I've deployed L2L VPN between ASA's dynamic to static in a hub and spoke format.
Everything works great if you are on a spoke ASA and you need to go to the hub but you can not go from the hub to spoke.
I'm using ASA code version 8.4(1) ... Below is what I have so far...
HUB
crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto dynamic-map dm-dyna 65000 set ikev1 transform-set ts-dyna
crypto dynamic-map dm-dyna 65000 set reverse-route
crypto map cr-vpn 65000 ipsec-isakmp dynamic dm-dyna
crypto map cr-vpn interface outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
!
object network obj-jbrooks-l2l
subnet 10.55.55.0 255.255.255.0
!
nat (inside,any) source static ng-networks-internal ng-networks-internal destination static obj-jbrooks-l2l obj-jbrooks-l2l
SPOKE
crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto map cr-l2l 10 match address acl-ipsec-l2l
crypto map cr-l2l 10 set peer 1.1.1.1
crypto map cr-l2l 10 set ikev1 transform-set ts-dyna
crypto map cr-l2l interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l remark --- ACL for L2L VPN ---
access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l extended permit ip 10.55.55.0 255.255.255.0 object-group ng-networks-internal
!
nat (inside,any) source static obj-10.55.55.0 obj-10.55.55.0 destination static ng-networks-internal ng-networks-internal
Is there any way to apply a crypto map on the Hub side to encrypt the traffic to the spokes?
Please let me know if you need any more information.
