Question (short)
How to set up 2 totally different dynamic l2l vpn tunnels on an ASA5506
Question (extended)
We have a Cisco ASA5506 Security Appliance and we want to set up 2 dynamic VPN setups.
- Tunnel for various windows clients;
- Tunnel to a branch office with dynamic ip using DynDNS.
We can set up the tunnels individually without a problem but can't get them both working at once.
VPN 1 (windows clients)
Cisco ASA5506 config
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
dns-server value 10.100.3.1
vpn-tunnel-protocol l2tp-ipsec
default-domain value vbv.local
banner value U bent nu aangemeld op het netwerk, zet uw VPN verbinding uit wanneer u klaar bent.
wins-server value 10.100.3.1
dns-server value 10.100.3.1
vpn-filter value VBV_VPN_CLIENT_FILTER
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VBV_VPN_CLIENTS
exit
tunnel-group DefaultRAGroup general-attributes
default-group-policy l2tp-ipsec_policy
address-pool POOL-VPN_VBVLOCAL
authentication-server-group VBV_LDAP LOCAL
password-management
strip-realm
exit
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
exit
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
no authentication ms-chap-v2
exit
crypto ipsec transform-set winClient esp-3des esp-sha-hmac
crypto ipsec transform-set winClient mode transport
crypto dynamic-map dynWinVPN 500 set ikev1 transform-set winClient
crypto map cmap_WAN-GLASVEZEL 500 ipsec-isakmp dynamic dynWinVPN
crypto isakmp enable WAN-GLASVEZEL
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
exit
access-list VBV_VPN_CLIENT_FILTER extended permit object-group obj-VBVLOCAL_VPN_AllowedServices any any log notifications
access-list VBV_VPN_CLIENTS extended permit ip object-group obj-VBVLOCAL_VPN_AllowedNetworks any
The above works perfectly on its own. I know about the PAP auth, but the reason is the LDAP verification (can't get that working with MS-CHAPv2, and that is of later concern).
VPN 2 (site to site to branch office)
Cisco ASA5506 config
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ***.dyndns.org 100 set pfs group1
crypto dynamic-map ***.dyndns.org 100 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map ***.dyndns.org 100 set security-association lifetime seconds 86400
crypto dynamic-map ***.dyndns.org 100 set security-association lifetime kilobytes 9216000
crypto map cmap_WAN-GLASVEZEL 100 ipsec-isakmp dynamic ***.dyndns.org
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group ***.dyndns.org type ipsec-l2l
tunnel-group ***.dyndns.org general-attributes
default-group-policy grpPol_vbvjb
tunnel-group ***.dyndns.org ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
!
Branch office Cisco 881 router
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ****** address ***
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
crypto ipsec security-association lifetime kilobytes 9216000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP-***_BACKUP 1 ipsec-isakmp
description TUNNEL-***_BACKUP_****
set peer *****
set transform-set ESP-3DES-SHA
set pfs group1
match address 171
!
access-list 171 remark VPN-IPSEC-***_BACKUP
access-list 171 permit ip 192.168.10.0 0.0.0.255 10.100.0.0 0.0.3.255 log
access-list 177 permit icmp any host 10.100.3.1
Same story here: fully working on its own, but I can't combine it with the setup above.
So in short, I can set up both VPN setups and get them working, but I cannot get them working in one configuration.
Keynotes
- Works separately but not together;
- Branch office uses DynDNS because it has no static IP;
- Windows VPN clients use L2TP with LDAP server verification;
- Strange thing I see is that site2site uses DefaultRAGroup and clients DefaultL2LGroup.
- How can I check which crypto dynamic map catches the connection?
Hope someone in here can help so we do not have to call Cisco TAC.
Best Answer
Try changing the crypto map sequence number for the dynamic entry to a higher one (e.g. >500), see this note:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46242-lan-to-lan-vpn-client.html#crypto
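An added example (not from the original post or the answer) of what that ordering looks like in the poster's own crypto map, followed by the ASA show commands that reveal which dynamic map and tunnel-group a peer actually landed in. It assumes the "dynamic entry" meant is the remote-access map dynWinVPN, and that it should become the last entry evaluated; the peer address is a placeholder.

```cisco
! Keep the branch-office dynamic map at 100 and move the remote-access
! dynamic map from 500 to the highest sequence number, so it is tried last.
! (Assumption: this is the entry the answer refers to.)
crypto map cmap_WAN-GLASVEZEL 100 ipsec-isakmp dynamic ***.dyndns.org
no crypto map cmap_WAN-GLASVEZEL 500 ipsec-isakmp dynamic dynWinVPN
crypto map cmap_WAN-GLASVEZEL 65535 ipsec-isakmp dynamic dynWinVPN
!
! Verify the resulting order of the crypto map entries.
show running-config crypto map
!
! Which tunnel-group did each phase-1 negotiation select?
show crypto ikev1 sa detail
!
! Sessions listed per type: the branch office should appear under l2l,
! the Windows clients under ra-ikev1-ipsec, not the other way round.
show vpn-sessiondb detail l2l
show vpn-sessiondb detail ra-ikev1-ipsec
!
! Phase-2 SAs for one peer (203.0.113.10 is a placeholder for the
! branch office's current DynDNS address).
show crypto ipsec sa peer 203.0.113.10
!
! Full IKEv1 trace while a tunnel is brought up; shows the tunnel-group
! and dynamic map chosen for the incoming peer.
debug crypto ikev1 127
```

Run the debug only while reproducing the problem and turn it off afterwards with undebug all, since it is verbose on a busy WAN interface.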