09-24-2018 09:39 AM
Hello experts,
I need to know how to use crypto dynamic-map with only ikev1 in a site to site vpn with two ASA5500s.
Thanks.
RJB
09-24-2018 10:42 AM
Hi,
Here are a few examples:
https://www.youtube.com/watch?v=jN0XM_YO0mE
Or is there something in particular you need help with regarding the configuration?
09-24-2018 12:20 PM
Thanks RJI,
Well, I just created a previous post, but I don't know why it was classified as spam. I'm trying to see if a dynamic crypto map solves my issue.
I have had one hub with two spokes working fine for a long time. Now I got a second ISP for one of the spokes (BR1). The hub continues with only one ISP.
After setting up the second tunnel (site2site vpn) I got both tunnels up. Both tunnels pass the PHASE 1 and PHASE 2 process, but only the old tunnel passes encapsulated and encrypted traffic; the new one does not. I discovered that only one crypto map works at a time.
That is why I think the dynamic crypto map may work.
But I need IKEv1 because in the near future I will replace one of the spokes with a Meraki MX.
RJB.
09-24-2018 12:46 PM
Hi,
I don't believe you can load balance over 2 crypto maps; you can with VTI. With a crypto map you can configure active/standby to define 2 peers in the crypto map and use ip sla/tracking to fail over to the secondary ISP connection if the primary fails. Example here.
HTH
09-24-2018 01:05 PM
It really is not for load balancing. What I want is a backup for when the main link at BR fails.
I'm not sure if I have to use sla and track.
RJB
09-24-2018 01:10 PM
09-24-2018 01:59 PM
Looks good. I will do some tests... thanks.
RJB.
09-25-2018 12:08 PM
Hello RJI,
I solved the issue by changing the preferred peer behaviour, just adding the second IP to the peer list.
!
crypto map VPN 1 match address VPN-HQ-TO-BR1
crypto map VPN 1 set peer 203.7.113.2 198.55.100.2
crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN interface outside
! (same interface for both)
..
..
Your post was helpful, thanks.
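
The active/standby arrangement discussed in this thread, written out for both ends as an added example that is not from any of the posters. The hub lines reuse the crypto map posted above; the spoke interface name `backup`, the ACL name `VPN-BR1-TO-HQ`, the ISP gateway addresses, the hub address 203.0.113.10 and the key placeholder are assumptions made for illustration.

```cisco
! ----- BR1 (spoke, two ISPs) - constructed addresses -----
! Assumed: ISP1 gateway 192.0.2.1 on "outside", ISP2 gateway 198.51.100.1
! on "backup", hub public address 203.0.113.10.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! The primary default route is withdrawn when the probe fails;
! the floating route (distance 254) then takes over.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN 1 match address VPN-BR1-TO-HQ
crypto map VPN 1 set peer 203.0.113.10
crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA
! Same map on both ISP-facing interfaces, IKEv1 enabled on both.
crypto map VPN interface outside
crypto map VPN interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
!
! ----- HQ (hub, one ISP) -----
! Peers are tried in the order listed: primary first, then backup.
crypto map VPN 1 match address VPN-HQ-TO-BR1
crypto map VPN 1 set peer 203.7.113.2 198.55.100.2
crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN interface outside
! One tunnel-group per BR1 public address, so either source is accepted.
tunnel-group 203.7.113.2 type ipsec-l2l
tunnel-group 203.7.113.2 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
tunnel-group 198.55.100.2 type ipsec-l2l
tunnel-group 198.55.100.2 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
```

The interesting-traffic ACLs, the IKEv1 policy and NAT exemption for both spoke interfaces are omitted and must match on each side.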