Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco ASA Site-to-Site VPN with Dynamic Peer

Posted on 2013-12-16
1
Medium Priority
?
2,206 Views
Last Modified: 2013-12-18
Ok so we have  an ASA that we use for 20 or so VPN sites, and when there is a static IP at the  other end all is well. But in order to save some $$ we have a new site that wants to use a dynamic address.

From reading I should be able to setup a dynamic crypto map. I use ASDM exclusively, so try to keep the CLI to a minimum. I went in to ASDM and created a new entry. Below is the warning I get.

[OK] access-list outside_cryptomap_8 line 1 extended permit ip 192.168.0.0 255.255.254.0 object VPN-KERMIT 
[WARNING] tunnel-group KermitDynamic type ipsec-l2l
	 L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digital Certificates and/or The peer is 
configured to use Aggressive Mode

[OK] tunnel-group KermitDynamic ipsec-attributes
      tunnel-group KermitDynamic ipsec-attributes
[OK] ikev1 pre-shared-key **********
[OK] isakmp keepalive threshold 10 retry 2
[OK] crypto dynamic-map KermitDynamic 8 match address outside_cryptomap_8
[OK] crypto dynamic-map KermitDynamic 8 set  pfs group1
[OK] crypto dynamic-map KermitDynamic 8 set  ikev1 transform-set  ESP-3DES-SHA
[OK] crypto map forsberg 8 ipsec-isakmp dynamic KermitDynamic

Open in new window


So from reading the warning it looks like the dynamic peer needs to be using Aggressive, and it is. However,what group should it be using, usually in ASDM on a staic map I can set the mode (aggressive/main) and the group (group 1, 2, ...). However on ASDM I don't get those options at all.

I cannot get the tunnel to come up. The dynamic peer log shows, Aggressive mode started...Initiate new phase 1 negotiation...IPsec SA request queued due to no phase 1 found.

Any thoughts?
0
Comment
Question by:bhieb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 

Accepted Solution

by:
bhieb earned 0 total points
ID: 39727474
Opened a ticket with cisco. Turns out there was a port forward for port 500 to one of my internal IP's. So the ASA was never handling the packet, killed that and it worked.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question