02-09-2011 11:28 AM
I've deployed an L2L VPN between ASAs, dynamic to static, in a hub-and-spoke format.
Everything works great if you are on a spoke ASA and need to go to the hub, but you cannot go from the hub to a spoke.
I'm using ASA code version 8.4(1) ... Below is what I have so far...
HUB
crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto dynamic-map dm-dyna 65000 set ikev1 transform-set ts-dyna
crypto dynamic-map dm-dyna 65000 set reverse-route
crypto map cr-vpn 65000 ipsec-isakmp dynamic dm-dyna
crypto map cr-vpn interface outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
!
object network obj-jbrooks-l2l
 subnet 10.55.55.0 255.255.255.0
!
nat (inside,any) source static ng-networks-internal ng-networks-internal destination static obj-jbrooks-l2l obj-jbrooks-l2l
SPOKE
crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto map cr-l2l 10 match address acl-ipsec-l2l
crypto map cr-l2l 10 set peer 1.1.1.1
crypto map cr-l2l 10 set ikev1 transform-set ts-dyna
crypto map cr-l2l interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l remark --- ACL for L2L VPN ---
access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l extended permit ip 10.55.55.0 255.255.255.0 object-group ng-networks-internal
!
nat (inside,any) source static obj-10.55.55.0 obj-10.55.55.0 destination static ng-networks-internal ng-networks-internal
Is there any way to apply a crypto map on the Hub side to encrypt the traffic to the spokes?
Please let me know if you need any more information.
Labels: VPN
Accepted Solutions
02-09-2011 05:21 PM
"Reverse route injection" only adds the route to the table when the tunnel is up.
So the crypto engine still doesn't know to which spoke IP it should establish a VPN tunnel for the related VPN traffic.
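As an added illustration of the accepted answer (this is not code from the thread), the following Python check parses the hub and spoke crypto map lines quoted in the question and reports which entry carries a static peer and match ACL, and so can initiate IKE; the hub's dynamic entry has neither, and reverse-route on it only installs the spoke route after the tunnel exists. The snippets are constructed copies of the question's config, and the function name is an assumption.

```python
import re
from collections import defaultdict

# Constructed snippets that mirror the hub and spoke crypto map lines in the question.
HUB_CONFIG = """
crypto dynamic-map dm-dyna 65000 set ikev1 transform-set ts-dyna
crypto dynamic-map dm-dyna 65000 set reverse-route
crypto map cr-vpn 65000 ipsec-isakmp dynamic dm-dyna
crypto map cr-vpn interface outside
"""
SPOKE_CONFIG = """
crypto map cr-l2l 10 match address acl-ipsec-l2l
crypto map cr-l2l 10 set peer 1.1.1.1
crypto map cr-l2l 10 set ikev1 transform-set ts-dyna
crypto map cr-l2l interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
RRI_RE = re.compile(r"^crypto dynamic-map (\S+) \d+ set reverse-route$")

def audit_crypto_map(config):
    """Return {(map_name, seq): info}. An entry can initiate IKE only if it
    carries a static 'set peer' and a 'match address' ACL; a dynamic entry
    has neither, so it can only answer a spoke that calls in first."""
    entries = defaultdict(lambda: {"peer": None, "acl": None, "dynamic": None})
    rri_maps = set()
    for line in config.strip().splitlines():
        line = line.strip()
        m = RRI_RE.match(line)
        if m:
            rri_maps.add(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if not m:  # 'crypto map X interface outside' and unrelated lines
            continue
        name, seq, rest = m.groups()
        entry = entries[(name, int(seq))]
        if rest.startswith("ipsec-isakmp dynamic "):
            entry["dynamic"] = rest.split()[-1]
        elif rest.startswith("set peer "):
            entry["peer"] = rest.split()[2]
        elif rest.startswith("match address "):
            entry["acl"] = rest.split()[2]
    for entry in entries.values():
        # RRI on a dynamic map only installs the spoke route once the tunnel is up,
        # so it never tells the crypto engine which peer to call.
        entry["rri"] = entry["dynamic"] in rri_maps
        entry["can_initiate"] = entry["peer"] is not None and entry["acl"] is not None
    return dict(entries)
```

Running it over the two snippets marks the spoke entry as an initiator and the hub entry as responder-only, even though reverse-route is set on the hub's dynamic map.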
02-09-2011 03:25 PM
In a hub-and-spoke setup, the VPN can only be initiated from the spoke side.
When the hub receives traffic which needs to go through the VPN tunnel, it does not know to which spoke it should forward the traffic.
02-09-2011 03:52 PM
Yeah, I figured that, but I have a route for it from the ASA using reverse route injection. I'm just not sure how to encrypt the traffic back to the spoke ASA.
02-09-2011 05:34 PM
I totally agree. I just wanted to see if there was some way of getting traffic from the hub ASA to the spoke ASAs.
