emaud
Cisco 837: building a site to site vpn with dynamic ip addresses
Hi all
I have 2 sites with Cisco 837 ADSL connections and dynamic addresses.
I could build my VPN tunnel by entering a fixed IP address in SDM, but how do I build it with a hostname instead of an IP address?
Note: IOS 12.3(4)T and SDM ver2
Thank you for your advice
eric
ASKER
Hi Plemieux72,
thanks again for your reply. Unfortunately, your article is password-protected and my CCO ID is not authorized.
eric
If you get a SmartNet for your 837s, you will have access to all these great Cisco articles... I am not sure why they restrict access but it's worth the $$. For now, here is a part of the article. Just keep in mind, this is based on one static and one dynamic:
Network Diagram
This document uses the network setup shown in this diagram.
10.1.1.0/24 --- HubRouter 10.48.67.181 ------ Internet ------ DHCPobtainedAddress SpokeRouter ------ 10.2.2.0/24
|------ VPN Client
Configurations
HubRouter Configuration
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hub
!
no logging on
!
username gfullage password 7 0201024E070A0E2649
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
!
!--- Keyring that defines wildcard pre-shared key.
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
!--- VPN Client configuration for group "testgroup"
!--- (this name is configured in the VPN Client).
crypto isakmp client configuration group testgroup
key cisco321
dns 1.1.1.1 2.2.2.2
wins 3.3.3.3 4.4.4.4
domain cisco.com
pool ippool
!
!--- Profile for LAN-to-LAN connection, that references
!--- the wildcard pre-shared key and a wildcard
!--- identity (this is what is broken in
!--- Cisco bug ID CSCea77140) and no XAuth.
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring spokes
match identity address 0.0.0.0
!--- Profile for VPN Client connections, that match
!--- the "testgroup" group and defines the XAuth properties.
crypto isakmp profile VPNclient
description VPN clients profile
match identity group testgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Two instances of the dynamic crypto map
!--- reference the two IPSec profiles above.
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile L2L
!
!
!--- Crypto-map only references the two
!--- instances of the dynamic crypto map above.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
description Outside interface
ip address 10.48.67.181 255.255.255.224
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
description Inside interface
ip address 10.1.1.1 255.255.254.0
duplex auto
speed auto
no keepalive
!
ip local pool ippool 10.5.5.1 10.5.5.254
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.181
!
!
call rsvp-sync
!
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
escape-character 27
line aux 0
line vty 0 4
password 7 121A0C041104
!
!
end
SpokeRouter Configuration
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke
!
no logging on
!
ip subnet-zero
no ip domain lookup
!
ip cef
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.48.67.181
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Standard crypto map on the spoke router
!--- that references the known hub IP address.
crypto map mymap 10 ipsec-isakmp
set peer 10.48.67.181
set transform-set myset
match address 100
!
!
controller ISA 5/1
!
!
interface FastEthernet0/0
description Outside interface
ip address dhcp
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
description Inside interface
ip address 10.2.2.2 255.255.255.0
duplex auto
speed auto
no keepalive
!
interface ATM1/0
no ip address
shutdown
no atm ilmi-keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.100.2.3
no ip http server
no ip http secure-server
!
!
!--- Standard access-list that references traffic to be
!--- encrypted. This is the only thing that needs
!--- to be changed between different spoke routers.
access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
ASKER CERTIFIED SOLUTION
However, check out the new IPSec profiles introduced in 12.2(15)T... it "seems" like you might be able to configure profiles matching a FQDN instead of an IP address. Please post your results as I am also interested in knowing if this can be done.
Here is an article that could point you to the right direction:
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
Good luck
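The Cisco example above only works because the hub has a fixed address: the spoke points at 10.48.67.181 and the hub accepts anyone who knows the wildcard key. When both ends move, the FQDN approach hinted at in the last comment is the route to try. The following configuration is an added illustration, not part of the thread or of the Cisco article: it shows one site (SiteA) keyed by the peer's hostname instead of its address, with SiteB configured identically and the names swapped. Assumptions are marked inline: the domain example.test, the resolver 192.0.2.53, the key placeholder, and the interface names (copied from the article's spoke; an 837 will use its Dialer/ATM WAN interface instead). Both sites are assumed to publish their current address in DNS (dynamic DNS) before the tunnel is rebuilt, and the `dynamic` keyword on `set peer` should be confirmed with `set peer ?` on 12.3(4)T.

```ios
hostname SiteA
! assumed domain: the router's IKE identity becomes SiteA.example.test
ip domain-name example.test
! assumed resolver; both peers must resolve each other's current address
ip name-server 192.0.2.53
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! send the FQDN as the ISAKMP identity rather than the (changing) IP address
crypto isakmp identity hostname
!
! pre-shared key stored against the peer's FQDN, not a wildcard 0.0.0.0 address;
! IOS resolves the name when it needs the key, so DNS must already be current
crypto keyring peers
 pre-shared-key hostname siteb.example.test key REPLACE-WITH-STRONG-PSK
!
! only a peer presenting the expected FQDN identity lands in this profile
crypto isakmp profile L2L
 keyring peers
 match identity host siteb.example.test
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! dynamic entry: accept SiteB when it initiates from whatever address it has today
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile L2L
!
! static entry: lets SiteA initiate; "dynamic" re-resolves the name for every new SA
crypto map mymap 10 ipsec-isakmp
 set peer siteb.example.test dynamic
 set transform-set myset
 set isakmp-profile L2L
 match address 100
crypto map mymap 20 ipsec-isakmp dynamic dynmap
!
! WAN interface as in the article's spoke; on an 837 apply the map to the Dialer/ATM interface
interface FastEthernet0/0
 description Outside interface
 ip address dhcp
 crypto map mymap
!
interface FastEthernet0/1
 description Inside interface
 ip address 10.1.1.1 255.255.255.0
!
! interesting traffic: SiteA LAN to SiteB LAN (SiteB mirrors this with the subnets swapped)
access-list 100 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
```

Two points worth keeping in mind when adapting this. First, the article's hub accepts `pre-shared-key address 0.0.0.0 0.0.0.0` with a single key shared by every spoke, so any host holding that key can bring up a tunnel as any spoke; keying by hostname narrows that to named peers, but with pre-shared keys the hostname is only as trustworthy as the key and the DNS answer. Second, main mode with a pre-shared key still needs the peer's name to resolve to its current address before the exchange starts, so a stale dynamic-DNS record means a failed negotiation; if that proves fragile, RSA signatures with certificates remove the dependency on addresses altogether. Verify with `show crypto isakmp sa` and `show crypto ipsec sa` after a reconnect, and note the article's spoke still has `no service password-encryption` and a clear-text vty password, which should be changed regardless of the VPN design.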