Cisco Dynamic L2L VPN setup

Today's challenge is to set up an L2L VPN tunnel between a Cisco ASA running IKEv1 and a Cisco 927 with a dynamic IP address. The 927 sits behind a NAT firewall and has to be managed through the tunnel, so the tunnel must come up without any intervention, and it also needs to work with no LAN ports connected.

Stage 1 – ASA Setup for the head end.
The ASA needs to be set up using the dynamic map configuration described in an earlier post:

crypto dynamic-map DYNOMAP 10 set ikev1 transform-set MY_TRANSFORMSET
crypto dynamic-map DYNOMAP 10 set reverse-route
crypto map VPN 999 ipsec-isakmp dynamic DYNOMAP
crypto map VPN interface OUTSIDE

And the special tunnel group for the dynamic L2L. Note that DefaultL2LGroup is the fallback group for any L2L peer that has no tunnel-group of its own, so every dynamic peer authenticates with this one pre-shared key; treat it as a secret shared by all of them and keep it strong.

tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****

Stage 2 – C927 set for IPsec VPN
Normally we would use a tunnel interface, but in this case the ASA does not support that setup, so we are doing a tunnel-less (crypto map) version:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

crypto isakmp key my_secret_key! address W.X.Y.Z

crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel

crypto map GC_MAP 10 ipsec-isakmp
 set peer W.X.Y.Z
 set transform-set MY_TRANSFORM_SET
 match address TRAFFIC

ip access-list extended TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

Then apply the crypto map to the WAN port:

interface GigabitEthernet4
 description *** WAN ***
 ip address a.b.c.d 255.255.255.252
 crypto map GC_MAP

Assuming the NAT in front of the 927 is set up correctly, that part should just work.

Stage 3 – Keeping the tunnel alive.
I have used an SLA object to ping a server on the other side every 5 seconds to trigger the tunnel. This keeps interesting traffic flowing, so we can log into the router via the tunnel.

ip sla 1
 icmp-echo 192.168.6.10 source-interface Vlan1
 frequency 5
ip sla schedule 1 life forever start-time now
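As an added check (example code written for this post, not from the original), the script below confirms that the SLA probe from Stage 3 is matched by the crypto ACL from Stage 2: a probe whose source or destination falls outside the interesting traffic will never bring the tunnel up. It assumes Vlan1 is 192.168.5.1/24, which the post does not state.

```python
import ipaddress
import re

# Constructed IOS excerpt based on the post's Stage 2-4 config.
# The Vlan1 address (192.168.5.1/24) is an assumption; the post does not give it.
IOS_CONFIG = """\
crypto map GC_MAP 10 ipsec-isakmp
 set peer W.X.Y.Z
 match address TRAFFIC
ip access-list extended TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
interface Vlan1
 ip address 192.168.5.1 255.255.255.0
 no autostate
ip sla 1
 icmp-echo 192.168.6.10 source-interface Vlan1
 frequency 5
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'addr wildcard' pair into a network (wildcard = inverted mask)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def crypto_acl_entries(config):
    """Return [(src_net, dst_net)] for the ACL the crypto map uses as 'match address'."""
    acl = re.search(r"^crypto map .*\n(?: .*\n)*? match address (\S+)", config, re.M)[1]
    body = re.search(rf"^ip access-list extended {acl}\n((?: .*\n)*)", config, re.M)[1]
    return [(wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4]))
            for m in re.finditer(r"permit ip (\S+) (\S+) (\S+) (\S+)", body)]

def sla_probe(config):
    """Return (target, source_ip) for the IP SLA icmp-echo, resolving source-interface."""
    m = re.search(r"icmp-echo (\S+) source-interface (\S+)", config)
    src = re.search(rf"^interface {m[2]}\n(?: .*\n)*? ip address (\S+) ", config, re.M)[1]
    return ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(src)

def probe_is_interesting(config):
    """True if the SLA probe falls inside a crypto ACL entry, i.e. it can trigger the tunnel."""
    target, source = sla_probe(config)
    return any(source in s and target in d for s, d in crypto_acl_entries(config))

if __name__ == "__main__":
    print("SLA probe triggers tunnel:", probe_is_interesting(IOS_CONFIG))  # True
```

Run it against the real running-config before relying on the SLA to keep the tunnel up; if it reports False, either the probe target or the source interface is outside the crypto ACL.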

Stage 4 – About these LAN cables
The SLA will not work if the Vlan1 interface is down, and by default Vlan1 only comes up when a live cable is plugged into one of the router's switch ports. Cisco has a sneaky command to sort this issue out:

interface Vlan1
 description *** LAN ***
 no autostate

So that’s about it!
