ASA - Multiple dynamic maps

I have working configs for both a Cisco IPsec remote access VPN and an L2TP/IPsec remote access VPN; however, I can only get one to work at a time (depending on which dynamic map has the lower sequence number in my crypto map).

I get Phase 2 errors either way (when Cisco IPsec works, L2TP clients fail with Phase 2 errors, and vice versa).

Is there a way to accommodate both remote access VPN types at the same time?
ASA Version 9.2(1)

crypto ipsec ikev1 transform-set home esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map home_dyn_map 10 set ikev1 transform-set home
crypto dynamic-map home_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map home_dyn_map 10 set reverse-route
crypto dynamic-map home-l2tp_dyn_map 10 set ikev1 transform-set home-l2tp
crypto map home_map 10 ipsec-isakmp dynamic home_dyn_map
crypto map home_map 20 ipsec-isakmp dynamic home-l2tp_dyn_map
crypto map home_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200

group-policy home internal
group-policy home attributes
 dns-server value 192.168.10.2
 vpn-tunnel-protocol ikev1
group-policy home-l2tp internal
group-policy home-l2tp attributes
 dns-server value 192.168.10.2
 vpn-tunnel-protocol l2tp-ipsec

tunnel-group home type remote-access
tunnel-group home general-attributes
 address-pool vpnpool
 default-group-policy home
tunnel-group home ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group home-l2tp type remote-access
tunnel-group home-l2tp general-attributes
 address-pool vpnpool
 default-group-policy home-l2tp
tunnel-group home-l2tp ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group home-l2tp ppp-attributes
 authentication ms-chap-v2
Currently the Cisco IPsec VPN is working, but if I lower the sequence number and change:

crypto map home_map 20 ipsec-isakmp dynamic home-l2tp_dyn_map

to

crypto map home_map 5 ipsec-isakmp dynamic home-l2tp_dyn_map
the L2TP VPN works instead (and the Cisco IPsec clients then fail with Phase 2 errors).

Any advice on how to accommodate both remote access VPN types at the same time?

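One common way to serve both client types on a single crypto map (an added example, not part of the original post, reusing the names from the config above): offer both transform sets on one dynamic-map entry instead of two dynamic maps. A dynamic-map entry without a match ACL matches any remote-access peer, so the lowest-sequence dynamic entry in home_map always wins and the client's Phase 2 proposal is checked only against that entry's transform sets; listing both there lets the ASA negotiate tunnel mode with the Cisco IPsec client and transport mode with the L2TP client.

```cisco
! Added example, not from the original post. Assumes the names on the
! page: transform sets home / home-l2tp, dynamic map home_dyn_map,
! crypto map home_map applied to the outside interface.
!
! Keep both transform sets: tunnel mode for the Cisco IPsec client,
! transport mode for L2TP/IPsec clients.
crypto ipsec ikev1 transform-set home esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp mode transport
!
! Drop the second dynamic map and its crypto-map entry ...
no crypto map home_map 20 ipsec-isakmp dynamic home-l2tp_dyn_map
no crypto dynamic-map home-l2tp_dyn_map 10 set ikev1 transform-set home-l2tp
!
! ... and offer both transform sets on the single remaining entry.
! The ASA accepts whichever of the two the connecting client proposes.
crypto dynamic-map home_dyn_map 10 set ikev1 transform-set home home-l2tp
crypto dynamic-map home_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map home_dyn_map 10 set reverse-route
crypto map home_map 10 ipsec-isakmp dynamic home_dyn_map
!
! Verify with one client of each type connected: each SA's
! "in use settings" line should show Tunnel for the Cisco IPsec
! client and Transport for the L2TP client.
show crypto ipsec sa
```

The two tunnel-groups and group-policies from the original config are unchanged; only the Phase 2 proposal matching moves onto one dynamic-map entry.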