12-28-2010 08:30 AM
Dear all,
I have the following configuration:
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *************
This configuration is working for a single dynamic peer, and it also works if I add peers that use the same pre-shared key.
However, I would like to add different tunnel-groups for many different dynamic peers, in order to have a different pre-shared key for each one; I tried many times, but I can't even see phase 1 coming up.
Can someone help me with this?
Many thanks.
12-28-2010 02:53 PM
You would only need to configure one dynamic map for all the different groups to connect.
To configure different pre-shared keys, you can create multiple tunnel-groups.
Example (with <group-name> and <key> as placeholders):
tunnel-group <group-name> type remote-access
tunnel-group <group-name> ipsec-attributes
 pre-shared-key <key>
So to put it into context:
tunnel-group group-A type remote-access
tunnel-group group-A ipsec-attributes
 pre-shared-key group-A-password
tunnel-group group-B type remote-access
tunnel-group group-B ipsec-attributes
 pre-shared-key group-B-password
So for group-A, the group name that you enter into the VPN client will be group-A, and the pre-shared key is group-A-password.
Hope that helps.
12-28-2010 09:36 PM
Hi Jennifer,
thanks for the reply.
Maybe I explained myself badly: the multiple dynamic peers aren't users but SOHO routers (like Zyxel, Netgear); it's not possible to use the VPN client with them.
My question is whether it's possible to do this kind of configuration.
Many thanks.
Luca
12-29-2010 02:37 AM
If it's a dynamic-to-static LAN-to-LAN IPsec tunnel, then the answer is no: you can't define a different pre-shared key for each dynamic LAN-to-LAN tunnel, because the peer IP address could be different. However, if the peer address is static, then you can create a static crypto map (which, however, requires a static configuration for each remote peer).
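As an added illustration of the static-peer alternative described in this answer (this is not a configuration posted in the thread): each remote site with a fixed public address gets its own ipsec-l2l tunnel-group named after that address, plus a static crypto map entry placed ahead of the dynamic one, while sites with changing addresses keep falling through to DefaultL2LGroup. The peer addresses (203.0.113.x), the local and remote subnets, the ACL names and the keys are constructed placeholders; the phase 1 and phase 2 parameters are reused from the original post.

```text
! Added example, not from the thread. Peer addresses, subnets, ACL names and
! keys are constructed placeholders.
!
! Phase 1/2 parameters reused from the original post
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
! Interesting traffic for each fixed-address peer
access-list l2l-siteA extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list l2l-siteB extended permit ip 10.1.0.0 255.255.0.0 192.168.20.0 255.255.255.0
!
! One static crypto map entry per fixed-address peer. These must use lower
! sequence numbers than the dynamic entry so they are evaluated first.
crypto map dyn-map 10 match address l2l-siteA
crypto map dyn-map 10 set peer 203.0.113.10
crypto map dyn-map 10 set transform-set myset
crypto map dyn-map 11 match address l2l-siteB
crypto map dyn-map 11 set peer 203.0.113.20
crypto map dyn-map 11 set transform-set myset
!
! The dynamic entry stays last and still catches peers whose address changes;
! those peers authenticate with the DefaultL2LGroup key.
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
!
! A LAN-to-LAN tunnel-group is named after the peer address, which is how the
! ASA picks the pre-shared key for a main-mode peer. One key per site.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key siteA-key-placeholder
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key siteB-key-placeholder
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key default-dynamic-key-placeholder
```

The point of the split is that every peer without a fixed address authenticates against the single DefaultL2LGroup key, so that key is effectively shared by all dynamic sites; the per-address tunnel-groups are the only way on this configuration to give a site a key of its own. After applying it, `show crypto isakmp sa` shows which peers have completed phase 1 and against which address, and `show run crypto map` confirms that the static entries sit before the dynamic entry.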