Solved

Cisco 800 series to Cisco 800 series VPN (with dynamic public WAN IP)

Posted on 2008-06-21
Last Modified: 2011-10-19
Ok

I have one main office and 4 remote sites.

All remote sites need a VPN IPsec connection to the main office.

3 of these sites have successful VPNs because all have static IPs; however, the 4th site unfortunately has a dynamic IP assigned from its ISP.

When trying to set up the VPN I set the peer address as an FQDN (from dyndns.org); however, the Cisco translates this and replaces it with its IP, so if the site were to be issued a new IP the VPN tunnel would be broken until I replaced the IP again.

Surely there must be some config to sort this out? Even cheap routers can do VPNs to dynamic IPs.

Any help would be greatly appreciated.
Question by: rtptucks

Expert Comment by: Net-P
You can add the peer IP address 0.0.0.0 (any) on the main office router.
But the tunnel can then only be initiated unidirectionally, from the remote site.

Author Comment by: rtptucks
How does it know which SA password to use?

crypto isakmp key password address 0.0.0.0
crypto isakmp key password address 195.54.*.8
crypto isakmp key password address 195.54.*44

Then how will it know which crypto map to bind it to?

Expert Comment by: Net-P
The crypto map will be negotiated through the proposals from both routers.

If there is no dedicated key for a peer, the key for the 0.0.0.0 peer will be used.
This applies to all peers, so use strong keys.

Author Comment by: rtptucks
Ok

I have tried all sorts to get this to work and am still unsuccessful. I've done some reading on Cisco's website, which is pretty useful:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

However, I already have static cryptos configured and can't seem to get it running in conjunction with a dynamic map?

From the dynamic site, when running the following command:

wentworthway#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.234.15   86.13.165.130   QM_IDLE           1004    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       1003    0 ACTIVE (deleted)

Then the main office site, which has the static VPNs:

tomsons_office#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.54.253.92   195.54.234.15   QM_IDLE           2002    0 ACTIVE
195.54.234.15   86.13.165.130   QM_IDLE           2043    0 ACTIVE
195.54.234.15   86.13.165.130   MM_NO_STATE       2042    0 ACTIVE (deleted)
195.54.244.232  195.54.234.15   QM_IDLE           2007    0 ACTIVE



You can see the static VPNs are active and seem okay. Also, the dynamic one is in twice?? One seems active, the other is in NO_STATE?

Your help will be GREATLY appreciated; I am going to add more points for this.

OFFICE.txt
Dynamic-Site.txt

Accepted Solution by: Net-P (earned 125 total points)
OFFICE Router IPSec Policy - Phase II

##################################

Remove this dynamic crypto map:

crypto dynamic-map SDM_CMAP_1 10

##################################

Create a static crypto map entry for the outside map and attach the dynamic one:

crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic SDM_CMAP


##################################


See attached file:

cryptos.txt
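The two pieces of advice in this thread, Net-P's wildcard pre-shared key (address 0.0.0.0) and the accepted fix of hanging the dynamic map off a higher-numbered entry of the existing static crypto map, fit together as below. This is an added, complete hub-and-spoke example written for this page; it is not the poster's attached OFFICE.txt / cryptos.txt and not Cisco's own example. The public addresses are the ones visible in the thread's `show crypto isakmp sa` output; the LAN subnets (192.168.0.0/24 at the hub, 192.168.1.0/24 and 192.168.2.0/24 at two static sites, 192.168.4.0/24 at the dynamic site), the Dialer0 interface, the transform-set name and the `<...>` key strings are assumptions, and the third static site is omitted because it is configured exactly like the first two.

```cisco
! ===== Hub (main office, WAN 195.54.234.15) =====
! Assumed: hub LAN 192.168.0.0/24, WAN interface Dialer0, transform set name
! ESP-AES-SHA, key strings in angle brackets. Replace with real values.
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! Dead peer detection: tear down SAs to a spoke whose address has changed
! (older IOS without the periodic keyword: plain "crypto isakmp keepalive 10").
crypto isakmp keepalive 10 periodic
!
! One key per static peer; the most specific address entry wins.
crypto isakmp key <static-key-1> address 195.54.253.92
crypto isakmp key <static-key-2> address 195.54.244.232
! Wildcard key: used for any peer address that has no entry of its own,
! i.e. the dynamic-IP site. Anyone holding this string can bring up Phase 1
! to the hub, so make it long and random and never reuse a static peer's key.
crypto isakmp key <wildcard-key> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic template: no peer and no match ACL. Peer address and proxy IDs
! are taken from whatever the spoke proposes. reverse-route injects a
! static route to the spoke's LAN while its SA is up.
crypto dynamic-map SDM_CMAP 10
 set transform-set ESP-AES-SHA
 reverse-route
!
! Static entries keep their low sequence numbers ...
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 195.54.253.92
 set transform-set ESP-AES-SHA
 match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 195.54.244.232
 set transform-set ESP-AES-SHA
 match address 102
! ... and the dynamic template is attached as the highest-numbered entry of
! the SAME map, so static peers match first and only unknown peers fall
! through to it. An interface carries exactly one crypto map, which is why
! a separately named dynamic map did not work alongside the static one.
crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic SDM_CMAP
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface Dialer0
 crypto map SDM_CMAP_1

! ===== Spoke with dynamic WAN address (the 4th site) =====
! Assumed: spoke LAN 192.168.4.0/24, WAN interface Dialer0. The hub has no
! address to dial, so this side must always initiate.
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp keepalive 10 periodic
crypto isakmp key <wildcard-key> address 195.54.234.15
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto map SPOKE_MAP 1 ipsec-isakmp
 set peer 195.54.234.15
 set transform-set ESP-AES-SHA
 match address 110
!
! Mirror of what the hub will accept through the dynamic template.
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
!
interface Dialer0
 crypto map SPOKE_MAP
```

On the hub, `show crypto map` should list entries 1, 2 and 4 of SDM_CMAP_1, the last one flagged as dynamic, and `show crypto isakmp sa` should show one QM_IDLE line per peer. Entries marked `(deleted)`, such as the MM_NO_STATE line in the thread, are SAs being torn down after a failed or superseded negotiation and age out on their own; with DPD enabled the hub also drops the stale SA when the spoke reappears from a new address. The trade-off a practitioner should keep in mind is that the wildcard key is accepted from any source address, so its secrecy is the only thing standing between the Internet and Phase 1 of the hub; keep the per-peer keys for the static sites distinct from it so a leaked spoke key cannot be used to impersonate a static site.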

Author Comment by: rtptucks
Nice one! That worked!!!

I've also got 250 points up for grabs on this question:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23504419.html

I'm sure you will be able to crack that one! It's basically so I can route between all the VPNs via the Office site rather than creating IPsec tunnels router-to-router.

What would you say is best?

Regards