Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 823
  • Last Modified:

Cisco 837: building a site to site vpn with dynamic ip addresses

Hi all

I have 2 sites with Cisco 837 adsl connection and dynamic adresses.
I could build my vpn tunnel by entering a fixed IP addressin SDM, but how to built it with hostname instead of IP address?

Nota: IOS 12.3(4)T and SDM ver2

Thank you for your advice
eric
0
emaud
Asked:
emaud
  • 3
1 Solution
 
plemieux72Commented:
I have never built a VPN tunnel between two dynamic addresses.  A tunnel between one dynamic and one static is defintely possible.  For the sake of stability, I recommend obtaining a static for one of the two sites.  

However, check out the new IPSec profiles introduced in 12.2(15)T... it "seems" like you might be able to configure profiles matching a FQDN instead of an IP address.  Please post your results as I am also interested in knowing if this can be done.
Here is an article that could point you to the right direction:
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Good luck
0
 
emaudAuthor Commented:
Hi Plemieux72,

thanks again for your reply. Unfortunately, your article is password-protected and my CCO ID is not authorized.
eric
0
 
plemieux72Commented:
If you get a SmartNet for your 837's, you will have access to all these great Cisco articles... I am not sure why they restrict access but it's worth the $$.  For now, here is a part of the article.  Just keep in mind, this is based on one static and one dynamic:

Network Diagram
This document uses the network setup shown in this diagram.

10.1.1.0/24 --- HubRouter 10.48.67.181 ------ Internet ------ DHCPobtainedAddress SpokeRouter ------ 10.2.2.0/24
                                                                             |------ VPN Client
Configurations


HubRouter Configuration
 
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hub
!
no logging on
!
username gfullage password 7 0201024E070A0E2649
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local  
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!  
!  

!--- Keyring that defines wildcard pre-shared key.
 
crypto keyring spokes  
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!  
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2  
!  

!--- VPN Client configuration for group "testgroup"
!--- (this name is configured in the VPN Client).
 
crypto isakmp client configuration group testgroup
 key cisco321
 dns 1.1.1.1 2.2.2.2
 wins 3.3.3.3 4.4.4.4
 domain cisco.com
 pool ippool
!

!--- Profile for LAN-to-LAN connection, that references
!--- the wildcard pre-shared key and a wildcard
!--- identity (this is what is broken in
!--- Cisco bug ID CSCea77140) and no XAuth.

crypto isakmp profile L2L
   description LAN-to-LAN for spoke router(s) connection
   keyring spokes
   match identity address 0.0.0.0  

!--- Profile for VPN Client connections, that match
!--- the "testgroup" group and defines the XAuth properties.
 
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group testgroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!  
!  
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!  

!--- Two instances of the dynamic crypto map
!--- reference the two IPSec profiles above.
 
crypto dynamic-map dynmap 5
 set transform-set myset  
 set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
 set transform-set myset  
 set isakmp-profile L2L
!  
!  

!--- Crypto-map only references the two
!--- instances of the dynamic crypto map above.
 
crypto map mymap 10 ipsec-isakmp dynamic dynmap  
!  
!  
!  
interface FastEthernet0/0
 description Outside interface
 ip address 10.48.67.181 255.255.255.224
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map mymap
!  
interface FastEthernet0/1
 description Inside interface
 ip address 10.1.1.1 255.255.254.0
 
 duplex auto
 speed auto
 no keepalive
!  
ip local pool ippool 10.5.5.1 10.5.5.254
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.181  

!  
!  
call rsvp-sync
!  
!  
dial-peer cor custom
!  
!  
line con 0
 exec-timeout 0 0
 escape-character 27
line aux 0
line vty 0 4
 password 7 121A0C041104
!
!
end
 

SpokeRouter Configuration
 
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke
!
no logging on
!
ip subnet-zero
no ip domain lookup
!
ip cef
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.48.67.181
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!

!--- Standard crypto map on the spoke router
!--- that references the known hub IP address.

crypto map mymap 10 ipsec-isakmp  
 set peer 10.48.67.181
 set transform-set myset  
 match address 100
!
!
controller ISA 5/1
!
!
interface FastEthernet0/0
 description Outside interface  

 ip address dhcp
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 description Inside interface
 ip address 10.2.2.2 255.255.255.0
 duplex auto
 speed auto
 no keepalive
!
interface ATM1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.100.2.3
no ip http server
no ip http secure-server
!
!

!--- Standard access-list that references traffic to be
!--- encrypted. This is the only thing that needs
!--- to be changed between different spoke routers.

access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end
0
 
plemieux72Commented:
I think I've answered the question... and provided the info from the article.  Any points should be awarded to me?
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now