rtptucks
asked on
Cisco 800 series to Cisco 800 series VPN (with dynamic public WAN IP)
Ok
I have one main office and 4 remote sites.
All remote sites need a VPN IPsec connection to the main office.
3 of these sites have successful VPNs because all have static IPs; however the 4th site unfortunately has a dynamic IP assigned from its ISP.
When trying to set up the VPN I set the peer address as an FQDN (from dyndns.org); however the Cisco translates this and replaces it with its IP, so if the site was to be issued with a new IP the VPN tunnel would be broken until I replaced the IP again.
Surely there must be some config to sort this out? Even cheap routers can do VPNs to dynamic IPs.
Any help would be greatly appreciated.
ASKER
How does it know what SA password to use?
crypto isakmp key password address 0.0.0.0
crypto isakmp key password address 195.54.*.8
crypto isakmp key password address 195.54.*44
Then how will it know which crypto map to bind it to?
The crypto map will be negotiated through the proposals from both routers.
If there is no dedicated key for a peer, the key for the 0.0.0.0 peer will be used.
This applies to all peers, so use strong keys.
ASKER
Ok
I have tried all sorts to get this to work and am still unsuccessful. I've done some reading on Cisco's website which is pretty useful:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
However I already have static cryptos configured and can't seem to get it running in conjunction with a dynamic map?
From the dynamic site, when running the following command:
wentworthway#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
195.54.234.15 86.13.165.130 QM_IDLE 1004 0 ACTIVE
195.54.234.15 86.13.165.130 MM_NO_STATE 1003 0 ACTIVE (deleted)
Then the main office site which has the static VPNs:
tomsons_office#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
195.54.253.92 195.54.234.15 QM_IDLE 2002 0 ACTIVE
195.54.234.15 86.13.165.130 QM_IDLE 2043 0 ACTIVE
195.54.234.15 86.13.165.130 MM_NO_STATE 2042 0 ACTIVE (deleted)
195.54.244.232 195.54.234.15 QM_IDLE 2007 0 ACTIVE
You can see the static VPNs are active and seem okay, but the dynamic one is in twice?? One seems active, the other is in NO_STATE?
Your help will be GREATLY appreciated; I am going to add more points for this.
OFFICE.txt
Dynamic-Site.txt
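The hub-and-spoke layout the thread is circling around, written out as an added example (this is not the asker's OFFICE.txt or Dynamic-Site.txt, neither of which is on the page, and not the hidden accepted solution). It ties together the two points raised above: the wildcard 0.0.0.0 pre-shared key that catches any peer without a dedicated entry, and a dynamic crypto-map entry that coexists with the existing static entries because it carries the highest sequence number, so fixed-IP peers are matched first and only an unknown address falls through to the template. All addresses (RFC 5737 documentation ranges), key strings, map and ACL names, and the interface names are placeholders chosen for the example.

```cisco
! ===== Hub (main office) =====
! Phase 1 policy, shared by every peer
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Dedicated keys for the two fixed-IP sites (placeholder addresses)
crypto isakmp key STATIC-KEY-1 address 203.0.113.8
crypto isakmp key STATIC-KEY-2 address 203.0.113.44
!
! Wildcard key: chosen whenever no dedicated entry matches the peer's source
! address, i.e. for the dynamic-IP site. Any host can offer it, so it must be
! long and random, and it should differ from the static keys. Older IOS also
! accepts the bare "address 0.0.0.0" form shown earlier in the thread.
crypto isakmp key WILDCARD-KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Dynamic template: no "set peer" and no "match address" are needed; the
! remote router proposes its proxy identities and the hub accepts them.
crypto dynamic-map DYN-REMOTE 10
 set transform-set TS
!
! Static entries first (low sequence numbers)
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.8
 set transform-set TS
 match address SITE1-TRAFFIC
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.44
 set transform-set TS
 match address SITE2-TRAFFIC
!
! Dynamic entry last: the highest sequence number, so that a known static
! peer never lands on the template and only unmatched peers fall through.
! The hub cannot initiate on this entry; only the spoke brings it up.
crypto map VPN 65535 ipsec-isakmp dynamic DYN-REMOTE
!
ip access-list extended SITE1-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
ip access-list extended SITE2-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
!
! One crypto map per interface; the 800-series WAN interface name varies
! (FastEthernet4 on Ethernet WAN models, Dialer0 on ADSL models)
interface FastEthernet4
 crypto map VPN

! ===== Spoke (dynamic-IP site) =====
! An ordinary static crypto map pointing at the hub's fixed address.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp key WILDCARD-KEY address 203.0.113.15
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.15
 set transform-set TS
 match address HUB-TRAFFIC
!
ip access-list extended HUB-TRAFFIC
 permit ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface Dialer0
 crypto map VPN
```

Because the spoke's address is unknown in advance, the tunnel only comes up when traffic from the spoke's LAN matches HUB-TRAFFIC and the spoke initiates; the hub side is purely a responder for that entry. After a rekey or an address change the hub's "show crypto isakmp sa" may briefly list the old SA as MM_NO_STATE marked "(deleted)" alongside the new QM_IDLE one; the QM_IDLE entry is the live SA and the other is being torn down.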
ASKER CERTIFIED SOLUTION
ASKER
Nice one! That worked!!!
I've also got 250 points up for grabs on this question:
https://www.experts-exchange.com/questions/23504419/Cisco-800-series-to-Cisco-800-series-VPN-with-dynamic-public-WAN-IP.html
I'm sure you will be able to crack that one! It's basically so I can route between all the VPNs via the Office site rather than creating IPsec tunnels router-to-router.
What would you say is best?
Regards
But the tunnel will be initiated unidirectionally, from the remote site only.