02-09-2011 11:28 AM
I've deployed an L2L VPN between ASAs, dynamic to static, in a hub-and-spoke format.
Everything works great if you are on a spoke ASA and need to go to the hub, but you cannot go from the hub to a spoke.
I'm using ASA code version 8.4(1). Below is what I have so far...
HUB
crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto dynamic-map dm-dyna 65000 set ikev1 transform-set ts-dyna
crypto dynamic-map dm-dyna 65000 set reverse-route
crypto map cr-vpn 65000 ipsec-isakmp dynamic dm-dyna
crypto map cr-vpn interface outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
!
object network obj-jbrooks-l2l
subnet 10.55.55.0 255.255.255.0
!
nat (inside,any) source static ng-networks-internal ng-networks-internal destination static obj-jbrooks-l2l obj-jbrooks-l2l
SPOKE
crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac
crypto map cr-l2l 10 match address acl-ipsec-l2l
crypto map cr-l2l 10 set peer 1.1.1.1
crypto map cr-l2l 10 set ikev1 transform-set ts-dyna
crypto map cr-l2l interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l remark --- ACL for L2L VPN ---
access-list acl-ipsec-l2l remark ------------------------------------------------------------
access-list acl-ipsec-l2l extended permit ip 10.55.55.0 255.255.255.0 object-group ng-networks-internal
!
nat (inside,any) source static obj-10.55.55.0 obj-10.55.55.0 destination static ng-networks-internal ng-networks-internal
Is there any way to apply a crypto map on the Hub side to encrypt the traffic to the spokes?
Please let me know if you need any more information.
Solved!
02-09-2011 05:21 PM
"Reverse route injection" only adds the route to the table when the tunnel is up.
So the crypto engine still doesn't know to which spoke IP it should establish a VPN tunnel for the related VPN traffic.
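Added example, not code from the thread or from Cisco: a small Python checker that reads crypto map lines pasted as text and classifies each entry as initiator-capable (static entry with `set peer`) or responder-only (`ipsec-isakmp dynamic`, where the peer is unknown until a spoke connects), which is the distinction behind both replies. The sample input is the hub and spoke crypto map lines from the original post; the parser and function names are my own.

```python
import re
from collections import defaultdict

# Crypto map lines as posted in the thread (sample input, copied from the post).
HUB_CONFIG = """
crypto dynamic-map dm-dyna 65000 set ikev1 transform-set ts-dyna
crypto dynamic-map dm-dyna 65000 set reverse-route
crypto map cr-vpn 65000 ipsec-isakmp dynamic dm-dyna
crypto map cr-vpn interface outside
"""

SPOKE_CONFIG = """
crypto map cr-l2l 10 match address acl-ipsec-l2l
crypto map cr-l2l 10 set peer 1.1.1.1
crypto map cr-l2l 10 set ikev1 transform-set ts-dyna
crypto map cr-l2l interface outside
"""

MAP_LINE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
DYN_LINE = re.compile(r"^crypto dynamic-map (\S+) (\d+) (.*)$")

def parse_crypto_maps(config):
    """Return {(map_name, seq): entry}; entry records configured peers, the crypto ACL,
    the referenced dynamic map (if any) and whether that dynamic map sets reverse-route."""
    entries = defaultdict(lambda: {"peers": [], "acl": None, "dynamic_map": None, "rri": False})
    dyn_rri = set()  # dynamic maps that have 'set reverse-route'
    for raw in config.splitlines():
        line = raw.strip()
        m = DYN_LINE.match(line)
        if m and m.group(3) == "set reverse-route":
            dyn_rri.add(m.group(1))
            continue
        m = MAP_LINE.match(line)
        if not m:
            continue  # 'interface' bindings and non crypto-map lines are skipped
        entry = entries[(m.group(1), int(m.group(2)))]
        rest = m.group(3).split()
        if rest[:2] == ["set", "peer"]:
            entry["peers"].extend(rest[2:])
        elif rest[:2] == ["match", "address"]:
            entry["acl"] = rest[2]
        elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic_map"] = rest[2]
    for entry in entries.values():
        entry["rri"] = entry["dynamic_map"] in dyn_rri
    return dict(entries)

def can_initiate(entry):
    """A static entry with a configured peer can start IKE toward that peer; a dynamic-map
    entry learns the peer only when a spoke connects, so it can only respond."""
    return entry["dynamic_map"] is None and bool(entry["peers"])
```

Run `parse_crypto_maps` on the hub text and `can_initiate` returns False for `cr-vpn 65000` (with `rri` True, matching the reply that the RRI route exists only while the SA is up), while the spoke's `cr-l2l 10` with peer 1.1.1.1 returns True.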
02-09-2011 03:25 PM
In a hub-and-spoke setup, the VPN can only be initiated from the spoke side.
When the hub receives traffic which needs to go through the VPN tunnel, it does not know to which spoke it should forward the traffic.
02-09-2011 03:52 PM
Yeah, I figured that, but I have a route for it from the ASA using reverse route injection; I'm just not sure how to encrypt the traffic back to the spoke ASA.
02-09-2011 05:34 PM
I totally agree. I just wanted to see if there was some way of getting traffic from the hub ASA to the spoke ASAs.