Multiple dynamic map entries (phase 2 policies) on ASA

babanonyme
Level 1

Hi all,

I have a setup where I implemented remote VPN on my ASA. I came to a situation where I wanted to allow both IPsec clients using the Cisco VPN client and Android phones using L2TP/IPsec.

What is happening is that I want to use PFS for the IPsec clients, but my Android phone doesn't handle this. Then I tried to create two sequences in my dynamic crypto map, but the first sequence is always matched and thus IKE phase 2 fails. If I put the sequence without PFS first, it will be matched first, and my IPsec client won't use PFS either...

If I remove PFS, everything is fine.

So is there a way for the ASA to match multiple phase 2 policies? I mean not only multiple transform sets in the same sequence, but also different PFS settings, in my case.

My L2TP clients are using rsa-sig authentication and are dynamically mapped to a tunnel-group, so I thought maybe we could specify different crypto map entries depending on the auth method, but it seems the only option related to this is for legacy crypto maps, where we can choose the trustpoint for outgoing connections.

So if anyone has an idea, I'd be interested; otherwise, I guess I can live without PFS...

1 Accepted Solution

Jennifer Halim
Cisco Employee

Unfortunately not with PFS. If it's part of the transform set (e.g. ESP-3DES, etc.), then you can define multiple transform sets under one dynamic map. However, not for PFS, as you only have one option, to either turn it on or off, since PFS is optional.
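To make the accepted answer concrete, here is an added ASA configuration example (constructed for this page, not taken from the thread or from the poster's running config). It shows the two-entry dynamic map the poster describes trying, and then the single-entry form the answer permits: several transform sets in one dynamic-map entry, with PFS either on or off for that whole entry. The map names, transform-set names and the `outside` interface name are placeholders.

```cisco
! Added example, not from the original thread. DYN-MAP, OUTSIDE-MAP,
! the transform-set names and the interface name are placeholders.

! Transform sets: tunnel mode for the Cisco VPN client,
! transport mode for L2TP/IPsec (the L2TP tunnel rides inside it).
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport

! --- What the post describes trying: two entries, PFS only on the first ---
! As reported in the thread, every inbound dynamic peer is matched against
! entry 10 first, so the L2TP/IPsec phone (which does not offer PFS) lands on
! the PFS-required entry and phase 2 fails. Swapping the sequence numbers
! makes entry 20 match first for everyone, and the VPN client then also
! negotiates without PFS.
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-MAP 10 set pfs group2
crypto dynamic-map DYN-MAP 20 set transform-set ESP-3DES-SHA-TRANS

! --- What the accepted answer allows: one entry, several transform sets ---
! PFS is a per-entry switch (on or off), so with one entry serving both
! client types it has to be off for the phone to connect.
no crypto dynamic-map DYN-MAP 10
no crypto dynamic-map DYN-MAP 20
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA ESP-3DES-SHA-TRANS

! Bind the dynamic map at the end of the static crypto map on the interface.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
```

After a peer connects, `show crypto ipsec sa peer <peer-ip>` shows which transform set was actually negotiated, which is a quick way to confirm that the phone picked the transport-mode set and the VPN client the tunnel-mode one from the same entry. One thing worth checking on your ASA version, which the thread does not cover and which I note here as something to verify rather than as a confirmed fix: the ASA `group-policy ... attributes` section has a `pfs enable` setting for remote-access IKEv1 clients, which would let PFS be requested per group policy instead of per dynamic-map entry.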

2 Replies


OK, that's what I thought. Thanks for the confirmation.