05-14-2013 09:01 AM
Forgive the almost matching repost of a question I had last week, but I wanted to be sure about something.
I now have a Sonicwall overseas that has a dynamic outside address. I'm going to configure a tunnel to my ASA which has a static address.
Obviously the Sonicwall is initiating the connection.
Just so I'm clear:
On the ASA can I configure a tunnel group to accept the *dynamic* connection from the remote Sonicwall? Or is my only option to use the DefaultL2LGroup (main mode) or DefaultRAGroup (aggressive mode)?
Thanks!
05-14-2013 09:04 AM
Hello,
Please refer to the following doc and let me know if you have any questions:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
05-14-2013 09:07 AM
Thanks for the fast response! Guess I was not searching properly, I'll have a look at this asap.
05-14-2013 12:23 PM
OK, that was a huge help and I have the tunnel up using aggressive mode. I created a "tunnel-group HOME type ipsec-l2l" and used the key identifier HOME on the Sonicwall; it negotiates and lands on my "crypto dynamic-map cisco 1", as you'll see in the following config:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 99 ipsec-isakmp dynamic cisco
crypto map Outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 4
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group HOME type ipsec-l2l
tunnel-group HOME ipsec-attributes
pre-shared-key *******
It matches my isakmp policy 5, phase 1 comes up. Phase 2 negotiates, comes up. No problem there.
What I don't seem to be able to do is create another dynamic crypto map entry now. I have dynamic-map cisco 1; shouldn't I be able to create:
crypto dynamic-map cisco 2 set transform-set ESP-3DES-SHA (based on the above transform set)?
Thanks.
05-14-2013 02:00 PM
Glad it helped you! And yes, you should be able to configure that line, but why do you want another dynamic entry?
05-14-2013 07:28 PM
Different customer encryption requirements. Not my call, I just need to get it working.
With the above config I'm looking at something along these lines:
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 2 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 2 set security-association lifetime seconds 28800
crypto dynamic-map cisco 2 set security-association lifetime kilobytes 4608000
CustomerA, with a dynamic ISP address, has a tunnel configured to use 3des and md5; it would land on their tunnel group and negotiate because of cisco 1.
CustomerB has to use 3des and sha1 for a business requirement, but still has a dynamically assigned outside address; they wouldn't be able to connect if cisco 1 were the only option.
Short of telling one customer or the other they have to change their requirements, I don't see a way around it.
05-15-2013 08:20 AM
Hi,
You can do the following:
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
Regards,
-Gustavo
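The point of the accepted answer, and of the two-sequence layout proposed in the earlier post, is which transform sets a dynamically addressed peer is offered when it lands on the dynamic crypto map. The following is an added example (not code from the thread or from Cisco) that parses the relevant lines of an ASA config excerpt, lists the proposals each dynamic-map sequence offers in order, reports which sequence a peer proposing a given algorithm pair would match, and flags dangling transform-set references or dynamic maps that no crypto map binds. The sample config is constructed from the lines quoted in the thread with the merged "set transform-set ESP-3DES-MD5 ESP-3DES-SHA" entry; matching on the transform set alone is a simplification of what the ASA actually negotiates.

```python
import re

# Constructed sample: the thread's ASA lines with the merged dynamic-map entry
# from the accepted answer (both transform sets on one line).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 99 ipsec-isakmp dynamic cisco
crypto map Outside_map interface outside
tunnel-group HOME type ipsec-l2l
tunnel-group HOME ipsec-attributes
 pre-shared-key *****
"""

TRANSFORM_SET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DYN_TS_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")
DYN_LIFETIME_RE = re.compile(
    r"^crypto dynamic-map (\S+) (\d+) set security-association lifetime (seconds|kilobytes) (\d+)$")
MAP_DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")


def parse_asa_crypto(config_text):
    """Collect transform sets, dynamic-map sequences, crypto-map bindings and
    tunnel groups from an ASA config excerpt; unrelated lines are ignored."""
    parsed = {"transform_sets": {}, "dynamic_maps": {}, "bindings": [], "tunnel_groups": {}}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := TRANSFORM_SET_RE.match(line):
            parsed["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := DYN_TS_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            entry = parsed["dynamic_maps"].setdefault(key, {"transform_sets": [], "lifetime": {}})
            entry["transform_sets"] = m.group(3).split()  # offered in this order
        elif m := DYN_LIFETIME_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            entry = parsed["dynamic_maps"].setdefault(key, {"transform_sets": [], "lifetime": {}})
            entry["lifetime"][m.group(3)] = int(m.group(4))
        elif m := MAP_DYNAMIC_RE.match(line):
            parsed["bindings"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := TUNNEL_GROUP_RE.match(line):
            parsed["tunnel_groups"][m.group(1)] = m.group(2)
    return parsed


def proposals_for(parsed, dyn_name, seq):
    """(transform-set name, algorithm list) pairs one dynamic-map sequence offers,
    in proposal order; an undefined set is reported with algorithms None."""
    entry = parsed["dynamic_maps"].get((dyn_name, seq))
    if entry is None:
        return []
    return [(name, parsed["transform_sets"].get(name)) for name in entry["transform_sets"]]


def first_matching_sequence(parsed, dyn_name, peer_algorithms):
    """Lowest sequence of the dynamic map offering exactly the peer's algorithms
    (simplified model: transform set only), or None if no sequence does."""
    wanted = list(peer_algorithms)
    for name, seq in sorted(parsed["dynamic_maps"]):
        if name != dyn_name:
            continue
        for _, algorithms in proposals_for(parsed, dyn_name, seq):
            if algorithms == wanted:
                return seq
    return None


def check_config(parsed):
    """Findings a reviewer would want: transform sets referenced but never
    defined, and dynamic maps no 'crypto map ... dynamic' line binds."""
    findings = []
    for (dyn_name, seq), entry in parsed["dynamic_maps"].items():
        for ts in entry["transform_sets"]:
            if ts not in parsed["transform_sets"]:
                findings.append(f"dynamic-map {dyn_name} {seq} references undefined transform-set {ts}")
    bound = {dyn for _, _, dyn in parsed["bindings"]}
    for dyn_name in sorted({name for name, _ in parsed["dynamic_maps"]} - bound):
        findings.append(f"dynamic-map {dyn_name} is not bound to any crypto map")
    return findings


if __name__ == "__main__":
    cfg = parse_asa_crypto(SAMPLE_CONFIG)
    print("cisco 1 offers:", proposals_for(cfg, "cisco", 1))
    print("SHA peer matches sequence:", first_matching_sequence(cfg, "cisco", ["esp-3des", "esp-sha-hmac"]))
    print("findings:", check_config(cfg))
```

Running it against the sample shows sequence 1 offering both sets, so a peer proposing esp-3des/esp-sha-hmac matches sequence 1; parse the same text with only ESP-3DES-MD5 on the dynamic-map line and the same peer matches nothing, which is the situation CustomerB would have been in. The parser also accepts the two-sequence layout from the earlier post, so either approach can be checked before it is pushed to the ASA.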
05-15-2013 08:32 AM
Oh snap! Thanks!