10-28-2014 08:56 AM - edited 02-21-2020 07:54 PM
Hi,
I'm facing a problem: I have an ASA 8.4 and I need to configure two kinds of remote access VPN on the same outside interface:
L2TP and IPsec VPN.
The problem is that both use the same crypto map and, strangely, it appears that when one has a high priority order (for example, the crypto map for L2TP), the IPsec client doesn't work.
Here is the configuration:
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set myset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set MyRA esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set ikev1 transform-set myset
crypto dynamic-map MapRAvpn 1 set ikev1 transform-set MyRA
crypto dynamic-map MapRAvpn 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap 10 ipsec-isakmp dynamic MapRAvpn
crypto map mymap interface outside
So all my Phase 1 settings are correct; that's why I haven't mentioned the configuration for Phase 1.
Crypto map mymap 1 is related to the L2TP client.
Crypto map mymap 10 is related to the IPsec RA client.
With this order, only the L2TP clients are able to connect, but if I change the order of mymap 1 to 15, for example, only the IPsec clients are able to connect.
Is it possible to run the two types of client on the same crypto?
10-31-2014 01:50 PM
Hi,
Yes, both L2TP and remote access are supported at the same time.
You don't need two dynamic maps; just one map would suffice, in which you call both transform sets.
crypto dynamic-map dynmap 1 set ikev1 transform-set MyRA myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
Try this out.
11-03-2014 12:16 AM
Hi,
Again, thank you for your answer. I have tried to change the crypto map, but when I do this only the IPsec VPN works; when I go back to the previous config, the L2TP VPN works but not the IPsec!
11-16-2014 01:39 PM
Hi,
Try this then:
crypto dynamic-map dynmap 1 set ikev1 transform-set MyRA
crypto dynamic-map dynmap 2 set ikev1 transform-set myset
This should do it for you.
Regards,
Nitish Emmanuel
03-25-2015 07:34 AM
Hi,
A similar problem.
crypto dynamic-map dynmap 1 set ikev1 transform-set MyRA
crypto dynamic-map dynmap 2 set ikev1 transform-set myset
Only IPsec works.
If changing the sequence...
crypto dynamic-map dynmap 2 set ikev1 transform-set MyRA
crypto dynamic-map dynmap 1 set ikev1 transform-set myset
Only L2TP works.