Thank you all for these lessons!
I have attempted to combine several of the ASA lessons together, and set up L2L VPNs between a core and two remote “spoke” locations. There is no connectivity between the spokes, only spoke to hub/core. I was able to get things working with IKEv2 and certificate authentication, but only with one spoke at a time. The configuration that allowed this required the line:
crypto map MADEUP_NAME_MAP interface outside
With a single remote this worked wonderfully, but with two I needed to combine both MADEUP_NAME_MAP and OTHER_MADEUP_NAME_MAP into a dynamic-map, and doing so caused the entire VPN functionality to stop working.
These are the key parts of the hub/core config which allowed this to work for the specified single spoke:
access-list MADEUP_NAME extended permit ip object OBJ-HOSTA 192.168.2.0 255.255.255.0
access-list MADEUP_NAME extended permit ip object OBJ-HOSTB 192.168.2.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-512 sha-384 sha-256 sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map MADEUP_NAME_MAP 11 match address MADEUP_NAME
crypto map MADEUP_NAME_MAP 11 set peer 2.2.2.2
crypto map MADEUP_NAME_MAP 11 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MADEUP_NAME_MAP interface outside
crypto ca trustpoint MY_CA
 enrollment terminal
 fqdn sub1.company.com
 subject-name O=Company, C=US, EA=support@company.com, ST=New-York, CN=sub1.company.com
 serial-number
 keypair sub1.company.com_csr
 crl configure
crypto ca trustpool policy
 auto-import
crypto ikev2 policy 11
 encryption aes-256
 integrity sha512
 group 21
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
When I tried to change the map to a dynamic-map to include both spokes at once, this is what I did:
crypto dynamic-map MADEUP_NAME_MAP 10 match address MADEUP_NAME
crypto dynamic-map MADEUP_NAME_MAP 10 set peer 2.2.2.2
crypto dynamic-map MADEUP_NAME_MAP 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto dynamic-map OTHER_MADEUP_NAME_MAP 10 match address OTHER_MADEUP_NAME
crypto dynamic-map OTHER_MADEUP_NAME_MAP 10 set peer 3.3.3.3
crypto dynamic-map OTHER_MADEUP_NAME_MAP 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic MADEUP_NAME_MAP
crypto map MY_CRYPTO_MAP 20 ipsec-isakmp dynamic OTHER_MADEUP_NAME_MAP
crypto map MY_CRYPTO_MAP interface outside
At this point, the hub and both spokes are able to ping one another, so basic connectivity is established, but show crypto isakmp sa and show crypto ikev2 sa show no connections at all. Does anyone see what I did incorrectly when converting my static maps to dynamic maps?
Sorry I couldn’t get either the code, pre-formatted text, or quotes to display my configs clearly, one line of code per line. Unsure what is going on there. I hope it is readable!
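As an added illustration that is not part of the original post: the hub-side layout that an ASA normally uses for several L2L peers whose addresses are known is a single static crypto map with one entry (sequence number) per spoke, since only one crypto map can be bound to an interface. Dynamic crypto maps are meant for peers whose address is not known ahead of time, and the ASA can only respond to, never initiate, a tunnel through a dynamic map entry. ACL names, the proposal name and the peer addresses are taken from the post; HUB_MAP and the 192.168.3.0/24 subnet behind the second spoke are assumptions. The trustpoint, IKEv2 policy and tunnel-group configuration from the working single-spoke setup are assumed to be present and unchanged, and are not repeated here.

```cisco
! Hub side (added example, not the poster's configuration).
!
! Interesting traffic, one ACL per spoke. OTHER_MADEUP_NAME is assumed to
! mirror MADEUP_NAME for the second spoke's subnet (192.168.3.0/24 assumed).
access-list MADEUP_NAME extended permit ip object OBJ-HOSTA 192.168.2.0 255.255.255.0
access-list MADEUP_NAME extended permit ip object OBJ-HOSTB 192.168.2.0 255.255.255.0
access-list OTHER_MADEUP_NAME extended permit ip object OBJ-HOSTA 192.168.3.0 255.255.255.0
access-list OTHER_MADEUP_NAME extended permit ip object OBJ-HOSTB 192.168.3.0 255.255.255.0
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-512 sha-384 sha-256 sha-1
!
! One static crypto map (HUB_MAP is an assumed name), one entry per known peer.
! Each entry carries its own match ACL, peer address and IPsec proposal.
crypto map HUB_MAP 10 match address MADEUP_NAME
crypto map HUB_MAP 10 set peer 2.2.2.2
crypto map HUB_MAP 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map HUB_MAP 20 match address OTHER_MADEUP_NAME
crypto map HUB_MAP 20 set peer 3.3.3.3
crypto map HUB_MAP 20 set ikev2 ipsec-proposal MY_PROPOSAL
!
! Only one crypto map can be bound to an interface, so bind the combined one
! (and make sure no other map is still applied to outside).
crypto map HUB_MAP interface outside
crypto ikev2 enable outside
```

Each spoke keeps its own single-entry static map pointing at the hub, with an ACL that mirrors the hub's entry for that spoke. To confirm that only HUB_MAP is applied to the outside interface, check `show running-config crypto map`; after interesting traffic from each spoke subnet, `show crypto ikev2 sa` should list one SA per spoke peer.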