Beginner

IPSEC Site to Site Static IOS (1921) and dynamic ASA (5505)

I'm trying to move VPN termination from a Cisco ASA 5520 to a 1921 router. The main site has a static IP; all other remote sites are dynamic. The remote sites are a mix of ASAs and IOS routers. All ASAs currently authenticate with PKI certs; I'd like to authenticate with a pre-shared key for ease.

Question 1: At the central site, can I terminate remote ASAs using legacy policy-based tunnels as well as IOS routers using VTI/DMVPN tunnels at the same time?

Question 2: If the answer to question 1 is yes, for the love of God, can someone please provide the correct mix of components needed for that? I can't find any examples anywhere of that configuration.

I keep getting auth mismatches and so many errors in debug, it's not worth posting.

---------------------------------------

Here are some pieces from the hub IOS config I have (trying to terminate a dynamic-IP ASA):

crypto ikev2 proposal IKEV2-PROPOSAL_1
 encryption aes-cbc-256
 integrity sha512
 group 24
crypto ikev2 proposal IKEV2-PROPOSAL_2
 encryption aes-cbc-256
 integrity sha256
 group 24
!
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL_1
 proposal IKEV2-PROPOSAL_2
!
crypto ikev2 profile IKEV2-PROFILE_S2S_DYNAMIC
 description ** Allows dynamic tunnels **
 match identity remote any
 authentication remote pre-share key XXX
 authentication local pre-share key XXX
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set TRANSFORMSET-IPSEC_S2S-DYNAMIC esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto dynamic-map CRYPTOMAP-DYNAMIC_S2S 1
 description ** CANDIAMANTICS DYNAMIC TUNNELS **
 set transform-set TRANSFORMSET-IPSEC_S2S-DYNAMIC
 set pfs group24
 set ikev2-profile IKEV2-PROFILE_S2S_DYNAMIC
!
crypto map CRYPTOMAP_OUTSITE 65001 ipsec-isakmp dynamic CRYPTOMAP-DYNAMIC_S2S
!

(crypto map added to interface)

------------------------------

Anyone done this before?

VIP Expert

Hello,

Below are some excerpts from the guidelines linked below:

--> • VTI and crypto map configurations can co-exist on the same physical interface, provided the peer address configured in the crypto map and the tunnel destination for the VTI are different

Guidelines for Virtual Tunnel Interfaces

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf

Question #1 answered by both replies, thanks guys.

"--> • VTI and crypto map configurations can co-exist on the same physical interface, provided the peer address configured in the crypto map and the tunnel destination for the VTI are different"

By this, you mean something like:

interface tunnel 1           <--- create VTI like usual
 tunnel source gi 0/0        <--- link it to physical like usual
 lots of other stuff... like IKEv2 proposal and IPsec profile, etc.

-and-

crypto dynamic-map NAME and stuff   <--- create the dynamic map
crypto map NAME dynamic NAME ...    <--- link dynamic map in crypto map

interface gi 0/0
 standard interface stuff
 crypto map NAME   <--- link crypto map to the same physical interface as the tunnel source interface above?

I'll try to post the actual config if this is correct.

I need a (static route/ACL) VTI to Azure, a DMVPN interface (with EIGRP), and a dynamic (policy-based) VPN for the ASA, all in the same 1921. It's like an omelet with every topping.
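An added example of the combined hub configuration on IOS, not config from the original poster or from Cisco: it pairs a static-peer VTI to Azure with the dynamic crypto map from the first post on the same physical interface, reusing the poster's IKEv2 proposal and policy (assumed already present). The addresses (RFC 5737 documentation ranges), the 10.10.0.0/16 Azure route, the profile and keyring names and the PSK placeholders are assumptions; the DMVPN mGRE tunnel is left out.

```cisco
! Keyring: one PSK per static peer, a wildcard entry for the dynamic ASAs
crypto ikev2 keyring KEYRING-S2S
 peer AZURE
  address 203.0.113.10
  pre-shared-key AZURE-PSK-PLACEHOLDER
 peer DYNAMIC-ASA
  address 0.0.0.0 0.0.0.0
  pre-shared-key ASA-PSK-PLACEHOLDER
!
! Profile for the static VTI peer: matched on its fixed address only
crypto ikev2 profile IKEV2-PROFILE_AZURE
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING-S2S
!
! Catch-all profile reserved for the dynamic crypto-map peers
crypto ikev2 profile IKEV2-PROFILE_S2S_DYNAMIC
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING-S2S
!
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Route-based side: IPsec profile bound to the VTI
crypto ipsec profile IPSEC-PROFILE_AZURE
 set transform-set TS-AES256-SHA
 set ikev2-profile IKEV2-PROFILE_AZURE
!
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-PROFILE_AZURE
!
! Policy-based side: dynamic map has no fixed peer, so it never
! collides with the VTI destination (the co-existence condition above)
crypto dynamic-map CRYPTOMAP-DYNAMIC_S2S 1
 set transform-set TS-AES256-SHA
 set pfs group24
 set ikev2-profile IKEV2-PROFILE_S2S_DYNAMIC
 reverse-route
crypto map CRYPTOMAP_OUTSIDE 65001 ipsec-isakmp dynamic CRYPTOMAP-DYNAMIC_S2S
!
! Same physical interface carries the VTI source and the crypto map
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CRYPTOMAP_OUTSIDE
ip route 10.10.0.0 255.255.0.0 Tunnel1
```

Keeping the VTI peer on its own address-specific profile, with the `match identity remote any` profile left to the dynamic map, is what stops the two sides from authenticating against each other's settings; `show crypto ikev2 sa` and `show crypto ipsec sa` will show which profile each peer landed on.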

Accepted solution:

Yeah that should work.

Hello,

The guidelines say something about VTI working only with IKEv1; curious to know if you get it to work with v2.

It did work. The connection to Azure is solid with IKEv2.

Rising star

Policy-based and route-based VPNs can coexist on the same device, and there is no specific mixed configuration needed for that to happen. I've never tried to configure both on IOS, I've always done it on ASA, but I think you can easily treat them as two separate configurations, using the same crypto map; that should work.

Enthusiast

IKEv1 is not compatible with IKEv2, so configure IKEv2 on the router and the ASA.