Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peers

In a previous lesson, I explained how to configure a site-to-site IPsec VPN between an ASA with a static IP and one with a dynamic IP address. What if you have multiple peers with dynamic IP addresses?

If you want, you can land all these VPN connections on a single tunnel-group, but it might be a better idea to use different tunnel-groups. This allows you to use different pre-shared keys and policies.

In this lesson, you will learn how to configure site-to-site IPsec VPNs with multiple dynamic peers. Here’s the topology we will use:

[Topology: ASA1 (static IP) with site-to-site tunnels to ASA2 and ASA3 (dynamic IPs)]

We will configure two VPN tunnels:

  • Between ASA1 and ASA2.
  • Between ASA1 and ASA3.

ASA1 will use a static IP address, and ASA2/ASA3 have dynamic IP addresses. Let’s look at the configuration…

Most of our work will be on ASA1. Let’s start there.

ASA1 – Static IP

First, we have to configure the IKEv1 policy:

ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# authentication pre-share 
ASA1(config-ikev1-policy)# encryption aes-256
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2

It doesn’t matter which parameters we use here, as long as they are the same on all ASAs. Since ASA1 is using a static IP address, we can use its address as the identity:

ASA1(config)# crypto isakmp identity address 
ASA1(config)# crypto ikev1 enable OUTSIDE

Make sure IKEv1 is enabled on the outside interface. Now we can configure the tunnel-groups, one for each ASA:

ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l
ASA1(config)# tunnel-group ASA1_ASA2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA2_KEY
ASA1(config)# tunnel-group ASA1_ASA3 type ipsec-l2l
ASA1(config)# tunnel-group ASA1_ASA3 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA3_KEY

We will use a different pre-shared key for each ASA. When you configure the tunnel-groups, you’ll get a warning like this:

WARNING: For IKEv1, L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digital Certificates and/or The peer is 
configured to use Aggressive Mode

This is something you need to keep in mind. Since we are using dynamic IP addresses and pre-shared keys on ASA2 and ASA3, we’ll have to use aggressive mode.

Let’s continue; we’ll have to create a transform-set. It doesn’t matter which security parameters we pick as long as they match on ASA2 and ASA3:

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

Let’s add two access-lists that define the traffic that we want to encrypt:

ASA1(config)# access-list LAN1_LAN2 extended permit ip
ASA1(config)# access-list LAN1_LAN3 extended permit ip
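Two things in this lesson are easy to get wrong: the IKEv1 policy must be identical on every ASA, and a tunnel-group named by something other than an IP address only works with a pre-shared key if the peer uses aggressive mode (the ASA warning above). The following checker is an added example, not part of the lesson; the sample configs are constructed and deliberately contain a hash mismatch on ASA2.

```python
import re
# Constructed sample configs (not from the lesson): static hub ASA1 and dynamic peer ASA2.
ASA1_CFG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
tunnel-group 203.0.113.5 type ipsec-l2l
"""
ASA2_CFG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
"""

def ikev1_policies(cfg):
    """Map policy priority -> {attribute: value} for each 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            current.update([line.split(None, 1)])  # e.g. " hash sha" -> {"hash": "sha"}
        else:
            current = None  # any other top-level line ends the policy block
    return policies

def phase1_mismatch(cfg_a, cfg_b):
    """Attributes that differ in the closest pair of IKEv1 policies; [] means phase 1 can agree."""
    diffs = [sorted(k for k in pa.keys() | pb.keys() if pa.get(k) != pb.get(k))
             for pa in ikev1_policies(cfg_a).values() for pb in ikev1_policies(cfg_b).values()]
    return min(diffs, key=len) if diffs else ["no ikev1 policy"]

def named_psk_tunnel_groups(cfg):
    """L2L tunnel-groups not named by an IP that use a PSK: these need aggressive mode on the peer."""
    flagged = []
    for name in re.findall(r"tunnel-group (\S+) type ipsec-l2l", cfg):
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):
            continue  # IP-named group: main mode identifies the peer by its address
        block = re.search(rf"tunnel-group {re.escape(name)} ipsec-attributes\n((?: .*\n)*)", cfg)
        if block and "ikev1 pre-shared-key" in block.group(1):
            flagged.append(name)
    return flagged
```

Run it against `show running-config` output from each ASA before bringing a tunnel up; a non-empty `phase1_mismatch` result names the attribute to fix, and every name returned by `named_psk_tunnel_groups` is a peer that must be configured for aggressive mode.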

We can only attach a single crypto map to the outside interface, so when we have multiple dynamic peers, we’ll have to use multiple dynamic maps. Let’s create two, one for each ASA:


Forum Replies

  1. Hi Rene,

    I am using GNS3 ASAv for the above lab. The configuration is perfectly fine; however, the VPN would not come up. There is a warning message I see on GNS3 as below. Not sure if that is the reason or something else. Can you assist?

    Warning: ASAv platform license state is Unlicensed.
    Install ASAv platform license for full functionality.

  2. Hi Rene
    In this topology, must the peering IP of IPsec be in the same network?

  3. After adding: crypto map Outside_map 1 set ikev1 phase1-mode aggressive
    My tunnel dropped and stopped working.


    HomeASA(config)# show version
    Cisco Adaptive Security Appliance Software Version 9.1(7)16
    Device Manager Version 7.7(1)150
    Compiled on Thu 30-Mar-17 17:39 by builders
    System image file is "disk0:/asa917-16-k8.bin"
    Config file at boot was "startup-config"
    HomeASA up 2 hours 10 mins
    Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
    Internal ATA Compact Flash, 256MB
    BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
    Encryption hardware de
    ... Continue reading in our forum

  4. Hi Adrian,

    What do you use to identify your ASA with the dynamic IP to the remote ASA with static IP? Take a look at this example:

    I use this on my dynamic pee

    ... Continue reading in our forum

  5. Hello Maciej

    If you are getting the “There is no valid IKE proposal available, check IPSec SA configuration!” message then this means that there is a mismatch in the configuration of the peers. Verify that your config does indeed match on both ends.

    I hope this has been helpful!

