06-13-2013 12:57 AM - edited 03-11-2019 06:57 PM
Hi,
I just managed to completely screw all our tunnels when trying to configure l2l to allow a remote peer with dynamic address to form a tunnel with me.
I'm pretty confident that my dyn map kicked in on every tunnel, and then the phase 2 would fail because I use different parameters for the tunnels.
Question is, how can I safely combine normal config (peers with static addresses) AND allowing a few to hit the dyn maps?
This is the working config prior to my tests:
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set peer 1.2.3.4
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map interface wan
crypto map dynamic-map 20 ipsec-isakmp dynamic itinteg-slott
And then, I configured the dynamic map:
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
I then proceeded to accept incoming connections for 'dynamic-map' on interface 'wan'
crypto map dynamic-map interface wan
This obviously faulted everything, because the last applied rule removed the 'crypto map outside_map interface wan', which led to all other tunnels being matched ONLY to the dynamic-map.
Oh, one question more, I'm not sure how to configure the tunnel-group when I don't know the peer IP?
06-13-2013 01:31 AM
Hi,
Maybe this document might help you out
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
The problem in your case at the moment would be that the "outside_map" is not attached to any interface anymore so the L2L VPN won't work anymore.
The "dynamic-map" should be part of the "outside_map" configurations
You could for example have the following base configuration
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 3 set peer 1.2.3.4
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface wan
Though seems your above L2L VPN example configuration is lacking the "match address" which would also mean it wouldn't be a complete configuration for a L2L VPN
Hope this helps
- Jouni
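The layout rule in the reply above (static L2L entries and the dynamic entry in the same crypto map, the dynamic entry with the highest sequence number, and that one map applied to the interface) is easy to get wrong when editing by hand. Below is an added example, not part of this thread and not Cisco code, of a small audit script that parses crypto map lines as pasted from a running config and reports the layout problems described in the thread: static entries living in a map that is not applied to any interface, a dynamic entry that references an undefined dynamic-map, a dynamic entry sequenced before static entries, and static entries missing match address, set peer or set transform-set. The two embedded configs are constructed from the snippets in the thread; the ACL name outside_3_cryptomap is made up, and the regular expressions only recognise the command forms that appear on this page.

```python
import re

# Command forms seen in the thread; any other line is ignored by the parser.
RE_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
RE_DYN_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
RE_STATIC = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
RE_DYNMAP = re.compile(r"^crypto dynamic-map (\S+) (\d+) set .+$")

# Attributes a static L2L crypto map entry needs to be complete.
REQUIRED_STATIC = ("match address", "set peer", "set transform-set")

# Constructed: the original poster's layout, with static entries in outside_map
# and a separate 'dynamic-map' applied to the interface. ACL name is made up.
BROKEN_CONFIG = """
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 1.2.3.4
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map dynamic-map 20 ipsec-isakmp dynamic itinteg-slott
crypto map dynamic-map interface wan
"""

# Constructed: the layout from the reply, dynamic entry last in the same map.
FIXED_CONFIG = """
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 1.2.3.4
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface wan
"""


def parse(config_text):
    """Collect crypto map entries, dynamic-map definitions and interface bindings."""
    maps = {}        # map name -> {"static": {seq: {attr: value}}, "dynamic": {seq: dynmap}}
    bindings = {}    # interface -> name of the crypto map applied to it
    dynmaps = set()  # names defined with 'crypto dynamic-map'
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := RE_BIND.match(line):
            bindings[m.group(2)] = m.group(1)
        elif m := RE_DYN_ENTRY.match(line):
            entry = maps.setdefault(m.group(1), {"static": {}, "dynamic": {}})
            entry["dynamic"][int(m.group(2))] = m.group(3)
        elif m := RE_STATIC.match(line):
            entry = maps.setdefault(m.group(1), {"static": {}, "dynamic": {}})
            entry["static"].setdefault(int(m.group(2)), {})[m.group(3)] = m.group(4)
        elif m := RE_DYNMAP.match(line):
            dynmaps.add(m.group(1))
    return maps, bindings, dynmaps


def audit(config_text):
    """Return a list of findings; an empty list means the layout is consistent."""
    maps, bindings, dynmaps = parse(config_text)
    applied = set(bindings.values())
    findings = []
    for name, entries in maps.items():
        # Static L2L entries only take effect in the map applied to the interface.
        if entries["static"] and name not in applied:
            findings.append(f"{name}: has static L2L entries but is not applied to any interface")
        for seq, attrs in sorted(entries["static"].items()):
            for attr in REQUIRED_STATIC:
                if attr not in attrs:
                    findings.append(f"{name} {seq}: missing '{attr}'")
        for seq, dyn in sorted(entries["dynamic"].items()):
            if dyn not in dynmaps:
                findings.append(f"{name} {seq}: references undefined dynamic-map '{dyn}'")
            # Entries are evaluated in sequence order, so the catch-all dynamic
            # entry must come after every peer-specific static entry.
            shadowed = sorted(s for s in entries["static"] if s > seq)
            if shadowed:
                findings.append(
                    f"{name} {seq}: dynamic entry is evaluated before static entries "
                    f"{shadowed}; give it the highest sequence number"
                )
    for iface, name in bindings.items():
        if name not in maps:
            findings.append(f"{iface}: applied crypto map '{name}' has no entries")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original layout", BROKEN_CONFIG), ("corrected layout", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Running the script flags the original layout twice (outside_map is no longer applied anywhere, and the dynamic entry points at a dynamic-map that is never defined) and reports nothing for the corrected layout. Paste the output of show running-config crypto into the parser to check a live box the same way.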
06-13-2013 02:27 AM
Ah, I think I see it now. The dynamic map is part of the outside map, but with the highest possible identifier so it is evaluated last. Right?
Yep, the match address got lost when I removed a lot of other config to boil it down to the essence. The match address is obviously present in all my tunnel configs.
06-13-2013 02:32 AM
And additionally, the proposed solution for dynamic peers (with no PKI) is aggressive mode:
crypto isakmp peer address 10.198.16.141 set aggressive-mode password cisco456 set aggressive-mode client-endpoint fqdn SPOKE2
The remote peer is 7.2 and it doesn't swallow that syntax. I kind of remember from somewhere in the back of my head that aggressiveness is not supported wildly (on older versions, or something). If so, what are my options besides upgrading the remote peer?
Thanks
06-13-2013 02:34 AM
Hi,
It seems to me you are trying to insert a Cisco Router configuration format into the firewall
Notice that the SPOKE1 in the example is a Cisco Firewall. Use its configuration formats as an example
The SPOKE2 configurations use a Cisco Router configuration format.
I guess the document wants to give examples of implementing the setup with both Routers and actual firewalls which is of course nice.
- Jouni
06-13-2013 02:32 AM
Hi,
Yes, the point is that the specific L2L VPN configurations are matched first and then rest falls to the dynamic map configurations.
Did you manage to get the L2L VPN configuration corrected and working?
If your question has been answered, please mark the reply as the correct answer
Though naturally ask more if needed
- Jouni