Combining dynamic l2l peers

3moloz123
Level 1

Hi,

I just managed to completely screw all our tunnels when trying to configure l2l to allow a remote peer with dynamic address to form a tunnel with me.

I'm pretty confident that my dyn map kicked in on every tunnel, and then the phase 2 would fail because I use different parameters for the tunnels.

Question is, how can I safely combine normal config (peers with static addresses) AND allowing a few to hit the dyn maps?

This is the working config prior to my tests:

crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set peer 1.2.3.4
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map interface wan
crypto map dynamic-map 20 ipsec-isakmp dynamic itinteg-slott

And then, I configured the dynamic map:

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

I then proceeded to accept incoming connections for 'dynamic-map' on interface 'wan':

crypto map dynamic-map interface wan

This obviously faulted everything, because the last applied rule removed the 'crypto map outside_map interface wan', which led to all other tunnels being matched ONLY to the dynamic-map.

Oh, one question more: I'm not sure how to configure the tunnel-group when I don't know the peer IP?


Jouni Forss
VIP Alumni

Hi,

Maybe this document might help you out

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml

The problem in your case at the moment would be that the "outside_map" is not attached to any interface anymore, so the L2L VPN won't work anymore.

The "dynamic-map" should be part of the "outside_map" configurations.

You could for example have the following base configuration:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 3 set peer 1.2.3.4
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface wan

Though it seems your above L2L VPN example configuration is lacking the "match address", which would also mean it wouldn't be a complete configuration for a L2L VPN.

Hope this helps

- Jouni
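As an added example for this page (not code from the thread or from Cisco), the following Python checker parses the crypto map lines of an ASA-style configuration and reports the two layout problems discussed in the reply above: a crypto map that exists but is bound to no interface, and a dynamic entry that is not the last one evaluated in the map bound to the outside interface. It also flags a static entry missing its "match address", "set peer" or "set transform-set". The three configurations inside it are constructed from the snippets in the thread; the ACL name outside_3_cryptomap is an assumed placeholder for the match address the poster says exists.

```python
"""Lint ASA-style crypto map configuration for the layout mistake in this
thread: a dynamic crypto map bound straight to the interface (displacing the
static L2L map) or a dynamic entry that is not the last one evaluated.

Added example for this page; not code from the thread or from Cisco. The
configs below are constructed from the thread's snippets, and the ACL name
outside_3_cryptomap is an assumed placeholder for the 'match address'.
"""
import re
from collections import defaultdict

MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
DYN_ENTRY = re.compile(r"^crypto dynamic-map (\S+) (\d+) .+$")
COMMAND = {"peer": "set peer", "match": "match address", "transform": "set transform-set"}


def parse(config):
    """entries[map][seq] keeps the keywords the lint needs; bindings maps
    interface -> crypto map; dynmaps is the set of defined dynamic-map names."""
    entries, bindings, dynmaps = defaultdict(lambda: defaultdict(dict)), {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_IFACE.match(line):
            bindings[m.group(2)] = m.group(1)
        elif m := MAP_ENTRY.match(line):
            name, seq, words = m.group(1), int(m.group(2)), m.group(3).split()
            entry = entries[name][seq]          # created even for 'set pfs' etc.
            if len(words) < 3:
                continue
            if words[:2] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["match", "address"]:
                entry["match"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["transform"] = words[2:]
        elif m := DYN_ENTRY.match(line):
            dynmaps.add(m.group(1))
    return entries, bindings, dynmaps


def lint(config, interface):
    """Findings for the crypto map bound to `interface`; empty when sound."""
    entries, bindings, dynmaps = parse(config)
    bound = bindings.get(interface)
    if bound is None:
        return [f"no crypto map is bound to interface {interface}"]
    findings = []
    # Dead config: a map that hangs off no interface. This is what happened to
    # outside_map once 'crypto map dynamic-map interface wan' replaced it.
    for name in sorted(entries):
        if name not in bindings.values():
            findings.append(f"crypto map {name} is not bound to any interface")
    seqs = entries.get(bound, {})
    if not seqs:
        return findings + [f"crypto map {bound} on {interface} has no entries"]
    static = {s: e for s, e in seqs.items() if "dynamic" not in e}
    dynamic = {s: e for s, e in seqs.items() if "dynamic" in e}
    if not static:
        findings.append(f"crypto map {bound} on {interface} has no static entries; "
                        "every peer will be matched by the dynamic map")
    # Entries are evaluated in sequence order; the catch-all dynamic entry
    # must carry the highest sequence so specific peers are tried first.
    for seq, e in sorted(dynamic.items()):
        if e["dynamic"] not in dynmaps:
            findings.append(f"{bound} {seq} references undefined dynamic-map {e['dynamic']}")
        if static and seq < max(static):
            findings.append(f"{bound} {seq} (dynamic) is evaluated before static entry "
                            f"{max(static)}; give the dynamic entry the highest sequence number")
    for seq, e in sorted(static.items()):
        for key, cmd in COMMAND.items():
            if key not in e:
                findings.append(f"{bound} {seq} lacks '{cmd}'")
    return findings


# Constructed from the original post: the dynamic map got its own crypto map
# bound to wan, which displaced outside_map.
BROKEN = """\
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 1.2.3.4
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map dynamic-map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map dynamic-map interface wan
"""

# Constructed from the accepted layout: one map, dynamic entry at 65535.
FIXED = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 1.2.3.4
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface wan
"""

# Constructed variant: right map, but the dynamic entry sits below the static
# peer at 20, and 20 has no match address.
MISORDERED = """\
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 set peer 1.2.3.4
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface wan
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(label, lint(cfg, "wan") or ["ok"])
```

Run as a script it prints the findings for each constructed config: two for the broken layout, none for the corrected one, two for the misordered variant. It checks layout only; it says nothing about the ESP-3DES-SHA transform set and PFS group 1 used in the thread, both of which are deprecated and would fail a modern review on their own.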

Ah, I think I see it now. The dynamic map is part of the outside map, but with the highest possible identifier so it is evaluated last. Right?

Yep, the match address got lost when I removed a lot of other config to boil it down to the essence. The match address is obviously present in all my tunnel configs.

And additionally, the proposed solution for dynamic peers (with no PKI) is aggressive mode:

crypto isakmp peer address 10.198.16.141
 set aggressive-mode password cisco456
 set aggressive-mode client-endpoint fqdn SPOKE2

The remote peer is 7.2 and it doesn't swallow that syntax. I kind of remember from somewhere in the back of my head that aggressive mode is not widely supported (on older versions, or something). If so, what are my options besides upgrading the remote peer?

Thanks

Hi,

It seems to me you are trying to insert a Cisco Router configuration format into the firewall.

Notice that the SPOKE1 in the example is a Cisco Firewall. Use its configuration format as an example.

The SPOKE2 configurations use a Cisco Router configuration format.

I guess the document wants to give examples of implementing the setup with both Routers and actual firewalls, which is of course nice.

- Jouni

Hi,

Yes, the point is that the specific L2L VPN configurations are matched first and then rest falls to the dynamic map configurations.

Did you manage to get the L2L VPN configuration corrected and working?

If your question has been answered, please mark the reply as the correct answer

Though naturally ask more if needed

- Jouni
