Site-to-site VPN with dynamic IP on one side: traffic goes in one direction only

sasha
Level 1

Hello. We're trying to make an S2S VPN between an IOS router with a dynamic IP address and an old ASA with a static IP address. Both the ASA and the router use hairpinning. There are a number of static VPNs on the ASA that all work OK, and this is the first dynamic S2S VPN we're trying to establish.

On the ASA, we're using DefaultL2LGroup and a dynamic crypto map entry for this VPN. The VPN comes up as soon as the router boots, due to IP SLA. Debug on the ASA shows that the connection lands on the correct tunnel group and crypto map entry. But traffic goes from router to ASA only: show crypto ipsec sa shows there are #pkts encrypt on the router and #pkts decrypt on the ASA, but zeros for the other direction on both devices.

While running packet-tracer on the ASA, debug shows that IPsec skips dynamic crypto map entries when selecting an ACL for encryption!?!

IPSEC(crypto_map_check)-5: Checking crypto map inside_map 65534: skipping dynamic_link.

Consequently, it finds no matching ACL and drops the traffic.

Here are relevant parts of the configurations. Router:

---

version 15.7

crypto keyring test_keyring
  pre-shared-key address x.x.x.x key xyz

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! "hash sha" and "lifetime 86400" are by default

crypto isakmp profile test_profile
 keyring test_keyring
 match identity address x.x.x.x 255.255.255.255

crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

crypto ipsec df-bit clear

crypto map test_map 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-256-SHA
 set isakmp-profile test_profile
 match address test_acl

interface Vlan1
 ip address 10.10.23.1 255.255.255.0
 crypto map test_map

ip access-list extended test_acl
 permit ip 10.10.23.0 0.0.0.255 10.2.0.0 0.0.255.255

ip sla 10
 icmp-echo 10.2.0.3 source-ip 10.10.23.1
 frequency 30
ip sla schedule 10 life forever start-time now

---

ASA:

ASA Version 8.2(5)

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list inside_dyn_test_acl extended permit ip 10.2.0.0 255.255.0.0 10.10.23.0 255.255.255.0

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map inside_dyn_test_map 10 match address inside_dyn_test_acl
crypto dynamic-map inside_dyn_test_map 10 set transform-set ESP-AES-256-SHA

crypto map inside_map 65534 ipsec-isakmp dynamic inside_dyn_test_map

crypto map inside_map interface inside

crypto isakmp identity address
crypto isakmp enable inside

crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key xyz

---

Are we missing something? We must have a dynamic crypto map entry on the ASA, but how do we make IPsec use it when encrypting traffic? Please help. Thanks and best regards.
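One check that is worth automating when a site-to-site tunnel passes traffic in only one direction is that the crypto ACLs on the two peers are exact mirror images, because the ASA will only encrypt outbound traffic whose source/destination pair matches a proxy identity it negotiated. IOS writes ACEs with wildcard masks and the ASA writes them with subnet masks, so a by-eye comparison is easy to get wrong. The script below is an added example, not code from the post or from Cisco: it parses both ACL styles, normalises each ACE to a (source network, destination network) pair, reverses the ASA side and reports what is mirrored and what is not. The sample ACL text is constructed in the shape of the two ACLs quoted above; the `any` and `host` forms are handled as well, which goes beyond the post's single ACE.

```python
"""Check that an IOS crypto ACL and an ASA crypto ACL are mirror images.

Added example for the thread above; not the poster's code and not a Cisco tool.
IOS ACEs use wildcard masks, ASA ACEs use subnet masks. Both are normalised to
ipaddress.IPv4Network objects and compared as (src, dst) pairs with one side
reversed, which is the "mirror image" relationship a crypto ACL pair needs.
"""
import ipaddress
import re

# Constructed sample input, modelled on the ACLs quoted in the post.
IOS_ACL = """
ip access-list extended test_acl
 permit ip 10.10.23.0 0.0.0.255 10.2.0.0 0.0.255.255
"""
ASA_ACL = """
access-list inside_dyn_test_acl extended permit ip 10.2.0.0 255.255.0.0 10.10.23.0 255.255.255.0
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to a network.

    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) map to a prefix;
    anything else is rejected rather than silently mis-read.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # w+1 is a power of two only for contiguous wildcards
        raise ValueError("non-contiguous wildcard mask: %s" % wildcard)
    prefix = 32 - (w + 1).bit_length() + 1
    return ipaddress.IPv4Network("%s/%d" % (addr, prefix), strict=False)


def _take(tokens, mask_kind):
    """Pop one address spec (any | host X | X MASK) from tokens, return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if mask_kind == "wildcard":
        return wildcard_to_network(tok, mask)
    return ipaddress.IPv4Network((tok, mask), strict=False)


def parse_acl(text, mask_kind):
    """Return the set of (src, dst) networks from the 'permit ip' ACEs in text.

    mask_kind is "wildcard" for IOS output and "netmask" for ASA output.
    Lines that are not 'permit ip' ACEs (headers, deny entries) are skipped.
    """
    pairs = set()
    for line in text.splitlines():
        m = re.search(r"\bpermit ip\s+(.*)$", line)
        if not m:
            continue
        tokens = m.group(1).split()
        src = _take(tokens, mask_kind)
        dst = _take(tokens, mask_kind)
        pairs.add((src, dst))
    return pairs


def mirror_report(ios_text, asa_text):
    """Compare an IOS crypto ACL with an ASA crypto ACL after mirroring the ASA side."""
    ios = parse_acl(ios_text, "wildcard")
    asa_mirrored = {(dst, src) for src, dst in parse_acl(asa_text, "netmask")}
    return {
        "mirrored": ios & asa_mirrored,
        "only_on_ios": ios - asa_mirrored,
        "only_on_asa": asa_mirrored - ios,
    }


if __name__ == "__main__":
    report = mirror_report(IOS_ACL, ASA_ACL)
    for key, pairs in report.items():
        print(key)
        for src, dst in sorted(pairs, key=str):
            print("   %s -> %s" % (src, dst))
```

Paste the real `show ip access-list` and `show access-list` output in place of the constructed samples; any entry listed under `only_on_ios` or `only_on_asa` is a proxy identity that one peer will propose and the other will not match, which shows up exactly as counters incrementing on one side only.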