LAN-to-LAN IPsec VPN not working simultaneously with L2TP/IPsec VPN

seokjinjohn
Level 1

Hi everyone,

I'm configuring L2TP/IPsec and LAN-to-LAN IPsec VPN on my Cisco FirePower 1010 via CLI.
Separately, both are working fine. (By separately, I mean I tested L2TP/IPsec without LAN-to-LAN configured, and vice versa).

However, when both configurations are applied, only one is working.

I use IKEv1 for L2TP phase 1 and IKEv2 for L2L phase 1.

Below are my settings.

##################################################################
[L2TP/IPsec settings]
!
crypto ipsec ikev1 transform-set L2TP_transform-set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP_transform-set mode transport
!
crypto dynamic-map L2TP-map-dynamic 10 set ikev1 transform-set L2TP_transform-set
crypto map L2TP-map 20 ipsec-isakmp dynamic L2TP-map-dynamic
crypto map L2TP-map interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy L2TP-policy internal
group-policy L2TP-policy attributes
vpn-tunnel-protocol l2tp-ipsec
intercept-dhcp enable
username <user> password <password> mschap
!
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP-Pool
default-group-policy L2TP-policy
!
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key myciscopsk
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
!

[LAN-to-LAN IPsec settings]

!
crypto ipsec ikev2 ipsec-proposal L2L-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
!
crypto map L2L-map 1 match address <my acl>
crypto map L2L-map 1 set pfs group2
crypto map L2L-map 1 set peer <remote site IP>
crypto map L2L-map 1 set ikev2 ipsec-proposal L2L-PROPOSAL
crypto map L2L-map 1 set security-association lifetime seconds 3600
crypto map L2L-map interface outside
!
tunnel-group <remote site IP> type ipsec-l2l
tunnel-group <remote site IP> ipsec-attributes
ikev2 local-authentication pre-shared-key <tunnel psk>
ikev2 remote-authentication pre-shared-key <tunnel psk>
isakmp keepalive threshold 10 retry 3
#############################################################

I only included relevant configuration.

I noticed that there could only be one "crypto map <map> interface <interface>" setting. When I configure both "crypto map L2L-map interface outside" and "crypto map L2TP-map interface outside", only one will be accepted (whichever is configured last).

Is this expected behavior for ASA/Firepower devices?

Appreciate your help.

Accepted Solution

Milos_Jovanovic
VIP Alumni

Hi @seokjinjohn,

You can have only one crypto map applied to an interface at one moment, so yes, this is expected behavior. If you need to have multiple connections, you are supposed to define them in the same crypto map, with different parameters.

Regarding IKEv2, I notice that you are missing (or you haven't included here):

  • you have to enable IKEv2 too on outside - crypto ikev2 enable outside
  • you have to define IKEv2 policies for phase 1 too, here is an example:

crypto ikev2 policy 5
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400

  • you have to define new group-policy, where you'll define that IKEv2 should be used:

group-policy L2L-Group-Policy internal
group-policy L2L-Group-Policy attributes
vpn-tunnel-protocol ikev2

  • you have to actually tell ASA that it should use IKEv2 for specific peer

tunnel-group <remote site IP> general-attributes
default-group-policy L2L-Group-Policy

I don't see relevant routing, but I'm assuming you already covered that.

BR,

Milos

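As an added example (not configuration posted by either participant), here is how the two sets of settings from the question combine into the single crypto map that the answer above calls for. The static LAN-to-LAN entry keeps the lowest sequence number and the dynamic L2TP/IPsec entry gets the highest, so the ASA tries the peer-specific match before falling through to the catch-all dynamic entry. The map name OUTSIDE-map and the <l2tp psk> placeholder are chosen here; all other names, the <my acl> and <remote site IP> placeholders, and the algorithm choices are taken from the posts unchanged (the 3DES/group 2 IKEv1 policy is kept for L2TP client compatibility; move it to aes-256 and group 14 if your clients support that).

```text
! Added example: one crypto map on the outside interface carrying both the
! IKEv2 LAN-to-LAN entry and the IKEv1 dynamic entry used by L2TP/IPsec.
!
! Phase 1: both IKE versions enabled on the same interface.
crypto ikev1 enable outside
crypto ikev2 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev2 policy 5
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
! Phase 2 proposals (transport mode is required for L2TP/IPsec).
crypto ipsec ikev1 transform-set L2TP_transform-set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP_transform-set mode transport
crypto ipsec ikev2 ipsec-proposal L2L-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Dynamic map for remote-access (L2TP/IPsec) peers whose addresses are unknown.
crypto dynamic-map L2TP-map-dynamic 10 set ikev1 transform-set L2TP_transform-set
!
! The single crypto map. Entry 1: static IKEv2 LAN-to-LAN to a known peer.
crypto map OUTSIDE-map 1 match address <my acl>
crypto map OUTSIDE-map 1 set pfs group2
crypto map OUTSIDE-map 1 set peer <remote site IP>
crypto map OUTSIDE-map 1 set ikev2 ipsec-proposal L2L-PROPOSAL
crypto map OUTSIDE-map 1 set security-association lifetime seconds 3600
! Entry 65535: the dynamic entry goes last, so static entries are matched first.
crypto map OUTSIDE-map 65535 ipsec-isakmp dynamic L2TP-map-dynamic
! Only one "crypto map <map> interface outside" binding can exist; this is it.
crypto map OUTSIDE-map interface outside
!
! Group policies: one per tunnel type, each restricted to its own protocol.
group-policy L2TP-policy internal
group-policy L2TP-policy attributes
 vpn-tunnel-protocol l2tp-ipsec
 intercept-dhcp enable
!
group-policy L2L-Group-Policy internal
group-policy L2L-Group-Policy attributes
 vpn-tunnel-protocol ikev2
!
! Tunnel groups. L2TP/IPsec clients land in DefaultRAGroup; the L2L peer
! gets its own tunnel group keyed by its address.
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-Pool
 default-group-policy L2TP-policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <l2tp psk>
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
tunnel-group <remote site IP> type ipsec-l2l
tunnel-group <remote site IP> general-attributes
 default-group-policy L2L-Group-Policy
tunnel-group <remote site IP> ipsec-attributes
 ikev2 local-authentication pre-shared-key <tunnel psk>
 ikev2 remote-authentication pre-shared-key <tunnel psk>
 isakmp keepalive threshold 10 retry 3
```

After applying it, "show run crypto map" should list a single interface binding with both entries under OUTSIDE-map, "show crypto ikev2 sa" should show the L2L peer, and "show crypto ikev1 sa" together with "show vpn-sessiondb" should show the L2TP/IPsec sessions, all at the same time. Routing for the remote subnet and the L2TP pool, which the thread assumes is already in place, is not shown here.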

4 Replies


Hi Milos,

Thank you for the prompt response.

  • you have to enable IKEv2 too on outside - crypto ikev2 enable outside
  • you have to define IKEv2 policies for phase 1 too, here is an example:

crypto ikev2 policy 5
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400

Yes, I do have an IKEv2 policy and I enabled/mapped IKEv2 on the outside interface. I just forgot to include it here.

  • you have to define new group-policy, where you'll define that IKEv2 should be used:

group-policy L2L-Group-Policy internal
group-policy L2L-Group-Policy attributes
vpn-tunnel-protocol ikev2

  • you have to actually tell ASA that it should use IKEv2 for specific peer

tunnel-group <remote site IP> general-attributes
default-group-policy L2L-Group-Policy

Oh, I think this was what I missed. I didn't create a group policy for L2L. I gotta try this out and check.

For the routing, yes, I have them defined as well.

Thank you!

Hi Milos,

I applied everything you said and everything is OK now.

Thank you so much!

Great, glad to hear that.

BR,

Milos