In a previous lesson, I explained how to configure a site-to-site IPsec VPN between an ASA with a static IP and one with a dynamic IP address. What if you have multiple peers with dynamic IP addresses?
If you want, you can land all these VPN connections on a single tunnel-group, but it might be a better idea to use different tunnel-groups. This allows you to use different pre-shared keys and policies.
In this lesson, you will learn how to configure site-to-site IPsec VPNs with multiple dynamic peers. Here’s the topology we will use:
We will configure two VPN tunnels:
- Between ASA1 and ASA2.
- Between ASA1 and ASA3.
ASA1 will use a static IP address, and ASA2/ASA3 have dynamic IP addresses. Let’s look at the configuration…
Most of our work will be on ASA1. Let’s start there.
ASA1 – Static IP
First, we have to configure the IKEv1 policy:
ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# encryption aes-256
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2
The exact parameters are not important for this lesson, as long as every peer has a policy with matching values. (SHA-1 and DH group 2 are used here to keep the example simple; for production, prefer a stronger Diffie-Hellman group.) Since ASA1 has a static IP address, it can use that address as its IKE identity:
ASA1(config)# crypto isakmp identity address
ASA1(config)# crypto ikev1 enable OUTSIDE
The second command enables IKEv1 on the outside interface; without it, ASA1 will not respond to IKE negotiations at all. Now we can configure the tunnel-groups, one for each remote ASA. The tunnel-group name matters here: it is the identity the remote ASA has to present during IKE so that ASA1 can select the right pre-shared key:
ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l
ASA1(config)# tunnel-group ASA1_ASA2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA2_KEY
ASA1(config)# tunnel-group ASA1_ASA3 type ipsec-l2l
ASA1(config)# tunnel-group ASA1_ASA3 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA3_KEY
We will use a different pre-shared key for each ASA. When you configure the tunnel-groups, you’ll get a warning like this:
WARNING: For IKEv1, L2L tunnel-groups that have names which are not an IP address may only be used if the tunnel authentication method is Digital Certificates and/or The peer is configured to use Aggressive Mode
This warning explains why the tunnel-group names matter. In main mode, the peer's identity is only sent after the Diffie-Hellman exchange, encrypted, so ASA1 would have to select the pre-shared key based on the peer's source IP address, which is exactly what it cannot do for a peer with a dynamic address. In aggressive mode, the peer sends its identity (here, the tunnel-group name) in its first message, so ASA1 can match it to a tunnel-group and its key before authentication. Since ASA2 and ASA3 use dynamic IP addresses and pre-shared keys, they have to use aggressive mode. Keep in mind that aggressive mode sends the identity in cleartext and that the authentication hash in the exchange can be captured and attacked offline to recover a weak pre-shared key, so use long, random keys, or use certificates if you can.
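To show what the other side of this looks like, here is the configuration a peer with a dynamic address needs. This is an added example, not the ASA2 configuration from this lesson; it assumes ASA1's outside address is 203.0.113.1, that ASA2's outside interface is also named OUTSIDE, and it uses the made-up names MY_MAP for the crypto map and LAN2_LAN1 for the access-list:

```cisco
! ASA2 (dynamic IP) - added example, not the lesson's own ASA2 configuration.
! Assumes ASA1's static outside address is 203.0.113.1 (placeholder).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ikev1 enable OUTSIDE
!
! Send the tunnel-group name instead of an IP address as the IKE identity.
! ASA1 uses this ID to select tunnel-group ASA1_ASA2 and its pre-shared key.
crypto isakmp identity key-id ASA1_ASA2
!
! ASA1 has a static address, so this side can name the tunnel-group by IP.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Static crypto map entry: the dynamic side always initiates and must use aggressive mode,
! otherwise ASA1 cannot find the key for an unknown source address.
crypto map MY_MAP 10 match address LAN2_LAN1
crypto map MY_MAP 10 set peer 203.0.113.1
crypto map MY_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_MAP 10 set phase1-mode aggressive
crypto map MY_MAP interface OUTSIDE
```

Because ASA1 has no way to reach a peer whose address it does not know, the tunnel can only be brought up from ASA2's side; send some traffic from 192.168.2.0/24 towards 192.168.1.0/24 and check `show crypto ikev1 sa` and `show crypto ipsec sa` on both ASAs. If the key-id does not exactly match the tunnel-group name on ASA1, the negotiation lands in the default L2L tunnel-group and fails authentication.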
Next, we create a transform-set. As with the IKEv1 policy, the security parameters only have to match what ASA2 and ASA3 use:
ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
Let’s add two access-lists that define the traffic that we want to encrypt:
ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA1(config)# access-list LAN1_LAN3 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
We can only attach a single crypto map to the outside interface, but a crypto map entry can reference a dynamic map instead of a fixed peer, and one crypto map can hold several such entries under different sequence numbers. With multiple dynamic peers, we therefore create multiple dynamic maps, one for each ASA: