Hello. We're trying to make an S2S VPN between an IOS router with a dynamic IP address and an old ASA with a static IP address. Both the ASA and the router use hairpinning. There are a number of static VPNs on the ASA that all work OK, and this is the first dynamic S2S VPN we're trying to establish.
On the ASA, we're using DefaultL2LGroup and a dynamic crypto map entry for this VPN. The VPN comes up as soon as the router boots due to IP SLA. Debug on the ASA shows that the connection lands on the correct tunnel group and crypto map entry. But traffic goes from the router to the ASA only: show crypto ipsec sa shows #pkts encrypt on the router and #pkts decrypt on the ASA, but zeros for the other direction on both devices.
While running packet-tracer on the ASA, debug shows that IPSec skips dynamic crypto map entries when selecting an ACL for encryption!?!
IPSEC(crypto_map_check)-5: Checking crypto map inside_map 65534: skipping dynamic_link.
Consequently, it finds no matching ACL and drops the traffic.
Here are relevant parts of the configurations. Router:
---
version 15.7
!
crypto keyring test_keyring
  pre-shared-key address x.x.x.x key xyz
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! "hash sha" and "lifetime 86400" are by default
crypto isakmp profile test_profile
   keyring test_keyring
   match identity address x.x.x.x 255.255.255.255
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto map test_map 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-256-SHA
 set isakmp-profile test_profile
 match address test_acl
!
interface Vlan1
 ip address 10.10.23.1 255.255.255.0
 crypto map test_map
!
ip access-list extended test_acl
 permit ip 10.10.23.0 0.0.0.255 10.2.0.0 0.0.255.255
!
ip sla 10
 icmp-echo 10.2.0.3 source-ip 10.10.23.1
 frequency 30
ip sla schedule 10 life forever start-time now
---
ASA:
ASA Version 8.2(5)
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_dyn_test_acl extended permit ip 10.2.0.0 255.255.0.0 10.10.23.0 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map inside_dyn_test_map 10 match address inside_dyn_test_acl
crypto dynamic-map inside_dyn_test_map 10 set transform-set ESP-AES-256-SHA
crypto map inside_map 65534 ipsec-isakmp dynamic inside_dyn_test_map
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key xyz
---
Are we missing something? We must have a dynamic crypto map entry on the ASA, but how to make IPSec use it when encrypting traffic? Please help. Thanks and best regards.
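The post above diagnoses the problem from two things: the `#pkts encaps`/`#pkts decaps` counters in `show crypto ipsec sa` on each end, and whether the crypto ACL on the ASA mirrors the one on the router. The script below automates both checks. It is an added example, not code from the original post or from Cisco: the two `show crypto ipsec sa` snippets are constructed to resemble IOS 15.x and ASA 8.2 output (they are not real captures), and the documentation addresses 203.0.113.5 / 203.0.113.10 stand in for the x.x.x.x peer addresses in the post.

```python
"""Two checks for a one-way IPsec L2L tunnel (constructed example, not from the post).

1. Parse 'show crypto ipsec sa' from both ends and classify each SA as
   bidirectional, encrypt-only, decrypt-only or idle from its counters.
2. Normalise an IOS wildcard-mask crypto ACE and an ASA netmask crypto ACE to
   networks and verify that the two are exact mirrors.
"""
import ipaddress
import re

# Constructed sample: router side encrypts toward the ASA but never decrypts.
IOS_SA_SAMPLE = """\
interface: Vlan1
    Crypto map tag: test_map, local addr 10.10.23.1

   local  ident (addr/mask/prot/port): (10.10.23.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.5 port 500
    #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample: ASA side decrypts from the router but never encrypts.
ASA_SA_SAMPLE = """\
interface: inside
    Crypto map tag: inside_dyn_test_map, seq num: 10, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.23.0/255.255.255.0/0/0)
      current_peer: 203.0.113.5
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412
"""

# The crypto ACEs from the two configurations in the post (IOS wildcard, ASA netmask).
ROUTER_ACE = "permit ip 10.10.23.0 0.0.0.255 10.2.0.0 0.0.255.255"
ASA_ACE = "permit ip 10.2.0.0 255.255.0.0 10.10.23.0 255.255.255.0"

IDENT_RE = re.compile(
    r"(local|remote)\s+ident\s*\(addr/mask/prot/port\):\s*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
ACE_RE = re.compile(r"permit\s+ip\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)")


def parse_ipsec_sa(text):
    """Return one dict per SA: proxy identities as networks plus encaps/decaps counts."""
    sas = []
    # Each SA block starts at its 'local ident' line; text before the first one is header.
    for chunk in re.split(r"(?=\n\s*local\s+ident)", text):
        idents = {side: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                  for side, addr, mask in IDENT_RE.findall(chunk)}
        if "local" not in idents or "remote" not in idents:
            continue
        counters = {name: int(n) for name, n in COUNTER_RE.findall(chunk)}
        sas.append({"local": idents["local"], "remote": idents["remote"],
                    "encaps": counters.get("encaps", 0),
                    "decaps": counters.get("decaps", 0)})
    return sas


def classify(sa):
    """Direction of traffic actually flowing through this SA, from its counters."""
    if sa["encaps"] and sa["decaps"]:
        return "bidirectional"
    if sa["encaps"]:
        return "encrypt-only"
    if sa["decaps"]:
        return "decrypt-only"
    return "idle"


def proxy_ids_mirror(sa_a, sa_b):
    """The negotiated proxy identities on the two ends must be exact mirrors."""
    return sa_a["local"] == sa_b["remote"] and sa_a["remote"] == sa_b["local"]


def crypto_ace_networks(line, wildcard):
    """Normalise a 'permit ip A MASK B MASK' crypto ACE to (src, dst) networks.

    ipaddress accepts both netmasks and hostmasks (wildcards), but reads
    '0.0.0.0' as a netmask (/0), so an IOS host wildcard is special-cased to /32.
    """
    src, smask, dst, dmask = ACE_RE.search(line).groups()

    def net(addr, mask):
        if wildcard and mask == "0.0.0.0":
            return ipaddress.ip_network(f"{addr}/32")
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    return net(src, smask), net(dst, dmask)


def acls_are_mirrors(ios_ace, asa_ace):
    """True when the router (wildcard) and ASA (netmask) crypto ACEs mirror each other."""
    s1, d1 = crypto_ace_networks(ios_ace, wildcard=True)
    s2, d2 = crypto_ace_networks(asa_ace, wildcard=False)
    return s1 == d2 and d1 == s2


def diagnose(ios_output, asa_output, ios_ace, asa_ace):
    """Run both checks on the first SA of each end and return a summary dict."""
    router, asa = parse_ipsec_sa(ios_output)[0], parse_ipsec_sa(asa_output)[0]
    return {"router": classify(router), "asa": classify(asa),
            "proxy_ids_mirror": proxy_ids_mirror(router, asa),
            "crypto_acls_mirror": acls_are_mirrors(ios_ace, asa_ace)}


if __name__ == "__main__":
    for key, value in diagnose(IOS_SA_SAMPLE, ASA_SA_SAMPLE, ROUTER_ACE, ASA_ACE).items():
        print(f"{key}: {value}")
```

On the constructed samples this reports the router as encrypt-only, the ASA as decrypt-only, and both the negotiated proxy identities and the configured crypto ACLs as mirrors, which is the same picture the post describes. The script only tells you which direction is dead and rules out an ACL mismatch; it says nothing about why the ASA is not encrypting, so the next step is still `debug crypto ipsec` on the end whose encaps counter stays at zero.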