Solved
Cisco 800 series to Cisco 800 series VPN (with dynamic public WAN IP)

Posted on 2008-06-21
Last Modified: 2011-10-19
Ok

I have one main office and 4 remote sites.

All remote sites need a VPN IPsec connection to the main office.

3 of these sites have successful VPNs because all have static IPs; however, the 4th site unfortunately has a dynamic IP assigned from its ISP.

When trying to set up the VPN I set the peer address as an FQDN (from dyndns.org); however, the Cisco translates this and replaces it with its IP, so if the site was to be issued with a new IP the VPN tunnel would be broken until I replaced the IP again.

Surely there must be some config to sort this out? Even cheap routers can do VPNs to dynamic IPs.

Any help would be greatly appreciated.
Question by:rtptucks
6 Comments
 
LVL 1

Expert Comment

by:Net-P
ID: 21854282
You can add the peer IP address 0.0.0.0 (any) on the main office router.
But the tunnel will only be initiated unidirectionally, from the remote site.
 
LVL 2

Author Comment

by:rtptucks
ID: 21854376
How does it know what SA password to use?

crypto isakmp key password address 0.0.0.0
crypto isakmp key password address 195.54.*.8
crypto isakmp key password address 195.54.*44

Then how will it know which crypto map to bind it to?
 
LVL 1

Expert Comment

by:Net-P
ID: 21854457
The crypto map will be negotiated through the proposals from both routers.

If there is no dedicated key for a peer, the key for the 0.0.0.0 peer will be used.
This applies to all peers, so use strong keys.
 
LVL 2

Author Comment

by:rtptucks
ID: 21873854
Ok

I have tried all sorts to get this to work and am still unsuccessful. I've done some reading on Cisco's website, which is pretty useful:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

However, I already have static cryptos configured and can't seem to get it running in conjunction with a dynamic map?

From the dynamic site, when running the following command:

wentworthway#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.234.15   86.13.165.130   QM_IDLE           1004    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       1003    0 ACTIVE (deleted)

Then the main office site, which has the static VPNs:

tomsons_office#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.253.92   195.54.234.15   QM_IDLE           2002    0 ACTIVE
195.54.234.15   86.13.165.130   QM_IDLE           2043    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       2042    0 ACTIVE (deleted)
195.54.244.232  195.54.234.15   QM_IDLE           2007    0 ACTIVE

You can see the static VPNs are active and seem okay, also the dynamic one is in twice?? One seems active, the other is in NO_STATE?

Your help will be GREATLY appreciated, I am going to increase more points for this.

OFFICE.txt
Dynamic-Site.txt
 
LVL 1

Accepted Solution

by:
Net-P earned 375 total points
ID: 21874054
OFFICE Router IPSec Policy - Phase II

##################################

Remove this dynamic crypto map:

crypto dynamic-map SDM_CMAP_1 10

##################################

Create a static crypto map entry for the outside map and attach the dynamic one:

crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic SDM_CMAP

##################################

See attached file.

cryptos.txt
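A worked hub-side configuration that pulls together the two points made in this thread: a wildcard pre-shared key for the peer whose address is not known in advance, and a dynamic crypto map attached as the last entry of the crypto map that already carries the static peers. This is an added example, not the attached cryptos.txt and not the asker's configuration. The two static spoke addresses are the ones visible in the show output above; the map, transform-set and ACL names, the LAN subnets, the Dialer0 interface and the REPLACE-... key strings are assumptions.

```cisco
! Hub ("OFFICE") side only. Spoke WAN addresses come from the show output in
! this thread; everything else (names, subnets, KEY placeholders) is assumed.
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Dedicated keys for the two static-IP spokes ...
crypto isakmp key REPLACE-STATIC-A-KEY address 195.54.253.92
crypto isakmp key REPLACE-STATIC-B-KEY address 195.54.244.232
! ... and one catch-all key. Any peer without a dedicated entry, i.e. the
! dynamic-IP spoke, authenticates with this one, so it must be long and random.
crypto isakmp key REPLACE-CATCH-ALL-KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Dynamic map: deliberately no "set peer"; the hub learns the peer address
! when the spoke connects, so the tunnel can only be brought up by the spoke.
crypto dynamic-map DYN-SPOKE 10
 set transform-set TS-AES
 match address VPN-DYN-SPOKE
!
! Static entries for the known spokes, evaluated first (lowest seq numbers)
crypto map OUTSIDE-MAP 1 ipsec-isakmp
 set peer 195.54.253.92
 set transform-set TS-AES
 match address VPN-SPOKE-A
crypto map OUTSIDE-MAP 2 ipsec-isakmp
 set peer 195.54.244.232
 set transform-set TS-AES
 match address VPN-SPOKE-B
!
! The dynamic map is referenced from the SAME crypto map as the static
! entries, with the highest sequence number, instead of standing on its own.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKE
!
! Interesting traffic: hub LAN 10.0.0.0/24 (assumed) to each spoke LAN (assumed)
ip access-list extended VPN-SPOKE-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended VPN-SPOKE-B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended VPN-DYN-SPOKE
 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
! Only one crypto map can be applied to the WAN interface, which is why the
! dynamic entry has to live inside OUTSIDE-MAP rather than in a separate map.
interface Dialer0
 crypto map OUTSIDE-MAP
```

Two things to keep in mind when running something like this. First, the 0.0.0.0 key is shared by every peer that has no dedicated entry, so it is worth treating it as the weakest credential on the hub: keep it long and random, and where the routers support it, certificate authentication (`authentication rsa-sig` in the ISAKMP policy) removes the shared wildcard secret altogether. Second, the duplicate `MM_NO_STATE ... (deleted)` row in the show output above is a stale Phase 1 SA left behind by an earlier failed negotiation, not a second live tunnel; it ages out on its own, or `clear crypto isakmp <conn-id>` removes it immediately.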
 
LVL 2

Author Comment

by:rtptucks
ID: 21874264
Nice one! That worked!!!

I've also got 250 points up for grabs on this question:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23504419.html

I'm sure you will be able to crack that one! It's basically so I can route between all the VPNs via the Office site rather than creating IPsec tunnels router-to-router.

What would you say is best?

Regards
