I'm trying to move VPN termination from a Cisco ASA 5520 to a 1921 router. The main site has a static IP; all other remote sites are dynamic. The remote sites are a mix of ASAs and IOS routers. All ASAs currently authenticate with PKI certs; I'd like to authenticate with a pre-shared key for ease.
Question 1: At the central site, can I terminate remote ASAs using legacy policy-based tunnels as well as IOS routers using VTI/DMVPN tunnels at the same time?
Question 2: If the answer to question 1 is yes, for the love of God, can someone please provide the correct mix of components needed for that? I can't find any examples anywhere of that configuration.
I keep getting auth mismatches and so many errors in debug, it's not worth posting.
Here are some pieces from the HUB IOS I have (trying to terminate a dynamic IP ASA):
crypto ikev2 proposal IKEV2-PROPOSAL_1
crypto ikev2 proposal IKEV2-PROPOSAL_2
crypto ikev2 policy IKEV2-POLICY
!
crypto ikev2 profile IKEV2-PROFILE_S2S_DYNAMIC
 description ** Allows dynamic tunnels **
 match identity remote any
 authentication remote pre-share key XXX
 authentication local pre-share key XXX
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set TRANSFORMSET-IPSEC_S2S-DYNAMIC esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CRYPTOMAP-DYNAMIC_S2S 1
 description ** CANDIAMANTICS DYNAMIC TUNNELS **
 set transform-set TRANSFORMSET-IPSEC_S2S-DYNAMIC
 set pfs group24
 set ikev2-profile IKEV2-PROFILE_S2S_DYNAMIC
!
crypto map CRYPTOMAP_OUTSITE 65001 ipsec-isakmp dynamic CRYPTOMAP-DYNAMIC_S2S
(crypto map added to interface)
Anyone done this before?
Below are some excerpts from the guidelines linked below:
• VTI and crypto map configurations can co-exist on the same physical interface, provided the peer address configured in the crypto map and the tunnel destination for the VTI are different
Guidelines for Virtual Tunnel Interfaces
Question #1 answered by both replies, thanks guys.
"• VTI and crypto map configurations can co-exist on the same physical interface, provided the peer address configured in the crypto map and the tunnel destination for the VTI are different"
By this, you mean something like:
interface Tunnel1 <--- create VTI like usual
 tunnel source gi 0/0 <-- link it to physical like usual
lots of other stuff... like IKEv2 proposal and IPsec profile, etc.
crypto dynamic-map NAME ... <---- create the dynamic map
crypto map NAME ... dynamic NAME <----- link dynamic map in crypto map
interface gi 0/0
 standard interface stuff
 crypto map NAME <--- link crypto map to same physical interface as tunnel source interface above?
I'll try to post the actual config if this is correct.
I need a (static route/ACL) VTI to Azure, a DMVPN interface with (EIGRP), and a dynamic (policy based) VPN for the ASA, all in the same 1921. It's like an omelet with every topping.
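As a worked version of the layout sketched above (an added example written for this thread, not the original poster's config and not taken from Cisco's guidelines): one 1921-style hub with a static IKEv2 VTI, an mGRE DMVPN tunnel running EIGRP, and a dynamic crypto map for the policy-based ASA, all sourced from and applied to GigabitEthernet0/0. Every address, pre-shared key, tunnel number and name not already in the thread (203.0.113.10, 198.51.100.2, the 10.x ranges, EXAMPLE-* keys, IKEV2-PROFILE_AZURE, IPSEC-PROFILE_*) is a placeholder. The static peer gets its own IKEv2 profile matched on its fixed address; everything with a dynamic address shares one profile that matches any identity, since only one profile can own the "any" match.

```ios
! ---- IKEv2 (shared by all three tunnel types) ----
crypto ikev2 proposal IKEV2-PROPOSAL_1
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL_1
!
! Profile for the static VTI peer (Azure), matched on its fixed address (placeholder).
crypto ikev2 profile IKEV2-PROFILE_AZURE
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share key EXAMPLE-AZURE-PSK
 authentication local pre-share key EXAMPLE-AZURE-PSK
!
! Profile for dynamic-address peers (DMVPN spokes and the ASA): matches any identity.
! Only one profile may match "any", which is why the static peer has its own profile.
crypto ikev2 profile IKEV2-PROFILE_S2S_DYNAMIC
 match identity remote any
 authentication remote pre-share key EXAMPLE-DYNAMIC-PSK
 authentication local pre-share key EXAMPLE-DYNAMIC-PSK
!
! ---- IPsec ----
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE_AZURE
 set transform-set TS-AES256-SHA
 set ikev2-profile IKEV2-PROFILE_AZURE
!
crypto ipsec profile IPSEC-PROFILE_DMVPN
 set transform-set TS-AES256-SHA
 set ikev2-profile IKEV2-PROFILE_S2S_DYNAMIC
!
! Dynamic crypto map for the policy-based ASA. It has no fixed peer and no match ACL,
! so it does not clash with the VTI's fixed destination and accepts the traffic
! selectors the ASA proposes; reverse-route injects routes for the ASA's networks.
crypto dynamic-map CRYPTOMAP-DYNAMIC_S2S 1
 set transform-set TS-AES256-SHA
 set pfs group14
 set ikev2-profile IKEV2-PROFILE_S2S_DYNAMIC
 reverse-route
!
crypto map CRYPTOMAP_OUTSIDE 65001 ipsec-isakmp dynamic CRYPTOMAP-DYNAMIC_S2S
!
! ---- Tunnel interfaces, both sourced from the same physical interface ----
interface Tunnel1
 description Static VTI to Azure (destination is a placeholder)
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-PROFILE_AZURE
!
interface Tunnel2
 description DMVPN hub (mGRE); spokes register over NHRP
 ip address 10.255.2.1 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 100
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile IPSEC-PROFILE_DMVPN
!
! ---- Physical interface: tunnel source for both tunnels and holder of the crypto map ----
interface GigabitEthernet0/0
 description Internet (address is a placeholder)
 ip address 198.51.100.2 255.255.255.248
 crypto map CRYPTOMAP_OUTSIDE
!
! Routing: static route to Azure via the VTI, EIGRP over the DMVPN cloud.
ip route 10.20.0.0 255.255.0.0 Tunnel1
router eigrp 100
 network 10.255.2.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
```

After each peer comes up, `show crypto ikev2 sa` should list which IKEv2 profile each peer landed in, and `show crypto session` shows the VTI and DMVPN sessions as tunnel-interface sessions while the ASA appears as a crypto-map session on GigabitEthernet0/0. A peer matching the wrong profile (and therefore the wrong pre-shared key) is the usual source of the auth mismatches mentioned earlier in the thread, so that is the first thing to check.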
Policy- and route-based VPNs can coexist on the same device, and there is no specific mix configuration for that to happen. I've never tried to configure both on IOS, I've always done it on ASA, but I think you can easily treat them as two separate configurations, using the same crypto map; that should work.