05-08-2019 10:09 PM
Hi there!
Currently I have a tunnel IPSec between Router 899/887 and ASA 5545, it's works, but I need create a second tunnel on the same link with different traffic, and differents security parameters.
Can I have two crypto maps in the same outside ASA interface?
05-08-2019 10:41 PM
Yes each tunnel can have its on encruption and authentication parameters even if its on the same outside interface
05-09-2019 08:33 AM - edited 05-09-2019 08:42 AM
How can do that?
Because I have this configuration on the ASA:
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set myset esp-3des esp-sha-hmac
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
crypto dynamic-map mymap 1 set ikev1 transform-set myset
crypto dynamic-map mymap 1 set reverse-route
crypto map dyn-map 5 match address outside_cryptomap
crypto map dyn-map 10 ipsec-isakmp dynamic mymapcrypto map dyn-map interface outside
crypto ikev1 enable outside
My doubt is, I must create two crypto dynamic or two crypto map on the outside interface? I mean,for create other policy and others encryption parameters.
05-09-2019 11:38 AM
Hi,
You would use sequence numbers on the crypto map to distinguish between the different peers, you can then reference the different Transform Set. E.g:-
crypto map CRYPTO-MAP 1 match address R1_VPN
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM-1
crypto map CRYPTO-MAP 2 match address R2_VPN
crypto map CRYPTO-MAP 2 set peer 2.2.2.1
crypto map CRYPTO-MAP 2 set ikev1 transform-set VPN-TRANSFORM-2
HTH
05-09-2019 03:22 PM
But my crypto map must be dynamic, because my other side has with many devices, I mean, my crypto map must done the tunnel only with the key. Can I do one crypto map dynamic with secuencial ID?
I mean, Can I do this? on the same link and the same outside asa interface?
This for the first condition.---------
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set myset1 esp-3des esp-sha-hmac
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key password1
crypto dynamic-map mymap 1 set ikev1 transform-set myset1
crypto dynamic-map mymap 1 set reverse-route
crypto map dyn-map 1 match address outside_acl1
crypto map dyn-map 1 ipsec-isakmp dynamic mymap
crypto map dyn-map interface outside
This for the second condition.---------
crypto ikev1 policy 20
authentication pre-share
encryption des
hash sha
group 2
lifetime 1400
crypto ipsec ikev1 transform-set myset2 esp-des esp-sha-hmac
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key password2
crypto dynamic-map mymap 2 set ikev1 transform-set myset2
crypto dynamic-map mymap 2 set reverse-route
crypto map dyn-map 2 match address outside_acl2
crypto map dyn-map 2 ipsec-isakmp dynamic mymap
crypto map dyn-map interface outside
Regards!
05-10-2019 12:00 PM
Hi,
You can define multiple transform sets under a crypto map, the remote peer intiating the VPN tunnel will negotiate.
crypto ipsec ikev1 transform-set myset1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset2 esp-des esp-sha-hmac
crypto dynamic-map mymap 1 set ikev1 transform-set myset1 myset2
Define a tunnel-group for each peer IP address
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key password1
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key password2
You can only have one crypto map attached to an interface.
HTH
05-10-2019 12:47 PM
Hi RJI,
But in my case I have 598 peers, I mean, 598 Routers connect to outside ASA interface, So, isn't there way to create a crypto dynamic-map in ASA for connect to my many peers? I mean, for not l put 598 times the router peers.
Regards!
05-10-2019 01:04 PM
05-10-2019 04:57 PM
Currently I have this configuration :
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
With this configuration Can I have success?
05-11-2019 01:07 AM
05-11-2019 09:50 AM
For your example:
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key password1
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key password2
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key password1
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key password2
How can difference my keys if I don't set my peers because I will put DefaultL2LGroup on my configuration for the reason that I have dynamic peers?
05-11-2019 10:23 AM
05-11-2019 11:04 AM
This is my topology.
In my topology 598 routers comunicating with the same ASA, and I have "DefaultL2LGroup" on the ASA for two reasons.
1.- Because I have many peers.
2.- Because the IP isn't static.
(This tunnel IPSec already works). So, in the LAN of the all routers only exist one VLAN, I mean all traffic belong to one VLAN (VLAN2), now I try to divide this traffic in two VLANs (VLAN2) and (VLAN3), but I need to create one tunnel for each vlan, I mean create others security parameters for the "new tunnel" for the VLAN3.
But it must has conditions:
1.-I must use the same link
2.-I must use the same interfaces (Router and ASA).
Now, How can to that? for each tunnel create different security parameters and different keys?
Regards!
05-11-2019 11:25 AM
05-11-2019 11:56 AM
Because for company standard, new traffic it must be in other tunnel ipsec, but they want use the same link and the same interfaces, so it's impossible do that?
I was thinking if I create new statement in the same ACL for this new VLAN also it could works?
When I'll check the configuration with this command I'll see two local-remote for each vlan?
Router#show crypto ipsec sa peer 172.16.1.1
interface: GigabitEthernet0/0
Crypto map tag: outside_map, local addr 172.17.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)---------------VLAN 2
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)---------------VLAN 2
current_peer 172.16.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2024, #pkts encrypt: 2024, #pkts digest: 2024
#pkts decaps: 2015, #pkts decrypt: 2015, #pkts verify: 2015
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 26, #recv errors 0
In conclusion I cannot create two security parameters for my case? Because ASA not support it? If I would want to do that I need use new interfaces on the ASA and Router?
Regards!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: