Today's challenge is to set up an L2L VPN tunnel between a Cisco ASA running IKEv1 and a Cisco 927 with a dynamic IP address. The 927 is behind a NAT firewall, so it has to be managed through the tunnel: the tunnel has to come up without any intervention, and it also has to work without any LAN ports connected.
Stage 1 – ASA Setup for the head end.
The ASA needs to be set up using the dynamic crypto map configuration described in an earlier post:

crypto dynamic-map DYNOMAP 10 set ikev1 transform-set MY_TRANSFORMSET
crypto dynamic-map DYNOMAP 10 set reverse-route
crypto map VPN 999 ipsec-isakmp dynamic DYNOMAP
crypto map VPN interface OUTSIDE
And the special tunnel group for the dynamic L2L peers:

tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
Stage 2 – C927 setup for the IPsec VPN
Normally we would use a tunnel interface, but in this case the ASA does not support that setup, so we are doing the tunnel-less version:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key my_secret_key! address W.X.Y.Z
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel
crypto map GC_MAP 10 ipsec-isakmp
 set peer W.X.Y.Z
 set transform-set MY_TRANSFORM_SET
 match address TRAFFIC
ip access-list extended TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
Then apply this to the WAN port:

interface GigabitEthernet4
 description *** WAN ***
 ip address a.b.c.d 255.255.255.252
 crypto map GC_MAP
Assuming the NAT is set up correctly, that part works fine.
Stage 3 – Keeping the tunnel alive.
I have used an IP SLA object to ping a server on the other side every 5 seconds to trigger the tunnel. This keeps the tunnel up so we can log into the router through it.

ip sla 1
 icmp-echo 192.168.6.10 source-interface Vlan1
 frequency 5
ip sla schedule 1 life forever start-time now
Stage 4 – About these LAN cables
The SLA will not work if the Vlan1 interface is down, and by default Vlan1 only comes up when there is a live cable on one of the router's switch ports. Cisco has a sneaky command to sort this issue out:

interface Vlan1
 description *** LAN ***
 no autostate
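The three router stages above only work if they agree with each other: the peer in crypto isakmp key must be the peer the crypto map uses, the ACL named in match address must exist and the map must be bound to the WAN interface, the SLA probe's source and destination must fall inside that ACL (otherwise the ping is sent in the clear and never triggers the tunnel), and the SLA's source VLAN needs no autostate. The checker below is an added example, not part of this post or any Cisco tool; parse_blocks, acl_to_network and check_config are my own names, the documentation addresses 203.0.113.1 and 198.51.100.2 stand in for W.X.Y.Z and a.b.c.d, and the Vlan1 address 192.168.5.1 is an assumption the post does not show.

```python
import ipaddress
import re

# Constructed sample: the C927 stanzas from this post reassembled as one running-config,
# with documentation addresses in place of W.X.Y.Z / a.b.c.d and an assumed Vlan1 address.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key my_secret_key! address 203.0.113.1
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
crypto map GC_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set MY_TRANSFORM_SET
 match address TRAFFIC
ip access-list extended TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
interface GigabitEthernet4
 ip address 198.51.100.2 255.255.255.252
 crypto map GC_MAP
interface Vlan1
 ip address 192.168.5.1 255.255.255.0
 no autostate
ip sla 1
 icmp-echo 192.168.6.10 source-interface Vlan1
 frequency 5
ip sla schedule 1 life forever start-time now
"""


def parse_blocks(text):
    """Split an IOS config into (command, [subcommands]); subcommands are the indented lines."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def acl_to_network(spec):
    """Convert an ACL address spec (any / host X / X wildcard) into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wild = spec.split()
    w = int(ipaddress.IPv4Address(wild))  # IOS wildcard: set bits are "don't care"
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def check_config(text):
    """Return a list of findings; an empty list means the stanzas are consistent."""
    findings, maps, applied, acls, ifaces, slas, psk_peers = [], {}, {}, {}, {}, {}, set()
    for head, subs in parse_blocks(text):
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", head):
            psk_peers.add(m[1])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", head):
            # "set peer X" -> {"set peer": "X"}, likewise for transform-set and match address
            maps.setdefault(m[1], []).append(dict(s.rsplit(" ", 1) for s in subs if " " in s))
        elif m := re.match(r"ip access-list extended (\S+)", head):
            acls[m[1]] = subs
        elif m := re.match(r"interface (\S+)", head):
            ifaces[m[1]] = subs
            applied.update({s.split()[-1]: m[1] for s in subs if s.startswith("crypto map ")})
        elif m := re.match(r"ip sla (\d+)$", head):
            slas[m[1]] = subs

    interesting = []  # (source, destination) networks from ACLs bound to an applied crypto map
    for name, entries in maps.items():
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
        for e in entries:
            peer, acl = e.get("set peer"), e.get("match address")
            if not (peer and e.get("set transform-set") and acl):
                findings.append(f"crypto map {name}: needs set peer, set transform-set and match address")
            if peer and peer not in psk_peers:
                findings.append(f"no pre-shared key configured for peer {peer}")
            if acl and acl not in acls:
                findings.append(f"access-list {acl} is not defined")
            elif acl and name in applied:
                for line in acls[acl]:
                    if mm := re.match(r"permit ip (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)$", line):
                        interesting.append((acl_to_network(mm[1]), acl_to_network(mm[2])))

    for sid, subs in slas.items():
        probe = [m for s in subs if (m := re.match(r"icmp-echo (\S+) source-interface (\S+)", s))]
        if not probe:
            findings.append(f"ip sla {sid}: no 'icmp-echo ... source-interface' probe")
            continue
        dst, ifname = ipaddress.ip_address(probe[0][1]), probe[0][2]
        src = [m[1] for s in ifaces.get(ifname, []) if (m := re.match(r"ip address (\S+) ", s))]
        if not src:
            findings.append(f"ip sla {sid}: source-interface {ifname} has no IPv4 address")
        elif not any(ipaddress.ip_address(src[0]) in s and dst in d for s, d in interesting):
            findings.append(f"ip sla {sid}: probe {src[0]} -> {dst} does not match the crypto ACL, so it cannot trigger the tunnel")
        if ifname.lower().startswith("vlan") and "no autostate" not in ifaces.get(ifname, []):
            findings.append(f"interface {ifname} lacks 'no autostate'; the probe stops when no switch port is up")
    return findings


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG) or ["OK: crypto map, PSK peer, ACL and SLA probe are consistent"])
```

Feed it the output of show running-config from the router; an empty result means the stanzas line up. The probe check is deliberately done against the crypto ACL rather than the routing table, because that ACL is what decides whether IOS encrypts the ping and therefore whether the SLA can bring the tunnel up on its own.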
So that’s about it!