Quick Question: Dynamic L2L

WStoffel1
Level 1

Quick, I promise.

If you have two remote clients with DHCP outside addresses, connecting to your ASA which is static, so both tunnels are initiated on the remote end, with your dynamic crypto, one requires PFS, one does not.  How do you do it?

And yes I've had several posts along this line as I'm hammering out some issues that I've inherited, but I believe this to be the last hurdle.  Thanks everyone for your input.

Thank you!

PS: Is there a "best practices" white paper for L2L tunnels that anyone knows of?

2 Replies

Richard Burts
Hall of Fame

I have not done this or tested it, but I believe that you should be able to configure two instances within the dynamic crypto map and one would specify PFS and the other would not.

HTH

Rick

I tried it and it would only connect to one.  In other words, in the debug log I would see both remotes connect in and run through all the crypto, landing at the newly created PFS-enabled dynamic crypto, which worked for the PFS-enabled one.

The expected behavior was for the non-PFS-enabled one to continue to the next (dynamic) crypto, but it does not.

Prompting me to ask here since I'm starting to think you can have a single dynamic entry...?
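The behavior described in the last reply (both remotes landing on the first dynamic entry) is what happens when the dynamic-map entries carry no `match address`: a dynamic entry without a crypto ACL matches any peer, so the lowest sequence number always wins and the second entry is never evaluated. The configuration below is an added example, not something posted in this thread, showing Richard's two-entry layout with a `match address` ACL on each entry so the ASA selects the entry by the traffic selectors (proxy IDs) each remote proposes rather than by peer address, which is unknown for DHCP peers. It assumes ASA 8.4-or-later IKEv1 syntax (`crypto ikev1 policy`, `crypto ipsec ikev1 transform-set`); the interface, map, ACL and tunnel names, the 192.168.10.0/24 hub network and the 10.1.1.0/24 and 10.2.2.0/24 remote networks are all constructed for the illustration.

```text
! ---- ASA hub side (static address); both remotes initiate ----
! Assumed names and addresses; replace with your own.

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! One transform set shared by both dynamic entries
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Crypto ACLs: hub network <-> each remote's network.
! The dynamic entry is chosen by matching these against the
! proxy IDs the remote proposes, not by the remote's (DHCP) address.
access-list VPN-SITE-A extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-SITE-B extended permit ip 192.168.10.0 255.255.255.0 10.2.2.0 255.255.255.0

! Entry 10: Site A, PFS required.
! Without "match address" this entry would match every peer and
! entry 20 would never be reached.
crypto dynamic-map DYN-L2L 10 match address VPN-SITE-A
crypto dynamic-map DYN-L2L 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-L2L 10 set pfs group2

! Entry 20: Site B, no PFS configured.
crypto dynamic-map DYN-L2L 20 match address VPN-SITE-B
crypto dynamic-map DYN-L2L 20 set ikev1 transform-set ESP-AES256-SHA

! Dynamic map goes last (highest sequence) behind any static entries
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside

! Peers whose address is not known in advance authenticate
! against DefaultL2LGroup; note that all of them share this one key.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-STRONG-KEY
```

Two caveats worth checking before relying on this. First, per the ASA command reference for `set pfs`, when the ASA is the responder and PFS is configured on the matched entry, the initiator must perform the PFS exchange or the negotiation fails; when PFS is not configured, the ASA still accepts PFS if the initiator offers it. Since both remotes here initiate, leaving PFS off a shared entry and letting the PFS-capable remote propose it is a simpler alternative if you do not need to enforce PFS from the hub side. Second, `match address` on a dynamic entry only separates the peers if their proposed networks differ; two remotes proposing identical selectors will still collapse onto the first entry. Verify with `show crypto ipsec sa` that each SA reports the expected dynamic-map sequence number.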