Dynamic Site to Site VPN Tunnel

pprinz001
Beginner

I have spent the last 2 days trying to configure a dynamic site-to-site VPN tunnel from a Cisco 5510 to a Cisco SA540. The 540 is on a dynamic provider that cannot be changed. It has a dyndns account.

I have been lucky that the other 10 sites are all static and the wizard through ASDM is creating these tunnels without problems.

What I am trying to do is:

Is this possible to do via ASDM?

If not, can someone please help out with the commands in detail.

Regards,

PP

Accepted Solution

elialope
Beginner

Hello Paul,

This is possible through ASDM but you will need to use some advanced settings:

Configuration > Site-to-Site VPN > Advanced > Tunnel Groups

There edit the group called "DefaultL2LGroup" and add the pre-shared key from the SA540 (note: all your sites with dynamic IP addresses will need to have the same pre-shared key; if you have IPsec VPN clients, it will be a good idea to use a different key).

Click OK and then Apply.

Then go to Configuration > Site-to-Site VPN > Advanced > Crypto Maps and add a new dynamic entry.

Make sure that you match the phase 2 settings that are on your SA540 (pictured ESP-AES-128-SHA), select dynamic policy, and make it the last sequence number (65535), then OK, Apply.

Then go to Configuration > Site-to-Site VPN > Advanced > IKE Policies and make sure that you have matching phase 1 policies.

If no matching policies are found, add them.

Through CLI:

      ! Phase 1 (IKEv1) policy - must match the SA540's phase 1 settings
      crypto ikev1 policy 1
        authentication pre-shared
        encryption aes
        hash sha
        group 2
      ! Dynamic crypto map (no fixed peer address); ESP-AES-128-SHA is the
      ! transform set that matches the SA540's phase 2 settings
      crypto dynamic-map outside_dyn_map 65535 set ikev1 transform-set ESP-AES-128-SHA
      ! MAP is the name of the crypto map already applied to the outside
      ! interface; 65535 keeps the dynamic entry last, after the static peers
      crypto map MAP 65535 ipsec-isakmp dynamic outside_dyn_map
      ! Key shared by every dynamic-IP L2L peer
      tunnel-group DefaultL2LGroup ipsec-attributes
        ikev1 pre-shared-key **********

Hope this helps.
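The accepted answer lists only the commands that differ from a static tunnel. Below is an added, complete hub-side configuration in ASA 8.4+ syntax (it is example text written for this page, not the poster's configuration or Cisco documentation). The interface names, the crypto map name outside_map, the object names and the LAN subnets are assumptions, and the pre-shared key is a placeholder. Two points the thread only implies: the ASA cannot initiate toward a peer whose address it does not know, so the SA540 must always bring the tunnel up; and because DefaultL2LGroup has no peer address, any host presenting the key can complete phase 1, so the key should be long and random and distinct from the remote-access key in DefaultRAGroup.

```text
! Added example: hub-side dynamic L2L configuration for a Cisco ASA (8.4+ syntax).
! Assumptions: interfaces "outside"/"inside", existing crypto map "outside_map",
! hub LAN 10.1.0.0/16, SA540 LAN 192.168.50.0/24, placeholder key <PSK-PLACEHOLDER>.
!
! Phase 1 (IKEv1) policy - AES-128 / SHA-1 / DH group 2, matching the SA540
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-shared
 encryption aes
 hash sha
 group 2
 lifetime 86400
! Optional hardening: refuse aggressive mode (which exposes a PSK hash on the
! wire). Use only if the SA540 is set to negotiate main mode.
crypto ikev1 am-disable
!
! Phase 2 proposal referenced by the dynamic map; must match the SA540 exactly
! (including PFS on or off on both sides)
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
! Dynamic crypto map: matches any source address, so it must be the LAST entry
! (highest sequence) so the static-peer entries are evaluated first
crypto dynamic-map outside_dyn_map 65535 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! Every dynamic-IP L2L peer authenticates against DefaultL2LGroup with this key;
! keep it different from the IPsec client key under DefaultRAGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! Identity NAT so hub-to-SA540 traffic is not translated before encryption
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
object network SA540-LAN
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static SA540-LAN SA540-LAN no-proxy-arp route-lookup
!
! Verification once the SA540 initiates:
!   show run crypto map      - confirm sequence 65535 is the last entry
!   show crypto ikev1 sa     - phase 1 SA with the SA540's current public address
!   show crypto ipsec sa     - phase 2 SAs and encrypt/decrypt counters
!   debug crypto ikev1 127   - negotiation detail if phase 1 fails
```

Because every dynamic peer lands in the same tunnel group and is distinguished only by the proxy identities it proposes in phase 2, each dynamic site needs its own non-overlapping LAN range, and a peer that proposes an unexpected range will show up in the IKEv1 debug output as a failed phase 2 rather than a failed authentication.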

