Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peer

In a previous lesson, I explained how to configure a site-to-site IPsec IKEv1 VPN between two Cisco ASA firewalls. What if one of the ASA firewalls has a dynamic IP address?

You could take a gamble and configure the IP address manually but as soon as your ISP gives you another IP address, your VPN will collapse.

In this lesson, I’ll show you how to configure a site-to-site IPsec VPN but we’ll use a dynamic IP address on one of the ASAs. Here’s the topology we will use:

ASA1 ASA2 R1 R2 IPSEC site to site VPN

ASA1 will use a static IP, ASA2 will use a dynamic IP address.

Configuration

test


We’ll have to configure phase 1 and 2. I’ll show you the similarities and differences between the two ASA firewalls.

Phase 1 Configuration

We will start with the IKEv1 policy. This will be the same on both ASAs so let’s create a policy:

ASA1 & ASA2
(config)# crypto ikev1 policy 10
(config-ikev1-policy)# authentication pre-share
(config-ikev1-policy)# encryption aes
(config-ikev1-policy)# hash sha
(config-ikev1-policy)# group 2
(config-ikev1-policy)# lifetime 3600

And we will enable it on both firewalls:

ASA1 & ASA2
(config)# crypto isakmp identity address 
(config)# crypto ikev1 enable OUTSIDE

Now we have to configure a tunnel-group. This will be different…

Tunnel-Group Static Peer ASA1

Normally we configure an IP address of the remote peer in our tunnel-group. Since the remote peer is using a dynamic IP address, this is no option. One option is to use the “DefaultL2LGroup” tunnel-group for this. This is a built-in tunnel-group and all connections that don’t match another tunnel-group will belong to this group:

ASA1(config)# tunnel-group DefaultL2LGroup ipsec-attributes 
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

The advantage of using the DefaultL2LGroup is that it’s simple to configure. We add a pre-shared key and that’s it. The downside is that you can only configure a single pre-shared key for all dynamic peers. If you have more than one dynamic peer then it’s probably a better idea to create multiple tunnel-groups. This is something I will explain in another lesson.

Tunnel-Group ASA2 Dynamic Peer

On ASA2 we can use a “normal” tunnel-group where we specify our IP address:

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

This completes the phase 1 configuration. Let’s work on phase 2…

Phase 2 configuration

We will start with the transform-set. We can use the same on both ASAs:

ASA1 & ASA2
(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

Our next step is to create some access-lists that define what traffic should be encrypted:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA2(config)# access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Now we should configure the crypto map. This part will be different.

Crypto Map Static Peer ASA1

Normally we have to specify the remote peer IP address in the crypto map but that’s something we can’t do on ASA1. We have to use a dynamic map:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

507 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,


Forum Replies

  1. Hi Mark,

    It sounds like your ASA isn’t configured correctly for NAT. It should be configured to translate all traffic from the 192.168.2.0/24 subnet that exits the outside interface UNLESS the destination is 192.168.39.0/24 (the other end of the VPN).

    You can use this example for PAT:

    Cisco ASA PAT configuration

    The only thing left to do is to create an exception for your VPN traffic, like this:

    object network LOCAL_SUBNET
     subnet 192.168.2.0 255.255.255.0
    
     object network REMOTE_SUBNET
     subnet 192.168.39.0 255.255.255.0
    
    nat (LOCAL_SUBNET,OUTSIDE) source stati
    ... Continue reading in our forum

  2. Hi Zaman,

    Aggressive mode can be configured in the crypto map:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive

    And transport mode in the transform set:

    ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET mode ?         
    
    configure mode commands/options:
      transport  mode transport
    

    The first lifetime (ikev1 policy) is for phase 1 and the lifetime in the crypto map is for phase 2.

    Rene

  3. Hello Rene,

    What do the following two commands mean for IKE phase-1 and IKE Phase-2 :

    IKE phase-1:

    ASA1(config-ikev1-policy)# lifetime 4800

    IKE Phase-2:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000

    I think IKE phase-1 will be deleted after 4800(If no traffic on tunnel) and IKE phase-2 will be delete after 3000(If no traffic on tunnel ).If continue traffic flows on the tunnel then what will happen, IKE phase-1 & IKE phase-2 will be re-negotiate after expiration or not??Please explain.

    Many Thanks

    br//
    zaman

  4. We have firewall 5505 where I have created site to site VPN. First time I have created crypto policy with group 2 and then changed to below.

    Phase 1 failure: Mismatched attribute types for class Group Description: Rcv’d: Group 5 Cfg’d: Group 2Group
    192.168.1.1, IP = 192.168.1.1, Received non-routine Notify message: No proposal chosen (14)

    Phase 1 (Main mode)
    Lifetime: 86400s (1 day)
    Encryption: AES256
    Hash: SHA1 Key-Ex:
    Group5
    Phase 2
    Lifetime: 3600s (1 hour)
    Encryption: AES256
    Hash: SHA1
    PFS: Group5
    Below is my firewall config.

    crypto ikev1 policy 170
    authenti

    ... Continue reading in our forum

  5. Hi Rene,

    I modified the network in your example with a few more nodes on each site. The network diagram is attached.

    The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
    Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.

    However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the pi

    ... Continue reading in our forum

74 more replies! Ask a question or join the discussion by visiting our Community Forum