Jan is absolutely correct, your config has different PFS for phase 2 .

please share the output of following commands from your ASA:

1. show crypto debug-condition

2. show crypto ipsec df-bit

3. show crypto ipsec fragmentation

4. show crypto ipsec sa

5. show crypto ipsec stats

6. show crypto isakmp stats

7. show crypto isakmp sa

8. show crypto isakmp stats

9. show crypto protocol statistics

Also you are using transport mode for all your transform sets and so many transform sets will slow down the phase 2 negotiation :

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

2. Please share the output of the running configuration of router.

3. Please sahre the output of commands from your router:

show  crypto  ipsec  sa

show crypto ipsec sa

show crypto ipsec summary

show crypto ipsec transform-set

show crypto engine connections active

show crypto engine brief

show crypto engine connections

Best Regards

Sachin Garg

Hi Cengiz,

Dynamic CRYPTO maps mostly used in a Remote Access or Client to site VPN because end users working from home can have IP address new every time or like different whcn connect from home or from Internet cafe , hence ASA cant make a fix IP as Peer.

But for site to site also Dynamic Crypto Map can be used but only at one side , else if you use Dynamic crypto map at both ends , both peer will wait for each other to initiate a tunnel Request as the device n this case ASA) configured with Dynamic Crypto map can only REPLY for a tunnel initiation , it can never send tunned initilaization request as it never know the IP address of the peer. Hence never make both device as dynamic crypto map or else they both never initiate and wait for each pther and tunnel will never happen.

The main steps to be configured on the ASA end in order to establish dynamic tunnel:

    Phase 1 ISAKMP related configuration

    Nat exemption configuration

    Dynamic crypto map configuration

The Cisco IOS router has a static crypto map configured because the ASA is assumed to have a static public IP address. Now this is the list of main steps to be configured on the Cisco IOS Router end to establish dynamic IPSEC tunnel.

    Phase 1 ISAKMP related configuration

    Static crypto map related configuration

!---1. Configure the IPsec transform-set

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

!

!--- 2. Configure the dynamic crypto map. Always rememeber to bind a dynamic crypto map to a blank static crypto map and then call that static crypto map to a ASA OUTSIDE Interface as Dynamic Crypto maps cannot be bind directly to ASA OUTSIDE Interface or say any interface.

crypto dynamic-map MY_DYNAMIC_MAP 1 set transform-set myset

crypto dynamic-map MY_DYNAMIC_MAP 1 set reverse-route

!--- Enable Reverse Route Injection (RRI), which allows the ASA

!--- to learn routing information for connected clients hence the static route will come above defaut route and hence

!... will make the routing decision fast else every time for the other side router dynamic IP , default route have to get a hit but only after checking the entire routing table and when no match then use default route , so to save this entire route matchin process always good to use reverse route enjection so that other side non dynamic crypt peer can insert a static route enrty in ASA.

!--- 2A. Always Bind dynamic crypto map named MY_DYNAMIC_MAP to a static crypto map named STATIC_MAP_CALLING_DYMANIC_MAP using a keyword dynamic in the last 

crypto map STATIC_MAP_CALLING_DYMANIC_MAP 10 IPSec-isakmp dynamic MY_DYNAMIC_MAP

!--- 2B.now apply static map on ASA OUTSIDE Interface

crypto map STATIC_MAP_CALLING_DYMANIC_MAP interface outside

!

!--- 3. Configure the phase I ISAKMP policy

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

!

!

!--- 4. Configure the default L2L tunnel group parameters

tunnel-group DefaultL2LGroup IPSec-attributes

pre-shared-key *

Plase rate if you like my post.

Best Regards

Sachin Garg

Hi Sachin,

thanks a lot for you detailed answer ... but you probably din'T check my setup what i have send in my last post.

There is no IOS device in my setup.

So my setup is between a Cisco ASA5520 (headend) and a RV215w which is the remote office.

I need config support for the headend (ASA5520) with static IP which has to terminate a site2site connection

coming from RV215w (remote) with a dynamic IP.

Cengiz

Hi Cengiz,

please read Sachin reply properly. He just guide you how to configure ASA for dynamic L2L tunnel and it is correct. Because as you say you have DHCP on router side so outside IP of router can change in time and then ASA tunnel have to be configured dynamically to accept IPSEC connection from any IP address(outside interface).

Regards,

Jan

Jan,

your are right man ... I was missing the important part. My mistake

I will try to configure it and let you guys know how i proceed !!!

Sorry again.

Cengiz

Hi Sachin,

sorry again for the confusion  

Your post was really helpful ... I configured everything as you posted, but i am still missing the last part of the puzzle

I am getting following error message on ASDM logging site:

4     Feb 12 2014     17:24:03     713903                         Group = 192.168.2.249, IP = 192.168.2.249, Can't find a valid tunnel group, aborting...!

The asa-config and "debug crypto ikev1 255" is attached to this post. I haven't changed the RV215w config its still the same.

I   only configured dynamic crypto map on ASA. With static crypto map on ASA the connection was working. I probably have a misconfiguration

and not able to find  it  out. Would be great if you check the config and debugs.

Thanks in advance,

Cengiz

On the end with the static ip, assign the pre-shared key to the DefaultL2L group

Hi Sachin

the pre-shared key is assigned to the group:

tunnel-group test02 type ipsec-l2l

tunnel-group test02 general-attributes

default-group-policy GroupPolicy1

tunnel-group test02 ipsec-attributes

ikev1 pre-shared-key *****

Maybe i misunderstood what you mean.

Cengiz

Have you tried testing the tunnel.

Yes i did but its not working ... i have sent you the debugs in my post before

Seems like ASA is not able to fid the tunnel group. Here is another debug output:

ON-asa5520# Feb 13 10:13:20 [IKEv1]Group = 192.168.2.249, IP = 192.168.2.249, Can't find a valid tunnel group, aborting...!

Feb 13 10:13:30 [IKEv1]IP = 192.168.2.249, Header invalid, missing SA payload! (next payload = 4)

I fixed the problem !!!

After enabling reverse route injection everything was fine : )

I have a last question regarding scalability ... how many l2l session can i terminate on one dynamic cryptomap/tunnelgroup?

Are there any limits?

Thanks in advance.

Cengiz