Ok so we have an ASA that we use for 20 or so VPN sites, and when there is a static IP at the other end all is well. But in order to save some $$ we have a new site that wants to use a dynamic address.
From reading I should be able to setup a dynamic crypto map. I use ASDM exclusively, so try to keep the CLI to a minimum. I went in to ASDM and created a new entry. Below is the warning I get.
[OK] access-list outside_cryptomap_8 line 1 extended permit ip 192.168.0.0 255.255.254.0 object VPN-KERMIT [WARNING] tunnel-group KermitDynamic type ipsec-l2l L2L tunnel-groups that have names which are not an IPaddress may only be used if the tunnel authenticationmethod is Digital Certificates and/or The peer is configured to use Aggressive Mode[OK] tunnel-group KermitDynamic ipsec-attributes tunnel-group KermitDynamic ipsec-attributes[OK] ikev1 pre-shared-key **********[OK] isakmp keepalive threshold 10 retry 2[OK] crypto dynamic-map KermitDynamic 8 match address outside_cryptomap_8[OK] crypto dynamic-map KermitDynamic 8 set pfs group1[OK] crypto dynamic-map KermitDynamic 8 set ikev1 transform-set ESP-3DES-SHA[OK] crypto map forsberg 8 ipsec-isakmp dynamic KermitDynamic
So from reading the warning it looks like the dynamic peer needs to be using Aggressive, and it is. However,what group should it be using, usually in ASDM on a staic map I can set the mode (aggressive/main) and the group (group 1, 2, ...). However on ASDM I don't get those options at all.
I cannot get the tunnel to come up. The dynamic peer log shows, Aggressive mode started...Initiate new phase 1 negotiation...IPsec SA request queued due to no phase 1 found.