Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1013
Views
0
Helpful
7
Replies

Dynamic crypto maps - ASA5500

Go to solution
Rafael Jimenez
Level 4
Level 4

‎09-24-2018 09:39 AM

Hello experts,

I need to know how use crypto dynamic-map with only ikev1 in a site to site vpn with two ASA5500.

Thanks.

RJB

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Rafael Jimenez

‎09-24-2018 12:46 PM

Hi,

I don't believe you can load balance over 2 crypto maps, you can with VTI. With a crypto map you can configure active/standby to define 2 peers in the crypto map and use ip sla/tracking to failover to the secondary ISP connection if the primary fails. Example here.

 

HTH

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Rob Ingram
VIP
VIP

‎09-24-2018 10:42 AM

Hi,

Here are a few examples:-

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html

https://www.youtube.com/watch?v=jN0XM_YO0mE

 

Or is there something in particular you need help with regarding the configuration?

0 Helpful

Go to solution
Rafael Jimenez
Level 4
Level 4
In response to Rob Ingram

‎09-24-2018 12:20 PM

Thanks RJI,

 

Well I just created an previous post, but I dont know why was clasified as spam. I'm trying to see if dynamic crypto map solve my issue.
I have one hub with two spokes working fine since long time ago. Now I got a second ISP for one of the spoke (BR1). The hub continues with only one ISP.
After setup the second tunnel (site2site vpn) I got both tunnels up. Both tunnels pass the PHASE 1 and PHASE 2 proccess but only the old tunnel pass encapsulated and encrypted traffic, the new one does not. I discover that only one crypto map works at the time.
That is I think the dynamic crypto map may work.
But I need the IKE1 because in a near future I will replace one of the spoke with a Meraki MX.

 

RJB.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Rafael Jimenez

‎09-24-2018 12:46 PM

Hi,

I don't believe you can load balance over 2 crypto maps, you can with VTI. With a crypto map you can configure active/standby to define 2 peers in the crypto map and use ip sla/tracking to failover to the secondary ISP connection if the primary fails. Example here.

 

HTH

0 Helpful

Go to solution
Rafael Jimenez
Level 4
Level 4
In response to Rob Ingram

‎09-24-2018 01:05 PM

It really is not for load balancing. I want is a backup when at BR fails the main link.

I not sure if I had to use sla and track.

RJB

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Rafael Jimenez

‎09-24-2018 01:10 PM

That's fine, then that example should help
0 Helpful

Go to solution
Rafael Jimenez
Level 4
Level 4
In response to Rob Ingram

‎09-24-2018 01:59 PM

looks good. I will do some test... thanks.

RJB.

0 Helpful

Go to solution
Rafael Jimenez
Level 4
Level 4
In response to Rob Ingram

‎09-25-2018 12:08 PM

Hello RJI,

I solve the issue changing the preferred peer behaviour just adding the second ip to the peer list.

!

crypto map VPN 1 match address VPN-HQ-TO-BR1

crypto map VPN 1 set peer 203.7.113.2 198.55.100.2

crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA

crypto map VPN interface outside (same interface for both)

..

..

your post was helpful, thanks..

0 Helpful
Customers Also Viewed These Support Documents