196 Views, 0 Helpful, 1 Replies

PIX uses static IPSec instead of dynamic

tato386
Level 6

I have some IOS routers that have two interfaces connected to two different ISPs. One interface is a T1 and has a static IP. The other is ADSL, dynamic IP. The idea is that these routers use the T1 interface to connect to HQ via a static/permanent IOS-to-PIX tunnel. The other interface is used as a backup and will be brought up only if the T1 fails. In order to do this I set up the PIX as below.

My problem is that the IOS router comes in on a different IP, but the ACL that defines the subnet is still the same whether it connects via the static or dynamic link. After many hours of troubleshooting I found that because there is a matching subnet ACL in a static crypto map sequence, the dynamic tunnel will not work. I see the PIX trying to send packets on the static sequence even though the peer and transform do not match.

This seems like some bug. Is there a way around it? I am running 6.2.2 on the PIX.

Thanks,

Diego

! Dynamic entry for the backup (ADSL, dynamic IP) peer
crypto dynamic-map dynmap 1 set transform-set vpnset-backup
! Static entries for the T1 peers; ACL 101/102 define the branch subnets
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer 1.1.1.1
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address 102
crypto map vpnmap 20 set peer 2.2.2.2
crypto map vpnmap 20 set transform-set vpnset
! Dynamic entry (seq 100) sits after the static entries
crypto map vpnmap 100 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside

1 Reply

drolemc
Level 6

The interesting traffic as defined by the access-list will remain the same regardless of which link is being used. The ACLs will specify the IPs behind the devices. These IPs will get NATed to a global address depending on the global pool associated with the interface in use. The key here is to ensure that NAT is configured properly.
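The selection behaviour the question describes, as an added example that is not from the original thread: a small Python model of a crypto map in which entries are tried in sequence-number order and the first "match address" ACL hit decides the peer, with the dynamic entry consulted last. The subnets, the HQ_NET name and the helper functions are constructed placeholders (the real ACL 101/102 contents are not on the page); the last case shows the reply's point that traffic via the backup path only reaches the dynamic entry when its NATed addresses fall outside every static ACL.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class CryptoMapEntry:
    seq: int
    peer: Optional[str]         # None for the dynamic entry: peer is learnt when the remote initiates
    acl: List[Tuple[str, str]]  # "match address" permit lines as (src_net, dst_net); [] means any
    dynamic: bool = False

def acl_permits(acl: List[Tuple[str, str]], src: str, dst: str) -> bool:
    """True if any permit line covers the src/dst pair (an empty ACL permits everything)."""
    if not acl:
        return True
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(sn) and d in ip_network(dn) for sn, dn in acl)

def select_entry(crypto_map, src, dst):
    """Walk the map in sequence order and return the first entry whose ACL matches."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_permits(entry.acl, src, dst):
            return entry
    return None

# Constructed stand-in for the poster's "vpnmap": the real ACL 101/102 subnets
# are not on the page, so RFC 1918 placeholders are used.
HQ_NET = "10.0.0.0/24"
VPNMAP = [
    CryptoMapEntry(10, "1.1.1.1", [(HQ_NET, "192.168.1.0/24")]),  # static, ACL 101
    CryptoMapEntry(20, "2.2.2.2", [(HQ_NET, "192.168.2.0/24")]),  # static, ACL 102
    CryptoMapEntry(100, None, [], dynamic=True),                  # dynamic dynmap
]

def chosen_peer(src: str, dst: str, crypto_map=VPNMAP) -> Optional[str]:
    """Peer the PIX would send the packet to; "dynamic" if the dynamic entry wins."""
    entry = select_entry(crypto_map, src, dst)
    if entry is None:
        return None
    return "dynamic" if entry.dynamic else entry.peer

if __name__ == "__main__":
    # Branch 1 subnet, even while its router is in via ADSL: still seq 10 / 1.1.1.1.
    print(chosen_peer("10.0.0.5", "192.168.1.20"))    # 1.1.1.1
    # Same branch, but its traffic NATed to a range no static ACL names (the
    # reply's point): now the dynamic entry is the first match.
    print(chosen_peer("10.0.0.5", "192.168.101.20"))  # dynamic
```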