06-16-2011 01:05 PM
Hi all,
I have a setup where I implemented remote VPN on my ASA. I came to a situation where I wanted to allow both an IPsec client using the Cisco VPN client and an Android phone using L2TP/IPsec.
What is happening is that I want to use PFS for IPsec clients, but my Android phone doesn't handle this. Then I tried to create two sequences in my dynamic crypto map, but the first sequence is always matched and thus IKE phase 2 fails. If I put the sequence without PFS first, it will be matched first, and my IPsec client won't use PFS as well...
If I remove PFS, everything is fine.
So is there a way for the ASA to match multiple phase 2 policies? I mean not only multiple transform sets in the same sequence, but also for PFS settings in my case.
My L2TP clients are using rsa-sig authentication and are dynamically mapped to a tunnel-group, so I thought maybe we could specify different crypto map entries depending on the auth method, but it seems the only option we have related to this is for the legacy crypto map, where we can choose the trustpoint for outgoing connections.
So if anyone has an idea, I'd be interested; otherwise, I guess I can live without PFS...
06-16-2011 10:23 PM
Unfortunately not with PFS. If it's part of the transform set (e.g. ESP-3DES, etc.), then you can define multiple transform sets under 1 dynamic map. However, not for PFS, as you only have 1 option to either turn it on or off, since PFS is optional.
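As an added illustration of the point above (not configuration from the original thread), the dynamic-map entry below carries several transform sets, which the ASA negotiates against whatever each client proposes, while `set pfs` is a single per-entry switch. All names (`DYN-MAP`, `OUTSIDE-MAP`, the transform-set names) are assumed, and the syntax is the pre-8.4 `set transform-set` form used at the time of the thread.

```cisco
! Transform sets: tunnel-mode ones for the Cisco VPN client,
! a transport-mode one for the L2TP/IPsec client (Android)
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS-ESP-3DES-SHA mode transport
!
! One dynamic-map entry may list several transform sets; the ASA
! accepts the first one that matches the peer's phase 2 proposal
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-256-SHA ESP-3DES-SHA TRANS-ESP-3DES-SHA
!
! PFS is a per-entry switch, not part of any transform set. Enabling it
! here applies to every peer that lands on entry 10, including the
! L2TP/IPsec client that cannot do PFS, so it is left commented out:
! crypto dynamic-map DYN-MAP 10 set pfs group2
!
! A second entry (20) without PFS does not act as a fallback: the
! remote-access peers hit entry 10 first and phase 2 fails there.
!
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
```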
06-17-2011 03:47 AM
OK, that's what I thought. Thanks for the confirmation.