RE: Possible to have L2L IPSEC (Dynamic IP address) clients and

From: Ryan West <rwest_at_zyedge.com>
Date: Thu, 13 May 2010 21:23:12 +0000

Martin,

> -----Original Message-----
> Sent: Thursday, May 13, 2010 5:12 PM
> To: Cisco certification
> Subject: OT: Possible to have L2L IPSEC (Dynamic IP address) clients and
> regular IPSEC VPN Clients (Dynamic IP address) connecting to the same
> ASA/PIX(Static IP address)
>
> OT: Possible to have L2L IPSEC (Dynamic IP address) clients[IOS] and regular
> IPSEC VPN Clients (Dynamic IP address) connecting to the same ASA/PIX(Static
> IP address)
>
> Disclaimer: "I'm not a firewall guy"
>
> Hi All,
>
> As the subject line says; I've got an odd requirement for a customer to have
> a last minute ultra urgent branch office turned up but the only connectivity
> option available is a dynamic IP address based Internet link, thus moving
> away from the existing / known working setups.
>
> This ASA already has IPSEC VPN Clients (Cisco clients running on Windows)
> that connect and work fine.
>
> It would seem as if it's possible, but I think I must be missing some config
> at the ASA/PIX end, the unit connects, negotiates Phase 1, then fails
> (deletes the SA) with no errors in debug crypto isakmp sa pointing to the
> issue that I can see.
>
> The ultra urgency and last minute being the part which is causing me to ask
> here rather than build the lab, configure, test, configure test which would
> be my preferred option.
>
> If anyone could tell me it definitely can work that would be a big help,
> even better if anyone can note the specific requirements (config) for it to
> work.
>

Can you post part of your config? show run crypto, show run isakmp, and show run access-list for the access-lists involved.

You can enable a crypto peer with an any address to bring up phase 1, then your phase 2 traffic would need to match inversely as normal. The tunnel needs to be initiated from the dynamic end of course. You can also configure the remote end to act as an EzVPN client and use NEM.

-ryan
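The "peer with an any address" approach Ryan describes, written out as an ASA 8.x-era configuration. This is an added example, not config from the thread or from Cisco; the interface name, map, transform-set and group names, subnets and the placeholder keys are all assumed, and the existing remote-access group is shown only as far as it matters for coexistence.

```cisco
! Phase 1 policy shared by the VPN Clients and the dynamic-IP branch router
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 transform set (assumed name)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Dynamic crypto map: no "set peer", so a peer at any address can negotiate.
! Both the Windows clients and the branch router land on this entry.
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
!
! Highest sequence number = lowest priority, so any static L2L entries
! already in OUTSIDE_MAP are tried before the catch-all dynamic entry.
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE_MAP interface outside
!
! The IOS router identifies itself by its (changing) IP address, which the
! ASA cannot match to a named group, so it falls into DefaultL2LGroup.
! This key effectively means "any source IP with this PSK": keep it long,
! unique to this branch, and rotate it when the branch is later given a
! static address and its own tunnel-group.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <branch-psk-placeholder>
!
! Existing VPN Client users are matched by group name (aggressive mode),
! so they keep their own group and do not collide with the L2L peer.
tunnel-group VPNCLIENTS type remote-access
tunnel-group VPNCLIENTS ipsec-attributes
 pre-shared-key <client-psk-placeholder>
!
! NAT exemption for the branch subnet (constructed addresses). The router's
! crypto ACL must be the mirror image of this, or phase 2 will not match.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Because the ASA only learns the branch address when the router initiates, the tunnel must always be brought up from the dynamic side; `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA confirm which tunnel-group a peer actually landed in.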

Received on Thu May 13 2010 - 21:23:12 ART