So from what I understand, your match address command for map 11 using VPN-ACL1 is working correctly, right? But when you add the match address for the other sites (12, 13 etc) those don’t seem to work. Traffic stops functioning on them, right?
The ACLs are used to match interesting traffic, that is, traffic that should be tunneled and encrypted. Without those ACLs indicating what is interesting traffic, the config is incomplete. So you should have a separate ACL that indicates the interesting traffic for each of your tunnels. Can you give us a little more information about the behavior you are experiencing so that we can help you further?
Exactly so!
What’s happening is that if I put up the statement on those specific tunnels as well, the traffic stops.
So let say that I would add:
crypto map dyn-map 12 match address VPN-ACL2
The site 12 would stop working, and the tunnel wouldn’t go up; if I remember correctly it says something about not having any “interesting” traffic.
This happens for the rest of the tunnels as well.
The strange thing is that the tunnel works as expected when the configuration is “incomplete” but not when I complete the configuration by adding “Match address”.
Forgot to mention that I am working on ASA routers for all sites.
This is the configuration on the other side: Site 12.
access-list VPN-ACL extended permit ip 192.168.27.0 255.255.255.240 192.168.20.0 255.255.255.0
crypto map VPNMAP 12 match address VPN-ACL
crypto map VPNMAP 12 set peer XXX.XXX.XXX.XXX
crypto map VPNMAP 12 set ikev1 transform-set THN_VPN2
crypto map VPNMAP interface outside
It should not work when it’s incomplete, but it does. And it should work when it’s complete, which it doesn’t. So the configuration has to be incomplete on the main site for it to work. Can I be missing some proxy commands after the ACL statement?
I have gone over every textbook and also your site on how to set this up (they are exactly the same configuration).
This sounds like a strange situation. If you have no crypto maps referencing ACLs to define interesting traffic, and yet your tunnels are up and running, something else must be matching to create interesting traffic. Also you mentioned that when you apply the ACL, the tunnel would go down and an error message about not having any interesting traffic appears? Can you elaborate on that? Where do you see it and under what circumstances?
I suggest you use some debugs on your topology to determine how traffic is matched and sent through the tunnel. You can use one or more of the following:
debug crypto ipsec
debug crypto isakmp
debug crypto ikev2 protocol
debug crypto ikev2 platform
debug crypto ikev2 internal
debug access-list
Let us know how you get along in your troubleshooting, and share with us your results so we can help you further.
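As an added illustration of the two points raised above (every crypto map sequence needs its own match address ACL, and the ACL on each peer must be the mirror image of the other side's), here is a small Python checker that parses ASA-style `access-list` and `crypto map` lines and flags incomplete map entries or non-mirrored interesting-traffic ACLs. It is not code from the thread or from Cisco; the hub-side config, the 192.168.26.0/24 network and the 198.51.100.x peer addresses are constructed, while the Site 12 lines are the ones posted above.

```python
"""Sanity-check ASA crypto map entries and interesting-traffic ACLs (added example)."""
import re
from ipaddress import ip_network

# Simplified statement shapes: only 'permit ip' crypto ACLs and the three
# crypto map settings discussed in the thread are recognised.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)$")
REQUIRED = ("match address", "set peer", "set ikev1 transform-set")


def parse_asa(text):
    """Collect crypto-ACL entries and per-sequence crypto map settings from config text."""
    acls, maps = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
            continue
        m = MAP_RE.match(line)
        if m:
            mapname, seq, key, value = m.groups()
            maps.setdefault((mapname, int(seq)), {})[key] = value
    return {"acls": acls, "maps": maps}


def check_entries(cfg):
    """Report each crypto map sequence that lacks a required statement or that
    references an ACL which is not defined in the same config."""
    findings = []
    for (mapname, seq), entry in sorted(cfg["maps"].items()):
        for key in REQUIRED:
            if key not in entry:
                findings.append(f"crypto map {mapname} {seq}: missing '{key}'")
        acl = entry.get("match address")
        if acl is not None and acl not in cfg["acls"]:
            findings.append(f"crypto map {mapname} {seq}: ACL {acl} is not defined")
    return findings


def mirrors(local_acl, remote_acl):
    """True when the remote crypto ACL is exactly the local one with src/dst swapped."""
    return {(s, d) for s, d in local_acl} == {(d, s) for s, d in remote_acl}


# Constructed hub config: sequence 11 is complete, sequence 12 lacks its match address.
HUB_CONFIG = """
access-list VPN-ACL1 extended permit ip 192.168.20.0 255.255.255.0 192.168.26.0 255.255.255.0
access-list VPN-ACL2 extended permit ip 192.168.20.0 255.255.255.0 192.168.27.0 255.255.255.240
crypto map dyn-map 11 match address VPN-ACL1
crypto map dyn-map 11 set peer 198.51.100.11
crypto map dyn-map 11 set ikev1 transform-set THN_VPN2
crypto map dyn-map 12 set peer 198.51.100.12
crypto map dyn-map 12 set ikev1 transform-set THN_VPN2
crypto map dyn-map interface outside
"""

# Site 12 config as posted in the thread (peer address left as the poster's placeholder).
SITE12_CONFIG = """
access-list VPN-ACL extended permit ip 192.168.27.0 255.255.255.240 192.168.20.0 255.255.255.0
crypto map VPNMAP 12 match address VPN-ACL
crypto map VPNMAP 12 set peer XXX.XXX.XXX.XXX
crypto map VPNMAP 12 set ikev1 transform-set THN_VPN2
crypto map VPNMAP interface outside
"""

if __name__ == "__main__":
    hub, site = parse_asa(HUB_CONFIG), parse_asa(SITE12_CONFIG)
    for finding in check_entries(hub) + check_entries(site):
        print(finding)
    print("VPN-ACL2 mirrors Site 12 VPN-ACL:", mirrors(hub["acls"]["VPN-ACL2"], site["acls"]["VPN-ACL"]))
```

Running it reports that `dyn-map 12` has no `match address`, and confirms that the hub's VPN-ACL2 is the mirror of Site 12's VPN-ACL; swapping in an ACL with a different mask (for example 255.255.255.0 instead of 255.255.255.240 on the 192.168.27.0 side) makes `mirrors()` return False, which is the kind of mismatch that leaves one side with no interesting traffic.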