L2L VPN, question on seq numbers, dynamic/static map

kbyrd
Level 2

My customer has a remote ASA5505 with a static crypto map that needs to set up an IPSEC tunnel with a central ASA5505 that is configured with dynamic maps. The central ASA5505 already has a L2L with an IOS router from "Hondo", will soon have one from Canada, and I'm working on a set of ASA5505 for telecommuters.

Please refer to the following configuration snip from the central ASA5505:

crypto dynamic-map Hondo-dynmap 1 match address Hondo-remote-ACL
crypto dynamic-map Hondo-dynmap 1 set transform-set Hondo-router-set
crypto dynamic-map Hondo-dynmap 1 set reverse-route
crypto dynamic-map Hondo-dynmap 21 set pfs group1
crypto dynamic-map Hondo-dynmap 21 set transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map Canada-dynmap 1 match address Canada-remote-ACL
crypto dynamic-map Canada-dynmap 1 set transform-set Canada-router-set
crypto dynamic-map Canada-dynmap 1 set reverse-route
crypto dynamic-map L2L-dynmap 1 match address L2L-remote-ACL
crypto dynamic-map L2L-dynmap 1 set transform-set L2L-router-set
crypto dynamic-map L2L-dynmap 1 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic Hondo-dynmap
crypto map outside_map 20 ipsec-isakmp dynamic Canada-dynmap
crypto map outside_map 30 ipsec-isakmp dynamic L2L-dynmap
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

I'm trying to set this configuration up so the customer can easily replicate my settings for additional telecommuters or additional remote sites like Hondo and Canada.

What is happening is that I get a successful Phase 1, and then Phase 2 ends with "No SPI to identify Phase 2 SA!". I realize this means my Crypto-map ACLs are not matching.

Remember, Hondo is working. I know the telecommuter ASA5505 matches the L2L-remote-ACL above in the dynamic-map L2L-dynmap. I was thinking that bringing together the dynamic-maps with the 10, 20, 30 sequence numbers in the "crypto map outside_map" and then applying it to the "crypto map outside_map interface outside" would be the correct approach, but it looks like the logic is not falling through the sequence numbers on the "crypto map outside_map".

My workaround was to combine the L2L-remote-ACL with the Hondo-remote-ACL...and that works.

My next attempt was to structure the dynamic-map with additional sequence numbers like this:

crypto dynamic-map Hondo-dynmap 1 match address Hondo-remote-ACL
crypto dynamic-map Hondo-dynmap 1 set transform-set Hondo-router-set
crypto dynamic-map Hondo-dynmap 1 set reverse-route
crypto dynamic-map Hondo-dynmap 11 match address L2L-remote-ACL
crypto dynamic-map Hondo-dynmap 11 set transform-set L2L-router-set
crypto dynamic-map Hondo-dynmap 11 set reverse-route
crypto dynamic-map Hondo-dynmap 21 set pfs group1
crypto dynamic-map Hondo-dynmap 21 set transform-set ESP-AES-128-SHA

and I still get the "No SPI to identify Phase 2 SA!".

None of the Crypto Map ACLs have a deny. What am I missing as far as how the sequence number matching logic works? Thanks.

1 Reply

kbyrd
Level 2

Correction: I was able to get the single crypto-map with sequence number to work:

crypto dynamic-map Hondo-dynmap 1 match address Hondo-remote-ACL
crypto dynamic-map Hondo-dynmap 1 set transform-set Hondo-router-set
crypto dynamic-map Hondo-dynmap 1 set reverse-route
crypto dynamic-map Hondo-dynmap 11 match address L2L-remote-ACL
crypto dynamic-map Hondo-dynmap 11 set transform-set L2L-router-set
crypto dynamic-map Hondo-dynmap 11 set reverse-route
crypto dynamic-map Hondo-dynmap 15 match address Canada-remote-ACL
crypto dynamic-map Hondo-dynmap 15 set transform-set Canada-router-set
crypto dynamic-map Hondo-dynmap 15 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic Hondo-dynmap
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

I'm still wondering why this doesn't work as an alternative approach:

crypto dynamic-map Hondo-dynmap 1 match address Hondo-remote-ACL
crypto dynamic-map Hondo-dynmap 1 set transform-set Hondo-router-set
crypto dynamic-map Hondo-dynmap 1 set reverse-route
crypto dynamic-map Canada-dynmap 1 match address Canada-remote-ACL
crypto dynamic-map Canada-dynmap 1 set transform-set Canada-router-set
crypto dynamic-map Canada-dynmap 1 set reverse-route
crypto dynamic-map L2L-dynmap 1 match address L2L-remote-ACL
crypto dynamic-map L2L-dynmap 1 set transform-set L2L-router-set
crypto dynamic-map L2L-dynmap 1 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic Hondo-dynmap
crypto map outside_map 20 ipsec-isakmp dynamic Canada-dynmap
crypto map outside_map 30 ipsec-isakmp dynamic L2L-dynmap
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
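When comparing the working and non-working layouts above, it helps to see the static crypto map, its dynamic-map references and their ACLs laid out in sequence-number order, and to spot the entries that carry no `match address` at all (Hondo-dynmap 21 and SYSTEM_DEFAULT_CRYPTO_MAP 65535 in the question's config). A dynamic crypto map entry with no ACL accepts whatever proxy identity the peer proposes, so such entries are worth flagging in any VPN config review. The script below is an added example, not code from the thread or from Cisco; it assumes the lines follow exactly the `crypto dynamic-map` / `crypto map ... ipsec-isakmp dynamic` syntax shown in the posts, and its sample input is the central ASA5505 configuration from the question. The same `audit()` can be run over the working and alternative snippets in the reply to compare them.

```python
"""Audit ASA crypto map / dynamic crypto map lines (added example, not from the thread).

Parses 'crypto dynamic-map' and 'crypto map ... dynamic' lines and lists, for each
static crypto map in sequence-number order, the referenced dynamic map and the ACL
each dynamic-map entry matches. Entries with no 'match address' are flagged because
the ASA then accepts any proxy identity the peer proposes; entries with no
transform set are flagged as incomplete.
"""
import re
from collections import defaultdict

DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

# Sample input: the central ASA5505 configuration posted in the question.
SAMPLE_CONFIG = """
crypto dynamic-map Hondo-dynmap 1 match address Hondo-remote-ACL
crypto dynamic-map Hondo-dynmap 1 set transform-set Hondo-router-set
crypto dynamic-map Hondo-dynmap 1 set reverse-route
crypto dynamic-map Hondo-dynmap 21 set pfs group1
crypto dynamic-map Hondo-dynmap 21 set transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map Canada-dynmap 1 match address Canada-remote-ACL
crypto dynamic-map Canada-dynmap 1 set transform-set Canada-router-set
crypto dynamic-map Canada-dynmap 1 set reverse-route
crypto dynamic-map L2L-dynmap 1 match address L2L-remote-ACL
crypto dynamic-map L2L-dynmap 1 set transform-set L2L-router-set
crypto dynamic-map L2L-dynmap 1 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic Hondo-dynmap
crypto map outside_map 20 ipsec-isakmp dynamic Canada-dynmap
crypto map outside_map 30 ipsec-isakmp dynamic L2L-dynmap
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""


def parse(config_text):
    """Return (dynamic_maps, crypto_maps, interfaces) parsed from ASA config text."""
    dynamic_maps = defaultdict(lambda: defaultdict(dict))  # name -> seq -> attributes
    crypto_maps = defaultdict(dict)                        # name -> seq -> dynamic map
    interfaces = {}                                        # crypto map name -> interface
    for raw in config_text.splitlines():
        line = raw.strip()
        m = DYN_RE.match(line)
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
            entry = dynamic_maps[name][seq]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_sets"] = rest[2:]
            elif rest[:2] == ["set", "pfs"]:
                entry["pfs"] = rest[2] if len(rest) > 2 else "default"
            elif rest == ["set", "reverse-route"]:
                entry["rri"] = True
            continue
        m = MAP_RE.match(line)
        if m:
            crypto_maps[m.group(1)][int(m.group(2))] = m.group(3)
            continue
        m = IFACE_RE.match(line)
        if m:
            interfaces[m.group(1)] = m.group(2)
    return dynamic_maps, crypto_maps, interfaces


def audit(config_text):
    """List (crypto_map, map_seq, dyn_map, dyn_seq, acl, issues) in sequence-number order."""
    dynamic_maps, crypto_maps, _ = parse(config_text)
    rows = []
    for map_name in sorted(crypto_maps):
        for map_seq in sorted(crypto_maps[map_name]):
            dyn_name = crypto_maps[map_name][map_seq]
            if dyn_name not in dynamic_maps:
                rows.append((map_name, map_seq, dyn_name, None, None,
                             ["referenced dynamic map is not defined"]))
                continue
            for dyn_seq in sorted(dynamic_maps[dyn_name]):
                entry = dynamic_maps[dyn_name][dyn_seq]
                issues = []
                if "acl" not in entry:
                    issues.append("no match address: any peer-proposed proxy identity is accepted")
                if "transform_sets" not in entry:
                    issues.append("no transform-set")
                rows.append((map_name, map_seq, dyn_name, dyn_seq, entry.get("acl"), issues))
    return rows


def entries_for_acl(config_text, acl_name):
    """Where a crypto ACL is referenced: list of (crypto_map, map_seq, dyn_map, dyn_seq)."""
    return [(r[0], r[1], r[2], r[3]) for r in audit(config_text) if r[4] == acl_name]


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        flag = "  <-- " + "; ".join(row[5]) if row[5] else ""
        print(f"{row[0]} seq {row[1]} -> {row[2]} seq {row[3]} acl {row[4]}{flag}")
```

Running it on the question's config prints five rows; the two flagged ones are Hondo-dynmap 21 and SYSTEM_DEFAULT_CRYPTO_MAP 65535, both of which have a transform set but no ACL. To check a specific site, `entries_for_acl(SAMPLE_CONFIG, "L2L-remote-ACL")` shows the single place that ACL is referenced (outside_map 30, L2L-dynmap 1).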