site is an ASA 5505 with a static public IP.

Remote site is a 2911 router

The router has a fixed IP address on a satellite link (FastEthernet 0/1)

That link is connected to a satellite modem.

The router also has FastEthernet 0/0 set up as DHCP.

I have a VPN config in the ASA and in the router that works for the satellite link, using the DefaultL2L tunnel group.

At one time, that worked OK for the initial setup.

Now, I'm trying to use the same router, connected to the FastEthernet0/0 interface, with it getting a dynamic IP from an ISP.

The satellite would be shut down.

The same crypto map is applied to both the FastEthernet 0/0 and FastEthernet0/1 interfaces - so the same VPN tunnel should

try to come up over whichever interface is available.

Based on this:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

The Cisco document states that the IPSec L2L tunnels require static IP addressing on each end -

"

tunnel-group 172.17.1.1 type ipsec-l2l

!--- In order to create and manage the database of connection-specific
!--- records for ipsec-l2l—IPsec (LAN-to-LAN) tunnels, use the command
!--- tunnel-group in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.

tunnel-group 172.17.1.1 ipsec-attributes

pre-shared-key *

!--- Enter the pre-shared-key in order to configure the
!--- authentication method".

I asked the vendor for the CME equipment about just using EasyVPN in NEM mode, since I know that would route networks, but he said that won't work for multiple subnets behind routers behind the VPN-endpoints.

Is it in fact possible to establish an IPSec L2L VPN tunnel between an ASA with a fixed IP and a remote 29XX router

with a dynamic IP address, and route several subnets over that link?

I can post bits of config, but some of this is proprietary to that vendor, so I can't post entire configs..

Thanks

2 ACCEPTED SOLUTIONS

Accepted Solutions
VIP Purple

2900 router to ASA - L2L VPN with router side dynamic IP

You can have multiple subnets behind the inside interface of an EasyVPN remote. The feature is named "Multiple Subnet Support" and is described in the configuration-guide:

http://www.cisco.com/en/US/partner/docs/ios-xml/ios/sec_conn_esyvpn/configuration/15-0m/sec-easy-vpn-rem.html#GUID-D7DBF82F-FC4C-4A04-A060-21A10647DB7B


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Re: 2900 router to ASA - L2L VPN with router side dynamic IP

Hi,

I would like to say something if you dont mind, but first 5 stars for Karsten's post, because it initially answered your question with the EzVPN scenario

Well actually to establish a L2L from a unknown IP address, you have two options:

1- Use the DefaultL2LGroup.

2- Use certificate authentication.

If a connection arrives as a L2L and the ASA does not have either a crypto map or a tunnel-group, the connection will be landed on the DefaultL2LGroup and the correct dynamic-map.

So, please check this out:

Dynamic IPsec Tunnel Between a Statically Addressed ASA and a Dynamically Addressed Cisco IOS Router

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml

Let us know if you have any questions.

Thanks.

Please rate any post that you find helpful.

5 REPLIES
VIP Purple

2900 router to ASA - L2L VPN with router side dynamic IP

You can have multiple subnets behind the inside interface of an EasyVPN remote. The feature is named "Multiple Subnet Support" and is described in the configuration-guide:

http://www.cisco.com/en/US/partner/docs/ios-xml/ios/sec_conn_esyvpn/configuration/15-0m/sec-easy-vpn-rem.html#GUID-D7DBF82F-FC4C-4A04-A060-21A10647DB7B


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: 2900 router to ASA - L2L VPN with router side dynamic IP

Hi Karsten -

I'm afraid I cannot use the EasyVPN feature at all.

The vendor informs me that there is another IPSec  VPN tunnel which connects back to their office to provide other capabilities.

So I have to use L2L IPSec -- and do it with a dynamic IP from the router side, to a fixed IP on the ASA side.

Is it possible to build the tunnel-group on the ASA side so that it doesn't require a known IP for the remote side of the tunnel?

I'm using DefaultL2L tunnel group (on the ASA) at the moment to terminate the VPN when the router is using the satellite connection via FA90/1, with a fixed IP address.

But the DefaultL2L group doesn't have the IP of the router -- yet it works...

The same VPN config, used from the FA0/0 interface of the router with the same crypto map

just gives the traditional "No match, deleting SA" message..

I can see the router trying to establish the VPN, but it's just not able to negotiate, and the only reason I could think of was that the FA0/0 interface had a DHCP address instead of a static IP.

Strange that it works OK with the ASA's DefaultL2L tunnel group, with no mention of the router's FA0/1 static IP, yet the FA0/0 with a dynamic IP won't work.

We did just hook up the satellite and used FA0/1 to test it -- vpn came up instantly...

Re: 2900 router to ASA - L2L VPN with router side dynamic IP

Hi,

I would like to say something if you dont mind, but first 5 stars for Karsten's post, because it initially answered your question with the EzVPN scenario

Well actually to establish a L2L from a unknown IP address, you have two options:

1- Use the DefaultL2LGroup.

2- Use certificate authentication.

If a connection arrives as a L2L and the ASA does not have either a crypto map or a tunnel-group, the connection will be landed on the DefaultL2LGroup and the correct dynamic-map.

So, please check this out:

Dynamic IPsec Tunnel Between a Statically Addressed ASA and a Dynamically Addressed Cisco IOS Router

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml

Let us know if you have any questions.

Thanks.

Please rate any post that you find helpful.

New Member

hi,my scenario is different

hi,

my scenario is different than above. My ios router is behind my local asa and i need to tunnel from router to remote asa.

will this configuration work in this scenario?

 

 

please help..

Hi there, One thing you

Hi there,

 

One thing you should do is to open IPSec pass-through inspection on the ASA and setup one-to-one NAT (if NAT control is enabled), otherwise just opened an ACL on the outside interface to allow traffic from the remote ASA to the LOCAL Router on ESP, ISAKMP and NAT-T.

 

HTH.

3578
Views
15
Helpful
5
Replies
CreatePlease login to create content