07-12-2023 01:43 AM
Hi,
I have a Cisco ASA5545 and AnyConnect is configured and working. I need to create a new IPsec IKEv2 S2S VPN, and when I configured it my AnyConnect stopped working.
It stops working when I apply a new crypto map on interface outside:
crypto map outside_cryptomap interface outside
crypto map outside_cryptomap 1 match address outside_cryptomap
crypto map outside_cryptomap 1 set peer x.x.x.x
crypto map outside_cryptomap 1 set ikev2 ipsec-proposal AES
crypto map outside_cryptomap 1 set reverse-route
and then only new VPN is working.
If I remove it and reapply this, AnyConnect is working again:
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
So is there any way to apply multiple crypto maps to the outside interface?
Or can I combine these two crypto maps into one? Or create a new outside interface? What is your recommendation/best practice?
Best regards,
Ivan
07-12-2023 01:51 AM
You can apply only one crypto map per interface. You should use one of the following names:
crypto map outside_cryptomap 1 match address outside_cryptomap
crypto map outside_cryptomap 1 set peer x.x.x.x
crypto map outside_cryptomap 1 set ikev2 ipsec-proposal AES
crypto map outside_cryptomap 1 set reverse-route
crypto map outside_cryptomap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cryptomap interface outside
====================================
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev2 ipsec-proposal AES
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
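An added example, not part of the original posts and not Cisco tooling: a Python check over a candidate configuration that reports which crypto map ends up applied to each interface and which map entries are left on a name that is not applied anywhere. It assumes, as the thread describes, that the last `crypto map <name> interface <if>` line for an interface is the one in effect; `audit_crypto_maps` and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's original binding followed by the new map,
# in the order the thread describes them being applied.
SAMPLE_CONFIG = """\
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outside_cryptomap 1 match address outside_cryptomap
crypto map outside_cryptomap 1 set peer x.x.x.x
crypto map outside_cryptomap 1 set ikev2 ipsec-proposal AES
crypto map outside_cryptomap 1 set reverse-route
crypto map outside_cryptomap interface outside
"""

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) \S")


def audit_crypto_maps(config_text):
    """Return the map in effect per interface and the entries left unused."""
    entries = defaultdict(set)  # map name -> sequence numbers defined
    effective = {}              # interface -> map name (assumption: last wins)
    for raw in config_text.splitlines():
        line = raw.strip()
        bind = BIND_RE.match(line)
        if bind:
            effective[bind.group(2)] = bind.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            entries[entry.group(1)].add(int(entry.group(2)))
    in_use = set(effective.values())
    orphaned = {name: sorted(seqs) for name, seqs in entries.items()
                if name not in in_use}
    return {"effective": effective, "orphaned": orphaned}


if __name__ == "__main__":
    result = audit_crypto_maps(SAMPLE_CONFIG)
    for iface, name in result["effective"].items():
        print(f"interface {iface}: crypto map {name}")
    for name, seqs in result["orphaned"].items():
        print(f"not applied: {name} entries {seqs}")
```

On the constructed sample it reports sequence 65535 of `outside_map` (the dynamic entry) as not applied; with either combined configuration from the answer above, nothing is left unapplied.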
07-12-2023 01:52 AM
Let me know if it worked for you.
07-12-2023 02:07 AM
Thank you Jeet, it is working.
07-12-2023 01:57 AM - edited 07-12-2023 02:10 AM
Never mind.
I am confused here.
07-12-2023 02:09 AM
Hi, new issue for me. Yes, on the mobile phone AnyConnect was working since it uses SSL, but on the PC it didn't work because it was using IPsec.
When I combine the crypto maps into one, it is working on both.
Thanks!