
FMC Dynamic VPN configuration and some Cisco Funk?


Setting up some 3rd party devices for my Fire and Rescue trucks that will VPN back to our FPR-2110.


I can blatantly see what's going on with the IKEv2 platform and protocol debugs on.  It's selecting the wrong dynamic map!

IKEv2-PLAT-4: (32): Crypto Map: match on dynamic map CSM_TW-OUTSIDE_map_dynamic seq 1


Should be sequence 3?  I sure as hell didn't create sequence 1!  Here's the config


This is the output of the running crypto map configuration

crypto ipsec ikev2 ipsec-proposal CSM_TS2_1
protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal CSM_IP_2
protocol esp encryption aes-256 aes
protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 1 set ikev2 ipsec-proposal CSM_TS2_1
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 1 set reverse-route
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 3 match address CSM_IPSEC_ACL_1
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 3 set pfs group5
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 3 set ikev2 ipsec-proposal CSM_IP_2
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 3 set reverse-route
crypto map CSM_TW-OUTSIDE_map 30000 ipsec-isakmp dynamic CSM_TW-OUTSIDE_map_dynamic
crypto map CSM_TW-OUTSIDE_map interface TW-OUTSIDE


So running 6.4.0.7 on both my FCM and the FPR.


Looking at a bone stock device and I see the same dynamic-map config on it with seq 1?  What the heck am I doing wrong?  How do I get rid of seq 1?  Tried a flex config and that worked, but there has got to be a better way to do this?

TAC's even scratching their heads!


Help, thanks all! 


Comments

TAC and I figured it out: I had remote access VPN configured with IPsec-IKEv2 checked, and that was generating the mystery dynamic map.
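As an added illustration (not code from the thread or from Cisco), the script below parses the `crypto dynamic-map` lines quoted in the question and flags the situation the debug line shows: a dynamic-map entry with no `match address` (the catch-all seq 1 that the RA VPN IPsec-IKEv2 option generated) sitting at a lower sequence number than the site-to-site entry that does carry an ACL. The sample config is the running-config excerpt from the post, embedded inline; the function names are the script's own.

```python
import re

# Constructed sample: the dynamic-map lines from the running config quoted in the post.
SAMPLE_CONFIG = """
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 1 set ikev2 ipsec-proposal CSM_TS2_1
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 1 set reverse-route
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 3 match address CSM_IPSEC_ACL_1
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 3 set pfs group5
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 3 set ikev2 ipsec-proposal CSM_IP_2
crypto dynamic-map CSM_TW-OUTSIDE_map_dynamic 3 set reverse-route
crypto map CSM_TW-OUTSIDE_map 30000 ipsec-isakmp dynamic CSM_TW-OUTSIDE_map_dynamic
"""

# <map name> <seq> then either "match address <acl>" or "set <keyword> [args]"
LINE_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) (match address|set \S+)(?: (.*))?$")


def parse_dynamic_maps(config):
    """Group 'crypto dynamic-map' lines by map name and sequence number."""
    maps = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # static 'crypto map' lines and anything else are ignored
        name, seq, kind, rest = m.groups()
        entry = maps.setdefault(name, {}).setdefault(int(seq), {"match": None, "set": {}})
        if kind == "match address":
            entry["match"] = rest
        else:
            entry["set"][kind.split()[1]] = rest or ""
    return maps


def find_shadowing(maps):
    """Report catch-all entries (no 'match address') that precede entries with an ACL.

    Dynamic-map entries are tried in ascending sequence order, so a lower-numbered
    entry with no match statement is selected before the ACL-bound entry behind it.
    Returns a list of (map name, catch-all seq, [shadowed seqs]).
    """
    findings = []
    for name, entries in maps.items():
        seqs = sorted(entries)
        for seq in seqs:
            if entries[seq]["match"] is None:
                shadowed = [s for s in seqs if s > seq and entries[s]["match"]]
                if shadowed:
                    findings.append((name, seq, shadowed))
    return findings


if __name__ == "__main__":
    for name, seq, shadowed in find_shadowing(parse_dynamic_maps(SAMPLE_CONFIG)):
        print(f"{name}: seq {seq} has no match address and shadows seq {shadowed}")
```

Running it on the excerpt reports that seq 1 shadows seq 3, which is the same selection the `IKEv2-PLAT-4` debug line records.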