Solved

Cisco 800 series to Cisco 800 series VPN (with dynamic public WAN IP)

Posted on 2008-06-21
1,082 Views
Last Modified: 2011-10-19
Ok

I have one main office and 4 remote sites.

All remote sites need a VPN IPsec connection to the main office.

3 of these sites have successful VPNs because all have static IPs; however, the 4th site unfortunately has a dynamic IP assigned from its ISP.

When trying to set up the VPN I set the peer address as an FQDN (from dyndns.org); however, the Cisco translates this and replaces it with its IP, so if the site was to be issued with a new IP the VPN tunnel would be broken until I replaced the IP again.

Surely there must be some config to sort this out? Even cheap routers can do VPNs to dynamic IPs.

Any help would be greatly appreciated.
Question by:rtptucks
6 Comments
 
LVL 1

Expert Comment

by:Net-P
ID: 21854282
You can add the peer IP address 0.0.0.0 (any) on the main office router.
But the tunnel will be initiated unidirectional from the remote site only.
 
LVL 2

Author Comment

by:rtptucks
ID: 21854376
How does it know what SA password to use?

crypto isakmp key password address 0.0.0.0
crypto isakmp key password address 195.54.*.8
crypto isakmp key password address 195.54.*44

Then how will it know which crypto map to bind it to?
 
LVL 1

Expert Comment

by:Net-P
ID: 21854457
The crypto map will be negotiated through the proposals from both routers.

If there is no dedicated key for a peer, the key for the 0.0.0.0 peer will be used.
This applies to all peers, so use strong keys.
 
LVL 2

Author Comment

by:rtptucks
ID: 21873854
Ok

I have tried all sorts to get this to work and am still unsuccessful. I've done some reading on Cisco's website which is pretty useful:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

However, I already have static cryptos configured and can't seem to get it running in conjunction with a dynamic map?

From the dynamic site when running the following command:

wentworthway#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.234.15   86.13.165.130   QM_IDLE           1004    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       1003    0 ACTIVE (deleted)

Then the main office site which has the static VPNs:

tomsons_office#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.253.92   195.54.234.15   QM_IDLE           2002    0 ACTIVE
195.54.234.15   86.13.165.130   QM_IDLE           2043    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       2042    0 ACTIVE (deleted)
195.54.244.232  195.54.234.15   QM_IDLE           2007    0 ACTIVE

You can see the static VPNs are active and seem okay; also the dynamic one is in twice?? One seems active, the other is in NO_STATE?

Your help will be GREATLY appreciated; I am going to increase more points for this.




OFFICE.txt
Dynamic-Site.txt
 
LVL 1

Accepted Solution

by:
Net-P earned 125 total points
ID: 21874054
OFFICE Router IPSec Policy - Phase II

##################################

Remove this dynamic crypto map:

crypto dynamic-map SDM_CMAP_1 10

##################################

Create a static crypto map entry for the outside map and attach the dynamic one:

crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic SDM_CMAP


##################################


See attached file:

cryptos.txt
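A complete hub-side IOS configuration showing the pattern Net-P describes in both answers: dedicated pre-shared keys and static crypto map entries for the fixed-IP spokes, a wildcard 0.0.0.0 key for the dynamic site, and the dynamic map attached as the last, highest-sequence entry of the same crypto map. This is an added example, not the attached cryptos.txt or the asker's config; the addresses (RFC 5737 documentation ranges), key labels, ACL numbers, LAN prefixes, interface name and the map name SDM_DYN are constructed placeholders.

```cisco
! Added example (not the page's attached config). Addresses are RFC 5737
! documentation ranges, keys are placeholders: replace before use.
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Dedicated keys for the static-IP spokes are matched first; the wildcard
! 0.0.0.0 entry is used only for peers with no dedicated key (the dynamic
! site). Because any peer may present it, it must be strong.
crypto isakmp key REPLACE-STATIC-KEY-A address 203.0.113.10
crypto isakmp key REPLACE-STATIC-KEY-B address 203.0.113.20
crypto isakmp key REPLACE-DYNAMIC-KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
! Interesting traffic for the two static spokes (hub LAN 10.0.0.0/24).
access-list 110 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 111 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Dynamic map: no "set peer" and no "match address"; both are learned
! from the spoke's proposal, so only the spoke can bring the tunnel up.
! reverse-route injects a route to the spoke LAN when the SA comes up.
crypto dynamic-map SDM_DYN 10
 set transform-set ESP-AES-SHA
 reverse-route
!
! One crypto map on the WAN interface holds both kinds of entry.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES-SHA
 match address 110
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set ESP-AES-SHA
 match address 111
! The dynamic entry gets the highest sequence number so the static
! entries are evaluated first (the thread used sequence 4; any value
! above the static entries works).
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYN
!
interface FastEthernet4
 crypto map SDM_CMAP_1
```

The dynamic spoke keeps an ordinary static crypto map with set peer pointing at the hub's fixed address and must initiate, so its current source IP appears in show crypto isakmp sa on the hub; an extra MM_NO_STATE (deleted) line beside an active QM_IDLE entry for the same peer is a stale Main Mode attempt awaiting removal, not a second tunnel.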
 
LVL 2

Author Comment

by:rtptucks
ID: 21874264
Nice one! That worked!!!

I've also got 250 points up for grabs on this question:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23504419.html

I'm sure you will be able to crack that one! It's basically so I can route between all the VPNs via the Office site rather than creating IPsec tunnels to each router-to-router.

What would you say is best?

Regards