Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peer

In a previous lesson, I explained how to configure a site-to-site IPsec IKEv1 VPN between two Cisco ASA firewalls. What if one of the ASA firewalls has a dynamic IP address?

You could take a gamble and configure the IP address manually but as soon as your ISP gives you another IP address, your VPN will collapse.

In this lesson, I’ll show you how to configure a site-to-site IPsec VPN but we’ll use a dynamic IP address on one of the ASAs. Here’s the topology we will use:

ASA1 ASA2 R1 R2 IPSEC site to site VPN

ASA1 will use a static IP, ASA2 will use a dynamic IP address.


We’ll have to configure phase 1 and 2. I’ll show you the similarities and differences between the two ASA firewalls.

Phase 1 Configuration

We will start with the IKEv1 policy. This will be the same on both ASAs so let’s create a policy:

(config)# crypto ikev1 policy 10
(config-ikev1-policy)# authentication pre-share
(config-ikev1-policy)# encryption aes
(config-ikev1-policy)# hash sha
(config-ikev1-policy)# group 2
(config-ikev1-policy)# lifetime 3600

And we will enable it on both firewalls:

(config)# crypto isakmp identity address 
(config)# crypto ikev1 enable OUTSIDE

Now we have to configure a tunnel-group. This will be different…

Tunnel-Group Static Peer ASA1

Normally we configure an IP address of the remote peer in our tunnel-group. Since the remote peer is using a dynamic IP address, this is no option. One option is to use the “DefaultL2LGroup” tunnel-group for this. This is a built-in tunnel-group and all connections that don’t match another tunnel-group will belong to this group:

ASA1(config)# tunnel-group DefaultL2LGroup ipsec-attributes 
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

The advantage of using the DefaultL2LGroup is that it’s simple to configure. We add a pre-shared key and that’s it. The downside is that you can only configure a single pre-shared key for all dynamic peers. If you have more than one dynamic peer then it’s probably a better idea to create multiple tunnel-groups. This is something I will explain in another lesson.

Tunnel-Group ASA2 Dynamic Peer

On ASA2 we can use a “normal” tunnel-group where we specify our IP address:

ASA2(config)# tunnel-group type ipsec-l2l
ASA2(config)# tunnel-group ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

This completes the phase 1 configuration. Let’s work on phase 2…

Phase 2 configuration

We will start with the transform-set. We can use the same on both ASAs:

(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

Our next step is to create some access-lists that define what traffic should be encrypted:

ASA1(config)# access-list LAN1_LAN2 extended permit ip
ASA2(config)# access-list LAN2_LAN1 extended permit ip

Now we should configure the crypto map. This part will be different.

Crypto Map Static Peer ASA1

Normally we have to specify the remote peer IP address in the crypto map but that’s something we can’t do on ASA1. We have to use a dynamic map:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 731 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

511 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Hi Rene,

    I am using GNS3 ASAv for above lab. configuration is perfectly fine however vpn would not come up. There is a warning message I see on GNS3 as below. Not sure if that is reason or something else. Can you assiste?

    Warning: ASAv platform license state is Unlicensed.
    Install ASAv platform license for full functionality.

  2. After adding: crypto map Outside_map 1 set ikev1 phase1-mode aggressive
    My tunnel dropped and stopped working.


    HomeASA(config)# show version
    Cisco Adaptive Security Appliance Software Version 9.1(7)16
    Device Manager Version 7.7(1)150
    Compiled on Thu 30-Mar-17 17:39 by builders
    System image file is "disk0:/asa917-16-k8.bin"
    Config file at boot was "startup-config"
    HomeASA up 2 hours 10 mins
    Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
    Internal ATA Compact Flash, 256MB
    BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
    Encryption hardware de
    ... Continue reading in our forum

  3. Hello Maciej

    If you are getting the “There is no valid IKE proposal available, check IPSec SA configuration!” message then this means that there is a mismatch in the configuration of the peers. Verify that your config does indeed match on both ends.

    I hope this has been helpful!


  4. Hello Pavan

    When implementing the configuration of this lesson on a real world application with commercial ISP routers, you have to keep a few things in mind. In the lesson, the two ASAs were on the same subnet (this subnet simulated the Internet or some other large network), but in the real world, there are various other mechanisms that exist between the two ASAs that can disrupt the formation of a tunnel.

    Questions you should consider include:

    1. Is NAT running on the commercial routers at each site?
    2. Are the commercial routers running additional firewall featu
    ... Continue reading in our forum

  5. Hello Irfan

    Yes, if you create a connection profile using ASDM, it is created, and you can see it, even through the other side is not yet configured.

    I hope this has been helpful! Stay healthy and safe!


20 more replies! Ask a question or join the discussion by visiting our Community Forum