New Member

L2TP and IPSEC RA on CRYPTO MAP

Hi,

I'm facing a problem: I have an ASA 8.4 and I need to configure two kinds of Remote Access VPN on the same outside interface:

L2TP and IPsec VPN.

The problem is that both use the same crypto map and, strangely, it appears that when one has a higher priority order (for example, the crypto map entry for L2TP), the IPsec client doesn't work.

Here is the configuration:

crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2      
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

crypto ipsec ikev1 transform-set myset esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set MyRA esp-3des esp-md5-hmac 


crypto dynamic-map dynmap 1 set ikev1 transform-set myset
crypto dynamic-map MapRAvpn 1 set ikev1 transform-set MyRA
crypto dynamic-map MapRAvpn 1 set reverse-route


crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap 10 ipsec-isakmp dynamic MapRAvpn
crypto map mymap interface outside

 

All my Phase 1 settings are correct, which is why I haven't mentioned the configuration for Phase 1.

The crypto map mymap 1 is related to the L2TP client.

The crypto map mymap 10 is related to the IPsec RA client.

With this order, only the L2TP clients are able to connect, but if I change the order of mymap 1 to 15, for example, only the IPsec clients are able to connect.

Is it possible to run the two types of client on the same crypto map?

4 REPLIES
Cisco Employee

Hi,

Yes, both L2TP and remote access are supported at the same time.

You don't need two dynamic maps; just one map would suffice, in which you call both transform sets.

crypto dynamic-map dynmap 1 set ikev1 transform-set MyRA myset 

crypto map mymap 1 ipsec-isakmp dynamic dynmap

 

Try this out.

 

 

New Member

Hi,

Again, thank you for your answer. I have tried changing the crypto map, but when I do this only the IPsec VPN works; when I go back to the previous config, the L2TP VPN works but not the IPsec!

 

 

Cisco Employee

Hi,

Try this then:

crypto dynamic-map dynmap 1 set ikev1 transform-set MyRA

crypto dynamic-map dynmap 2 set ikev1 transform-set myset 

 

This should do it for you.

 

Regards,

Nitish Emmanuel

 

New Member

Hi,

A similar problem.

crypto dynamic-map dynmap 1 set ikev1 transform-set MyRA

crypto dynamic-map dynmap 2 set ikev1 transform-set myset

Only IPsec works.

 

If changing the sequence...

crypto dynamic-map dynmap 2 set ikev1 transform-set MyRA

crypto dynamic-map dynmap 1 set ikev1 transform-set myset

Only L2TP works.
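
An added example, not part of any post in this thread: a small Python script that reads the crypto lines from the first post and lists, lowest sequence number first, which dynamic-map entry and transform sets (with their encapsulation mode) each `mymap` entry offers. The function name `evaluation_order` and the embedded sample are constructed for illustration; a transform set with no `mode` line is assumed to be in tunnel mode, the ASA default.

```python
import re

# Constructed sample: the crypto lines quoted from the first post in this thread.
CONFIG = """\
crypto ipsec ikev1 transform-set myset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set MyRA esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set ikev1 transform-set myset
crypto dynamic-map MapRAvpn 1 set ikev1 transform-set MyRA
crypto dynamic-map MapRAvpn 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap 10 ipsec-isakmp dynamic MapRAvpn
crypto map mymap interface outside
"""

TS = re.compile(r"crypto ipsec ikev1 transform-set (\S+) (.+)")
DYN = re.compile(r"crypto dynamic-map (\S+) (\d+) set ikev1 transform-set (.+)")
MAP = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")

def evaluation_order(config, map_name):
    """Return [(map_seq, dyn_name, dyn_seq, [(ts_name, algs, mode), ...])], ascending."""
    tsets, dyn, entries = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := TS.fullmatch(line):
            ts = tsets.setdefault(m[1], {"algs": [], "mode": "tunnel"})  # assumed default
            words = m[2].split()
            if words[0] == "mode" and len(words) > 1:
                ts["mode"] = words[1]
            else:
                ts["algs"] = words
        elif m := DYN.fullmatch(line):
            dyn.setdefault(m[1], {})[int(m[2])] = m[3].split()
        elif (m := MAP.fullmatch(line)) and m[1] == map_name:
            entries.append((int(m[2]), m[3]))
    rows = []
    unknown = {"algs": [], "mode": "unknown"}  # transform set referenced but never defined
    for seq, dname in sorted(entries):
        for dseq, names in sorted(dyn.get(dname, {}).items()):
            sets = [(n, tuple(tsets.get(n, unknown)["algs"]), tsets.get(n, unknown)["mode"]) for n in names]
            rows.append((seq, dname, dseq, sets))
    return rows

if __name__ == "__main__":
    for seq, dname, dseq, sets in evaluation_order(CONFIG, "mymap"):
        for name, algs, mode in sets:
            print(f"mymap {seq} -> {dname} {dseq}: {name} {' '.join(algs)} ({mode})")
```

Running it against the variants suggested in the replies (after editing `CONFIG`) shows at a glance which entry a connecting client reaches first and in which mode.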
