
VPN on ASA5510 from Static to Multiple Dynamic peers.

Lybra1983
Level 1

Dear all,

I have the following configuration:

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *************

This configuration is working for a single dynamic peer, and it also works if I add peers with the same pre-shared key.

However, I would like to add different tunnel groups for many different dynamic peers in order to have a different pre-shared key for each one; I tried many times but I can't even see phase 1 working.

Can someone help me with this?

Many thanks.

Accepted Solution

If it's a dynamic-to-static LAN-to-LAN IPsec tunnel, then the answer is no: you can't define different pre-shared keys for dynamic LAN-to-LAN tunnels because the peer IP address could be different. However, if the peer address is static, then you can create a static crypto map (that requires a static configuration for each remote peer, though).


3 Replies

Jennifer Halim
Cisco Employee

You would only need to configure 1 dynamic map for all the different groups to connect.

To configure different pre-shared keys, you can create multiple tunnel-groups.

Example:

tunnel-group <name> type remote-access
tunnel-group <name> ipsec-attributes
 pre-shared-key <key>

So to put it into context:

tunnel-group group-A type remote-access
tunnel-group group-A ipsec-attributes
 pre-shared-key group-A-password

tunnel-group group-B type remote-access
tunnel-group group-B ipsec-attributes
 pre-shared-key group-B-password

So for group-A, the group name that you enter into the VPN client will be group-A, and the pre-shared key is group-A-password.

Hope that helps.

Hi Jennifer,

Thanks for the reply.

Maybe I explained myself badly: the multiple dynamic peers aren't users but SOHO routers (like Zyxel, Netgear); it's not possible to use the VPN client with them.

My doubt is if it's possible to do this kind of configuration.

Many thanks.

Luca

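To make the accepted solution concrete, here is an added example (not part of the original thread and not Cisco's own documentation) of the static-peer route on the same ASA syntax used in the question: two SOHO routers that have fixed public addresses each get an IKEv1 LAN-to-LAN tunnel-group named after their peer IP, which is what lets each one carry its own pre-shared key, plus a static entry in the existing dyn-map. The dynamic entry keeps sequence 20, the highest number in the map, so it is only consulted after the static entries fail to match and continues to serve any peers that share the DefaultL2LGroup key. All addresses, ACL names and key strings below are placeholders.

```cisco
! Interesting traffic per remote site (placeholder networks).
access-list L2L_SITE_A extended permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L_SITE_B extended permit ip 10.1.0.0 255.255.255.0 192.168.20.0 255.255.255.0

! One tunnel-group per static peer. For IKEv1 L2L the tunnel-group name
! must be the peer's IP address, so the ASA can select the right key in phase 1.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key SITE-A-KEY-PLACEHOLDER

tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key SITE-B-KEY-PLACEHOLDER

! Static crypto map entries with sequence numbers lower than the dynamic entry.
crypto map dyn-map 10 match address L2L_SITE_A
crypto map dyn-map 10 set peer 203.0.113.10
crypto map dyn-map 10 set transform-set myset

crypto map dyn-map 11 match address L2L_SITE_B
crypto map dyn-map 11 set peer 203.0.113.20
crypto map dyn-map 11 set transform-set myset

! The dynamic entry from the original configuration stays last (highest sequence).
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
```

After applying it, `show crypto isakmp sa` should list a phase 1 SA per static peer and `show crypto ipsec sa peer 203.0.113.10` the phase 2 SAs for that site. Peers whose public address changes (true dynamic peers) cannot be keyed this way, which is exactly the limitation the accepted solution describes. Note also that the DES/3DES and MD5 settings in the question's ISAKMP policies are legacy choices; where the SOHO routers support it, an AES/SHA policy is the better default.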