Cisco ASA multiple dynamic VPN support (defaultRAGroup-defaultl2lGroup)

Question (short)

How do I set up 2 totally different dynamic l2l VPN tunnels on an ASA5506?

Question (extended)

We have a Cisco ASA5506 Security Appliance and we want to set up 2 dynamic VPN setups.

  • Tunnel for various Windows clients;
  • Tunnel to a branch office with a dynamic IP using DynDNS.

We can set up the tunnels individually without a problem but can't get them both working at once.

VPN 1 (windows clients)

Cisco ASA5506 config

group-policy l2tp-ipsec_policy internal

group-policy l2tp-ipsec_policy attributes
  dns-server value 10.100.3.1
  vpn-tunnel-protocol l2tp-ipsec
  default-domain value vbv.local
  banner value U bent nu aangemeld op het netwerk, zet uw VPN verbinding uit wanneer u klaar bent.
  wins-server value 10.100.3.1
  vpn-filter value VBV_VPN_CLIENT_FILTER
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VBV_VPN_CLIENTS
exit

tunnel-group DefaultRAGroup general-attributes
  default-group-policy l2tp-ipsec_policy
  address-pool POOL-VPN_VBVLOCAL
  authentication-server-group VBV_LDAP LOCAL
  password-management
  strip-realm
exit

tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *****
exit

tunnel-group DefaultRAGroup ppp-attributes
  authentication pap
  no authentication chap
  no authentication ms-chap-v1
  no authentication ms-chap-v2
exit

crypto ipsec ikev1 transform-set winClient esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set winClient mode transport

crypto dynamic-map dynWinVPN 500 set ikev1 transform-set winClient

crypto map cmap_WAN-GLASVEZEL 500 ipsec-isakmp dynamic dynWinVPN

crypto ikev1 enable WAN-GLASVEZEL

crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
exit

access-list VBV_VPN_CLIENT_FILTER extended permit object-group obj-VBVLOCAL_VPN_AllowedServices any any log notifications
access-list VBV_VPN_CLIENTS extended permit ip object-group obj-VBVLOCAL_VPN_AllowedNetworks any

The above works perfectly on its own. I know about the PAP auth, but the reason for it is the LDAP verification (can't get that working with MS-CHAPv2, and that is of later concern).

VPN 2 (site to site to branch office)

Cisco ASA5506 config

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map ***.dyndns.org 100 set pfs group1
crypto dynamic-map ***.dyndns.org 100 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map ***.dyndns.org 100 set security-association lifetime seconds 86400
crypto dynamic-map ***.dyndns.org 100 set security-association lifetime kilobytes 9216000

crypto map cmap_WAN-GLASVEZEL 100 ipsec-isakmp dynamic ***.dyndns.org

crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!

tunnel-group ***.dyndns.org type ipsec-l2l
tunnel-group ***.dyndns.org general-attributes
 default-group-policy grpPol_vbvjb
tunnel-group ***.dyndns.org ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
!

Branch office Cisco 881 router

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ****** address ***
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
crypto ipsec security-association lifetime kilobytes 9216000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP-***_BACKUP 1 ipsec-isakmp
 description TUNNEL-***_BACKUP_****
 set peer *****
 set transform-set ESP-3DES-SHA
 set pfs group1
 match address 171
!
access-list 171 remark VPN-IPSEC-***_BACKUP
access-list 171 permit ip 192.168.10.0 0.0.0.255 10.100.0.0 0.0.3.255 log
access-list 177 permit icmp any host 10.100.3.1

Same story here: fully working on its own, but I can't combine it with the setup above.

So in short, I can set up both VPN setups and get them working, but I cannot get them working in one configuration.

Keynotes

  • Works separately but not together;
  • Branch office uses DynDNS because it has no static IP;
  • Windows VPN clients use 2l2 with LDAP server verification;
  • Strange thing I see is that site2site uses DefaultRAGroup and the clients DefaultL2LGroup.
  • How can I check which crypto dynamic map is caught?

Hope someone here can help so we do not have to call Cisco TAC.
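One way to answer the last keynote ("how can I check which crypto dynamic map is caught?") offline is to read the crypto map back from the running config in the order the ASA walks it. The ASA evaluates the entries of a crypto map in ascending sequence number and uses the first dynamic entry whose IPsec proposal can be matched, so with two dynamic entries under cmap_WAN-GLASVEZEL the branch entry (seq 100) is always tried before the Windows client entry (seq 500). The script below is an added example, not code from the original post or from Cisco: it parses the relevant lines of the two snippets (copied here as a constructed sample; the masked ***.dyndns.org name is replaced by the placeholder branch.dyndns.org), prints the evaluation order with each entry's transform set, mode and PFS setting, and simulates first-match selection for a given peer proposal. The simulation reduces phase-2 matching to ESP algorithms plus tunnel/transport mode, which is a simplification of what the ASA does.

```python
"""Added example (not from the original post): list a Cisco ASA crypto map's
entries in evaluation order and show which dynamic map a proposal lands on.
Sample config lines are constructed from the question; 'branch.dyndns.org'
is a placeholder for the masked ***.dyndns.org dynamic map / tunnel-group."""
import re

# Constructed sample: the crypto-relevant lines of both snippets combined.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set winClient esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set winClient mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynWinVPN 500 set ikev1 transform-set winClient
crypto dynamic-map branch.dyndns.org 100 set pfs group1
crypto dynamic-map branch.dyndns.org 100 set ikev1 transform-set ESP-3DES-SHA
crypto map cmap_WAN-GLASVEZEL 500 ipsec-isakmp dynamic dynWinVPN
crypto map cmap_WAN-GLASVEZEL 100 ipsec-isakmp dynamic branch.dyndns.org
"""

# Old (pre-8.4) and new ikev1 syntax are both accepted for transform sets.
TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")


def parse_asa_crypto(text):
    """Collect transform sets, dynamic-map entries and crypto-map entries."""
    transform_sets = {}  # name -> {"algorithms": str, "mode": "tunnel"|"transport"}
    dynamic_maps = {}    # (name, seq) -> {"transform_set": str|None, "pfs": str|None}
    crypto_maps = {}     # map name -> [{"seq": int, "dynamic_map": str}, ...]
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            name, rest = m.groups()
            ts = transform_sets.setdefault(name, {"algorithms": None, "mode": "tunnel"})
            if rest.startswith("mode "):
                ts["mode"] = rest.split()[1]      # "transport" for the L2TP clients
            else:
                ts["algorithms"] = rest           # e.g. "esp-3des esp-sha-hmac"
            continue
        m = DYN_RE.match(line)
        if m:
            name, seq, setting = m.groups()
            entry = dynamic_maps.setdefault((name, int(seq)),
                                            {"transform_set": None, "pfs": None})
            parts = setting.split()
            if "transform-set" in parts:
                entry["transform_set"] = parts[parts.index("transform-set") + 1]
            elif parts[0] == "pfs":
                entry["pfs"] = parts[1] if len(parts) > 1 else "default"
            continue
        m = MAP_RE.match(line)
        if m:
            map_name, seq, dyn = m.groups()
            crypto_maps.setdefault(map_name, []).append(
                {"seq": int(seq), "dynamic_map": dyn})
    return {"transform_sets": transform_sets, "dynamic_maps": dynamic_maps,
            "crypto_maps": crypto_maps}


def evaluation_order(parsed, map_name):
    """Crypto-map entries sorted the way the ASA walks them: ascending seq."""
    rows = []
    for ent in sorted(parsed["crypto_maps"].get(map_name, []), key=lambda e: e["seq"]):
        for (dname, dseq), dyn in sorted(parsed["dynamic_maps"].items()):
            if dname != ent["dynamic_map"]:
                continue
            ts = parsed["transform_sets"].get(dyn["transform_set"], {})
            rows.append({"seq": ent["seq"], "dynamic_map": dname, "dynamic_seq": dseq,
                         "transform_set": dyn["transform_set"],
                         "algorithms": ts.get("algorithms"),
                         "mode": ts.get("mode", "tunnel"), "pfs": dyn["pfs"]})
    return rows


def first_match(rows, algorithms, mode):
    """Simplified first-match: seq of the first entry whose transform set has
    the proposed ESP algorithms and mode, or None if nothing matches."""
    for r in rows:
        if r["algorithms"] == algorithms and r["mode"] == mode:
            return r["seq"]
    return None


if __name__ == "__main__":
    parsed = parse_asa_crypto(SAMPLE_CONFIG)
    rows = evaluation_order(parsed, "cmap_WAN-GLASVEZEL")
    for r in rows:
        print(f"seq {r['seq']:>4}  dynamic {r['dynamic_map']}:{r['dynamic_seq']}  "
              f"ts={r['transform_set']} ({r['algorithms']}, {r['mode']})  pfs={r['pfs']}")
    print("router proposal (tunnel) lands on seq",
          first_match(rows, "esp-3des esp-sha-hmac", "tunnel"))
    print("Windows L2TP proposal (transport) lands on seq",
          first_match(rows, "esp-3des esp-sha-hmac", "transport"))
```

Paste the output of `show running-config crypto` into SAMPLE_CONFIG to run it against a real box; `show crypto map` on the ASA gives the same ordering interactively once the tunnels are up.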
