I have working configs for both a Cisco IPSec remote access VPN + L2TP-IPSec remote access VPN, however I can only get one to work at a time (depending on whatever dynamic map has a lower sequence number defined in my crypto map).
I get Phase 2 errors either way (when Cisco IPSec works L2TP clients fail w/ Phase 2 errors and vice versa).
Is there a way to accommodate both remote access VPN types at the same time?
ASA Version 9.2(1)
crypto ipsec ikev1 transform-set home esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map home_dyn_map 10 set ikev1 transform-set home
crypto dynamic-map home_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map home_dyn_map 10 set reverse-route
crypto dynamic-map home-l2tp_dyn_map 10 set ikev1 transform-set home-l2tp
crypto map home_map 10 ipsec-isakmp dynamic home_dyn_map
crypto map home_map 20 ipsec-isakmp dynamic home-l2tp_dyn_map
crypto map home_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
group-policy home internal
group-policy home attributes
dns-server value 192.168.10.2
vpn-tunnel-protocol ikev1
group-policy home-l2tp internal
group-policy home-l2tp attributes
dns-server value 192.168.10.2
vpn-tunnel-protocol l2tp-ipsec
tunnel-group home type remote-access
tunnel-group home general-attributes
address-pool vpnpool
default-group-policy home
tunnel-group home ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group home-l2tp type remote-access
tunnel-group home-l2tp general-attributes
address-pool vpnpool
default-group-policy home-l2tp
tunnel-group home-l2tp ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group home-l2tp ppp-attributes
authentication ms-chap-v2
Currently the Cisco IPSec VPN is working but if I lower the sequence number and change:
crypto map home_map 20 ipsec-isakmp dynamic home-l2tp_dyn_map
to
crypto map home_map 5 ipsec-isakmp dynamic home-l2tp_dyn_map
the L2TP VPN will work instead (then Cisco IPSec clients will fail w/ Phase 2 errors).
Any advice on how to accommodate both remote access VPN types at the same time?
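An added example, not part of the original post: one way to serve both client types from a single dynamic crypto map entry is to list both transform sets on that entry, so the ASA can offer the tunnel-mode set to Cisco IPsec clients and the transport-mode set to L2TP/IPsec clients during Phase 2. The names and sequence numbers are taken from the post; the approach itself is an assumption the post does not confirm.

```cisco
! Added example (not from the post): both transform sets on one dynamic-map entry.
! Before: two dynamic-map entries bound to home_map (seq 10 and 20). A dynamic
! entry matches any peer, so only the lowest sequence number is ever consulted
! and whichever client type needs the other entry fails Phase 2.
!   crypto map home_map 10 ipsec-isakmp dynamic home_dyn_map
!   crypto map home_map 20 ipsec-isakmp dynamic home-l2tp_dyn_map
!
! After: one dynamic-map entry carrying both a tunnel-mode and a transport-mode
! transform set; the ASA accepts whichever one the connecting client proposes.
crypto ipsec ikev1 transform-set home esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set home-l2tp mode transport
!
crypto dynamic-map home_dyn_map 10 set ikev1 transform-set home home-l2tp
crypto dynamic-map home_dyn_map 10 set security-association lifetime seconds 288000
! reverse-route now applies to L2TP clients as well; drop it if not needed for them.
crypto dynamic-map home_dyn_map 10 set reverse-route
!
! Bind only the merged entry to the crypto map on the outside interface.
no crypto map home_map 20 ipsec-isakmp dynamic home-l2tp_dyn_map
crypto map home_map 10 ipsec-isakmp dynamic home_dyn_map
crypto map home_map interface outside
```

After a client of each type connects, `show crypto ipsec sa` should show a tunnel-mode SA for the Cisco IPsec client and a transport-mode SA for the L2TP/IPsec client.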