Solved

Cisco 800 series to Cisco 800 series VPN (with dynamic public WAN IP)

Posted on 2008-06-21
Last Modified: 2011-10-19
Ok

I have one main office and 4 remote sites

all remote sites need a VPN IPSEC connection to the main office.

3 of these sites have successful VPNs because all have static IPs; however the 4th site unfortunately has a dynamic IP assigned from its ISP.

When trying to set up the VPN I set the peer address as an FQDN (from dyndns.org); however the Cisco translates this and replaces it with its IP, so if the site were to be issued a new IP the VPN tunnel would be broken until I replaced the IP again.

Surely there must be some config to sort this out? Even cheap routers can do VPNs to dynamic IPs.

Any help would be greatly appreciated.
Question by:rtptucks
6 Comments
 
LVL 1

Expert Comment

by:Net-P
ID: 21854282
You can add the peer IP address 0.0.0.0 (any) on the main office router.
But the tunnel will be initiated unidirectional from the remote site only.
 
LVL 2

Author Comment

by:rtptucks
ID: 21854376
How does it know what SA password to use?

crypto isakmp key password address 0.0.0.0
crypto isakmp key password address 195.54.*.8
crypto isakmp key password address 195.54.*44

Then how will it know which crypto map to bind it to?
 
LVL 1

Expert Comment

by:Net-P
ID: 21854457
The crypto map will be negotiated through the proposals from both routers.

If there is no dedicated key for a peer, the key for the 0.0.0.0 peer will be used.
This applies to all peers, so use strong keys.
 
LVL 2

Author Comment

by:rtptucks
ID: 21873854
Ok

I have tried all sorts to get this to work and am still unsuccessful; I've done some reading on Cisco's website which is pretty useful:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

However, I already have static cryptos configured and can't seem to get it running in conjunction with a dynamic map?

From the dynamic site, when running the following command:

wentworthway#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.234.15   86.13.165.130   QM_IDLE           1004    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       1003    0 ACTIVE (deleted)

Then the main office site, which has the static VPNs:

tomsons_office#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.253.92   195.54.234.15   QM_IDLE           2002    0 ACTIVE
195.54.234.15   86.13.165.130   QM_IDLE           2043    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       2042    0 ACTIVE (deleted)
195.54.244.232  195.54.234.15   QM_IDLE           2007    0 ACTIVE



You can see the static VPNs are active and seem okay; also, the dynamic one is in twice?? One seems active, the other is in NO_STATE?

Your help will be GREATLY appreciated; I am going to increase the points for this.




OFFICE.txt
Dynamic-Site.txt
 
LVL 1

Accepted Solution

by:Net-P (earned 125 total points)
ID: 21874054
OFFICE Router IPSec Policy - Phase II

##################################

remove this dynamic crypto map entry:

crypto dynamic-map SDM_CMAP_1 10

##################################

create a static crypto map entry for the outside map and attach the dynamic one:

crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic SDM_CMAP


##################################


see attached file

cryptos.txt
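The following is an added illustration of the arrangement the accepted answer describes, not the contents of the attached cryptos.txt or the poster's running config: the fixed-IP sites keep their own pre-shared keys and the low crypto map sequence numbers, the dynamic map is attached at sequence 4 so it only catches a peer that no static entry claimed, and the 0.0.0.0 key is the fallback for the dynamic-IP site (and, as noted above, for any other peer with no dedicated key). Peer addresses are the ones in the sh crypto isakmp sa output above; the transform-set, ACL and interface names and the key placeholders are assumed.

```cisco
! Added example for the main office router, not the poster's own config.
! TS_AES, ACL_SITE_A, ACL_SITE_B, Dialer0 and the <KEY_*> placeholders are assumed.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Each static peer has a dedicated key. The 0.0.0.0 entry is used for any peer
! without one (here the dynamic-IP site), so it must be a strong key.
crypto isakmp key <KEY_SITE_A> address 195.54.253.92
crypto isakmp key <KEY_SITE_B> address 195.54.244.232
crypto isakmp key <KEY_DYNAMIC_SITE> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha-hmac
!
! Dynamic template: no 'set peer'; the peer address is learned when the
! remote initiates, so this site can only bring the tunnel up from its end.
crypto dynamic-map SDM_CMAP 10
 set transform-set TS_AES
!
! Static entries carry the lowest sequence numbers and are evaluated first.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 195.54.253.92
 set transform-set TS_AES
 match address ACL_SITE_A
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 195.54.244.232
 set transform-set TS_AES
 match address ACL_SITE_B
! (the third static site would take sequence 3 in the same form)
!
! Dynamic entry last, as in the accepted answer: a peer that matched no
! static entry above falls through to the dynamic template.
crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic SDM_CMAP
!
interface Dialer0
 crypto map SDM_CMAP_1
```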
 
LVL 2

Author Comment

by:rtptucks
ID: 21874264
Nice one! that worked!!!

I've also got 250 points up for grabs on this question:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23504419.html

I'm sure you will be able to crack that one! It's basically so I can route between all the VPNs via the Office site rather than creating IPsec tunnels router-to-router for each pair.

What would you say is best?

Regards
