jan.b.brooks
Beginner

L2L VPN between ASAs, dynamic to static

I've deployed an L2L VPN between ASAs, dynamic to static, in a hub and spoke format.

Everything works great if you are on a spoke ASA and need to go to the hub, but you cannot go from the hub to a spoke.

I'm using ASA code version 8.4(1). Below is what I have so far:

HUB

crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto dynamic-map dm-dyna 65000 set ikev1 transform-set ts-dyna
crypto dynamic-map dm-dyna 65000 set reverse-route
crypto map cr-vpn 65000 ipsec-isakmp dynamic dm-dyna
crypto map cr-vpn interface outside

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****

!

object network obj-jbrooks-l2l
subnet 10.55.55.0 255.255.255.0

!

nat (inside,any) source static ng-networks-internal ng-networks-internal destination static obj-jbrooks-l2l obj-jbrooks-l2l

SPOKE

crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto map cr-l2l 10 match address acl-ipsec-l2l
crypto map cr-l2l 10 set peer 1.1.1.1
crypto map cr-l2l 10 set ikev1 transform-set ts-dyna
crypto map cr-l2l interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****

!

access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l remark ---              ACL for L2L VPN               ---
access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l extended permit ip 10.55.55.0 255.255.255.0 object-group ng-networks-internal

!
nat (inside,any) source static obj-10.55.55.0 obj-10.55.55.0 destination static ng-networks-internal ng-networks-internal

Is there any way to apply a crypto map on the Hub side to encrypt the traffic to the spokes?

Please let me know if you need any more information.


Yudong Wu
Rising star

In a hub-spoke setup, the VPN can only be initiated from the spoke side.

When the hub receives traffic which needs to go through the VPN tunnel, it does not know to which spoke it should forward the traffic.

Yeah, I figured that, but I have a route for it from the ASA using reverse route injection; I'm just not sure how to encrypt the traffic back to the spoke ASA.

"Reverse route injection" only adds the route to the table when the tunnel is up.

So the crypto engine still doesn't know to which spoke IP it should establish a VPN tunnel for the related VPN traffic.

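As an added illustration of this answer (not code from the thread or from Cisco), here is a Python check that parses the crypto map entries from the hub and spoke configs posted above and reports, per entry, whether the device can initiate IKE to a known peer or can only respond; the config strings below are constructed from the thread's own lines, with unrelated lines omitted.

```python
import re

# Constructed sample input: crypto map lines from the hub and spoke configs in this thread.
HUB_CFG = """\
crypto dynamic-map dm-dyna 65000 set ikev1 transform-set ts-dyna
crypto dynamic-map dm-dyna 65000 set reverse-route
crypto map cr-vpn 65000 ipsec-isakmp dynamic dm-dyna
crypto map cr-vpn interface outside
"""
SPOKE_CFG = """\
crypto map cr-l2l 10 match address acl-ipsec-l2l
crypto map cr-l2l 10 set peer 1.1.1.1
crypto map cr-l2l 10 set ikev1 transform-set ts-dyna
crypto map cr-l2l interface outside
"""

def parse_crypto_map_entries(cfg):
    """Collect crypto map entries keyed by (map name, sequence number)."""
    entries, rri_maps = {}, set()
    for line in cfg.splitlines():
        d = re.match(r"crypto dynamic-map (\S+) \d+ set reverse-route", line)
        if d:
            rri_maps.add(d.group(1))  # dynamic maps with RRI enabled
        m = re.match(r"crypto map (\S+) (\d+) (.+)", line)
        if not m:
            continue  # e.g. the 'crypto map ... interface outside' binding
        key = (m.group(1), int(m.group(2)))
        e = entries.setdefault(key, {"peer": None, "acl": None, "dynamic": None})
        rest = m.group(3)
        if rest.startswith("ipsec-isakmp dynamic "):
            e["dynamic"] = rest.split()[-1]
        elif rest.startswith("set peer "):
            e["peer"] = rest.split()[-1]
        elif rest.startswith("match address "):
            e["acl"] = rest.split()[-1]
    for e in entries.values():
        e["rri"] = e["dynamic"] in rri_maps
    return entries

def initiation_report(cfg):
    """Static entry with peer + ACL can initiate; a dynamic entry learns its peer only
    when the remote side connects, so it can only respond (RRI route appears after SA up)."""
    report = {}
    for (name, seq), e in parse_crypto_map_entries(cfg).items():
        if e["dynamic"]:
            role = "responder-only (dynamic, RRI after SA up)" if e["rri"] else "responder-only (dynamic)"
        elif e["peer"] and e["acl"]:
            role = f"initiator to {e['peer']} for traffic matching {e['acl']}"
        else:
            role = "incomplete (needs both 'set peer' and 'match address')"
        report[f"{name} {seq}"] = role
    return report

if __name__ == "__main__":
    for label, cfg in (("HUB", HUB_CFG), ("SPOKE", SPOKE_CFG)):
        for entry, role in initiation_report(cfg).items():
            print(f"{label}: crypto map {entry}: {role}")
```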

I totally agree. I just wanted to see if there was some way of getting traffic from the hub ASA to the spoke ASAs.