L2L multiple policy - Static VPN and dynamic 3G VPN (pepwave)

Joel Johnson
Level 1

Hi,

I have a Cisco 861 that needs to run two L2L tunnels, one to a Peplink 3G device and another to a Cisco ASA:


Peplink HD2 <----3G VPN Tunnel----> Cisco 861 <---VPN Tunnel----> Cisco ASA

http://www.cloud-distribution.com/_CDL/files/ipsec_guide.pdf 

using crypto keyring dynkey (aggressive mode).

I can establish the Cisco 861 to ASA VPN tunnel without a problem. But as soon as I add the 3G dynamic policy to the config for the Peplink HD2, the policies seem to clash.

crypto keyring dynkey
  pre-shared-key hostname vpn@peplink key ***************
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 2kSc89723Lkndv90K address 46.183.191.1
crypto isakmp profile dynprofile
   keyring dynkey
   self-identity user-fqdn vpn@cisco
   match identity user-fqdn vpn@peplink
   initiate mode aggressive
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec transform-set 3desset esp-3des esp-sha-hmac
!
 set security-association lifetime seconds 3600
!
!
!
crypto dynamic-map dynmap 20
 set transform-set 3desset
 set pfs group2
 set isakmp-profile dynprofile
 match address VPN-TRAFFIC
!
!
crypto map CMAP_CF 1 ipsec-isakmp
 description Tunnel to 46.183.191.1
 set peer 46.183.191.1
 set transform-set TS
 set pfs group5
 match address VPN-TRAFFIC
crypto map CMAP_CF 20 ipsec-isakmp dynamic dynmap

Is there a way to put these into separate policies/profiles, or am I doing something completely wrong? Both tunnels work okay independently.

Thanks,

Joel 

4 Replies

Santhosha Shetty
Cisco Employee

Hi Joel,

I see you have applied the same ACL, VPN-TRAFFIC, under both the static and the dynamic map:

crypto dynamic-map dynmap 20
 set transform-set 3desset
 set pfs group2
 set isakmp-profile dynprofile
 match address VPN-TRAFFIC
!
!
crypto map CMAP_CF 1 ipsec-isakmp
 description Tunnel to 46.183.191.1
 set peer 46.183.191.1
 set transform-set TS
 set pfs group5
 match address VPN-TRAFFIC
crypto map CMAP_CF 20 ipsec-isakmp dynamic dynmap

Why would you need match address for the dynamic-map?

Regards,

Shetty
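
As an added example (not code from this thread or from Cisco), a small Python check that scans IOS crypto-map configuration for the pattern Shetty points out above: a static crypto map entry and a dynamic-map attached to the same crypto map both using the same match-address ACL. The CONFIG text inside it is a constructed copy of the relevant lines from the original post.

```python
"""Added example, not code from the thread: flag crypto-map entries whose
'match address' ACL is also used by a dynamic-map attached to the same map.
CONFIG is a constructed copy of the relevant lines from the original post."""
import re

CONFIG = """\
crypto dynamic-map dynmap 20
 match address VPN-TRAFFIC
!
crypto map CMAP_CF 1 ipsec-isakmp
 match address VPN-TRAFFIC
crypto map CMAP_CF 20 ipsec-isakmp dynamic dynmap
"""

# Block heads; the optional tail is the 'crypto map X <seq> ipsec-isakmp dynamic <name>' line.
HEAD = re.compile(r"crypto (dynamic-map|map) (\S+) (\d+)(?: ipsec-isakmp(?: dynamic (\S+))?)?$")

def parse_crypto_maps(text):
    """Return acls[(kind, name, seq)] -> ACL name, refs[(map, seq)] -> dynamic-map."""
    acls, refs, current = {}, {}, None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            kind, name, seq, dyn = m.groups()
            if dyn:                      # attachment line, no sub-commands follow
                refs[(name, int(seq))] = dyn
                current = None
            else:
                current = (kind, name, int(seq))
                acls.setdefault(current, None)
            continue
        m = re.match(r" +match address (\S+)$", line)
        if m and current:
            acls[current] = m.group(1)
        elif not line.startswith(" "):   # '!' or another top-level command
            current = None
    return acls, refs

def find_acl_clashes(text):
    """Return (map, static_seq, dyn_map, dyn_seq, acl) per shared ACL (same proxy-ID)."""
    acls, refs = parse_crypto_maps(text)
    clashes = []
    for (cmap, _), dyn in refs.items():
        for (kind, name, seq), acl in acls.items():
            if kind == "dynamic-map" and name == dyn and acl:
                for (k2, n2, s2), a2 in acls.items():
                    if k2 == "map" and n2 == cmap and a2 == acl:
                        clashes.append((cmap, s2, dyn, seq, acl))
    return sorted(clashes)
```

The check compares ACL names only; it does not expand the ACL entries, so two differently named ACLs with overlapping networks would still present the same proxy-ID and go undetected.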

Hi Shetty,

I've attached a PDF with diagram to help explain. (Red traffic failover route, blue traffic normal data)

Basically, traffic from 192.168.40.xxx needs to be able to talk to devices at 10.21.1.71, travelling from the Cisco 861 to Cisco HQ via the VPN. In normal operation the satellite network passes traffic to the 861 for encryption, but when the satellite is down the Pepwave can fail over to the Cisco via 3G.

The VPN ACL for the Cisco-to-Cisco tunnel is already 192.168.40.xxx to 10.21.1.71.

So would the VPN ACL for the 3G (dynamic) tunnel to the Cisco be 192.168.40.xxx to 10.21.1.71 as well, since the intended destination is 10.21.1.71 and the source is 192.168.40.xxx?

Or would I need to route traffic differently?

And I assume the best way to do this is to use one crypto map with different priorities?

Thanks,

Hi Joel,

So if I understand right, with the static map you are trying to build a site-to-site VPN over the satellite link, and as a backup you have configured a dynamic-map to accept a dynamic connection from the Peplink 3G device over the same WAN connection?

If both tunnels are built over the same WAN interface, do note that if both peers try to build a tunnel with the router at the same time, it is going to keep only one (since both peers present the same VPN network/proxy-ID).

What exactly happens when you add the dynamic profile? Let's say you have the tunnel working fine with the ASA and you add the dynamic profile; does the tunnel with the ASA go down?

Debug logs should tell us why a tunnel is torn down.

debug crypto condition peer ipv4 <remote peer public IP> //** set the condition for the ASA and the Peplink device one by one.

Collect the following debugs:

debug cry isa

debug cry ipsec

After collecting the debugs, turn them off using "undebug all".

Thanks,

Shetty

Hi Shetty,

Your comments about the network are correct. The satellite passes traffic to the Cisco at a ground station to be encrypted to the Cisco at HQ; once the satellite is down, the 3G tunnel needs to pass traffic to the ground station Cisco for routing down the same tunnel to HQ.

So both the Pepwave and the Cisco 86X use the same ACL to access the HQ Cisco via VPN. Would that cause both peers to present the same VPN network/proxy-ID on the same WAN?

Only part of the Pepwave 3G tunnel comes up (the part that doesn't include the same addresses as in the satellite link's ACL).


Would you know of a way to get around this?

I only have access to the Cisco 86X (on IOS) and the Pepwave, so I can't run the ASA commands. I'll post what I have from the IOS ASAP, though.

Thanks!

Joel
