cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3263
Views
0
Helpful
44
Replies

Dyanmic crypto map

whiteford
Level 1
Level 1

Hello,

I have a VPN that will connect using one of 3 public IP addresses, is it possibel to setup a VPN like this? Normally I setup VPN's with a peer having a single static IP not a pool of IP's?

Thanks

44 Replies 44

andrew.prince
Level 10
Level 10

crypto map <> <> set peer 0.0.0.0 - will allow ANY VPN to connect.

HTH>

Thanks Andrew,

I was thinking this must be a bit of a security risk allowing any IP, but I guess it isn't any different to the Cisco VPN client as the public IP for our user can be any IP really?

Also I just tried setting up a VPn via the wizard in the ASDM and it says 0.0.0.0 can't be used. Is this a CLI option only?

I think this is the only article related to my situation:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Normally to add a VPN to the ASA I would add something like this:

access-list outside_MYcryptomap_15 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.18.1.0 255.255.255.0

crypto map outside_map 17 match address outside_MYcryptomap_1

crypto map outside_map 17 set pfs group5

crypto map outside_map 17 set security-association lifetime seconds 86400

crypto map outside_map 17 set peer 81.14.1.1

crypto map outside_map 17 set transform-set ESP-AES-256-SHA

tunnel-group 81.14.1.1 type ipsec-l2l

tunnel-group 81.14.1.1 general-attributes

default-group-policy My-L2L

tunnel-group 81.149.1.1 ipsec-attributes

pre-shared-key 123456789

isakmp keepalive threshold 10 retry 2

Possible to manipulate the above to be dynamic?

If you read the config, the dynamic L2L is:-

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

authentication-server-group none

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

no IP address - just a psk.

And a normal crypto map - but no IP.

HTH>

This is what I'm going to add to the ASA:

crypto ipsec transform-set dynset1 esp-AES 128 esp-sha-hmac

crypto dynamic-map cisco 1 set transform-set dynset1

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

authentication-server-group none

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key 123456789

Does it look ok to you?

andrew.prince
Level 10
Level 10

I would

1) Set the PSK tom something a little more secure

2) Enable PFS and set the time to about an hour or so

3) Enable reverse route injection (require if you don't know what the remote end IP subnet will be

Thanks for spending some of you time on this btw.

1) Sorry that was just an example psk (123456789) normally I use 10 chars leters,numbers, symbols, uppercase.

2) Where would I put this in my config example? I guess I would use "set pfs group5" somewhere and what about the timeout?

3) I will be setting the remote IP subnets so will will no, so I guess I can miss this out?

Thanks

Sure - no problem

1) ;) I would for a "dyanamic" used something a little longer, the likely hood that someone would guess or capture it is low - but just to be sure 32 or 64 charactures.

2) crypto map <> set pfs group5

3) You can miss it out, or have it in - belt a braces approach!

HTH>

I will try this after lunch. My boss is worried it's insecure, but I said it's the same as VPN client really as we don't know their public IP to lock the tunnel down with, would you agree?

Can you check this (not sure if my maps are right) and see what you think before I add?

crypto ipsec transform-set dynset1 esp-AES 128 esp-sha-hmac

crypto dynamic-map aw-dyn-map 1 set transform-set dynset1

crypto map dyn-map 1 ipsec-isakmp dynamic aw-dyn-map

crypto map dyn-map interface outside

crypto map dyn-map 1 set pfs group 5

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

authentication-server-group none

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key <64 char key here>

No jumps out at me, configuring this will not affect any current VPN's if you want to do during production hours.

But you can always do it out of hours!

Andrew,

The first problem I got was:

crypto map dyn-map 1 set pfs group5

WARNING: This map entry is linked to dynamic-map: aw-dyn-map.

This attribute will be inactive!

please help

Bob,

You are creating another crypto map - you should be amending to your existing policy!

Review Cisco Networking for a $25 gift card