Cisco 800 series to Cisco 800 series VPN (with dynamic public WAN IP)

rtptucks asked:

Ok

I have one main office and 4 remote sites.

All remote sites need a VPN IPsec connection to the main office.

3 of these sites have successful VPNs because all have static IPs; however, the 4th site unfortunately has a dynamic IP assigned from its ISP.

When trying to set up the VPN I set the peer address as an FQDN (from dyndns.org); however, the Cisco translates this and replaces it with its IP, so if the site was to be issued with a new IP the VPN tunnel would be broken until I replaced the IP again.

Surely there must be some config to sort this out? Even cheap routers can do VPNs to dynamic IPs.

Any help would be greatly appreciated.
Net-P commented:
OFFICE Router IPSec Policy - Phase II

##################################

remove this dynamic crypto map:

crypto dynamic-map SDM_CMAP_1 10

##################################

create a static crypto map entry for the outside map and attach the dynamic one:

crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic SDM_CMAP


##################################


see attached file

cryptos.txt

Net-P commented:
You can add the peer IP address 0.0.0.0 (any) on the main office router.
But the tunnel will be initiated unidirectional from the remote site only.

rtptucks (author) commented:
How does it know what SA password to use?

crypto isakmp key password address 0.0.0.0
crypto isakmp key password address 195.54.*.8
crypto isakmp key password address 195.54.*44

Then how will it know which crypto map to bind it to?
Net-P commented:
The crypto map will be negotiated through the proposals from both routers.

If there is no dedicated key for a peer, the key for the 0.0.0.0 peer will be used.
This applies to all peers, so use strong keys.
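Putting the two points Net-P makes together (a static crypto map entry per fixed-IP site, a dynamic map entry as the fallback for the site whose address is unknown, and a wildcard pre-shared key that is only used when no per-address key matches), the following is an added example of what the two ends could look like. It is not the thread's attached cryptos.txt, OFFICE.txt or Dynamic-Site.txt, and it is not Cisco's configuration example: the map and transform-set names, the ISAKMP policy, the LAN subnets (192.168.x.0/24), the access-list numbers, the key strings and the Dialer0 WAN interface are all assumptions; only the public peer addresses are the ones quoted in the thread.

```cisco
! ===== Main office router (public IP 195.54.234.15) =====
! Phase 1: one ISAKMP policy offered to every peer (assumed values)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared keys. Each static peer gets its own key; the wildcard
! (0.0.0.0 0.0.0.0) key is only consulted when no dedicated key matches.
! Because the wildcard key is accepted from any source address, it must
! be long and random, and should not be reused as any static peer's key.
crypto isakmp key STATIC-SITE-1-KEY-CHANGEME address 195.54.253.92
crypto isakmp key STATIC-SITE-2-KEY-CHANGEME address 195.54.244.232
crypto isakmp key DYNAMIC-SITE-KEY-CHANGEME address 0.0.0.0 0.0.0.0
!
! Dead peer detection: when the remote's address changes, the old SA is
! torn down instead of lingering next to the new one.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic map: no "set peer", so any address that authenticated with a
! valid key can match it. "match address" restricts which traffic the
! dynamic site is allowed to propose for protection.
crypto dynamic-map DYN-MAP 10
 set transform-set ESP-AES256-SHA
 match address 103
!
! Static entries first: lower sequence numbers are evaluated first.
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 195.54.253.92
 set transform-set ESP-AES256-SHA
 match address 101
crypto map OUTSIDE-MAP 20 ipsec-isakmp
 set peer 195.54.244.232
 set transform-set ESP-AES256-SHA
 match address 102
! Dynamic entry last, with the highest sequence number, so it only
! catches peers that no static entry claimed.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
!
! Interesting traffic (office LAN 192.168.1.0/24 is a constructed placeholder,
! as are the remote LANs)
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
!
interface Dialer0
 crypto map OUTSIDE-MAP

! ===== Dynamic-IP site router (its own address changes) =====
! This side always knows the office address, so it keeps an ordinary
! static entry and is the only side that can initiate the tunnel.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key DYNAMIC-SITE-KEY-CHANGEME address 195.54.234.15
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 195.54.234.15
 set transform-set ESP-AES256-SHA
 match address 101
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
interface Dialer0
 crypto map OUTSIDE-MAP
```

Two things to check after applying something like this: `show crypto isakmp sa` on both ends should show a single QM_IDLE entry per peer once the remote has initiated (an extra entry marked "(deleted)" is a stale SA awaiting cleanup, which the keepalive configuration above is there to shorten), and the office must never be the first to send traffic towards the dynamic site, because the dynamic map entry has no peer to send to until that site has connected.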

rtptucks (author) commented:
Ok

I have tried all sorts to get this to work and still unsuccessful; I've done some reading on Cisco's website which is pretty useful:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

However I already have static cryptos configured and can't seem to get it running in conjunction with a dynamic map?

From the dynamic site, when running the following command:

wentworthway#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.234.15   86.13.165.130   QM_IDLE           1004    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       1003    0 ACTIVE (deleted)

Then the main office site which has the static VPNs:

tomsons_office#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.253.92   195.54.234.15   QM_IDLE           2002    0 ACTIVE
195.54.234.15   86.13.165.130   QM_IDLE           2043    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       2042    0 ACTIVE (deleted)
195.54.244.232  195.54.234.15   QM_IDLE           2007    0 ACTIVE

You can see the static VPNs are active and seem okay; also the dynamic one is in twice?? One seems active, the other is in NO_STATE?

Your help will be GREATLY appreciated; I am going to increase more points for this.

OFFICE.txt
Dynamic-Site.txt

rtptucks (author) commented:
Nice one! That worked!!!

I've also got 250 points up for grabs on this question:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23504419.html

I'm sure you will be able to crack that one! It's basically so I can route between all the VPNs via the Office site rather than creating IPsec tunnels to each router-to-router.

What would you say is best?

Regards
Question has a verified solution.