
Cisco site-to-site vpn with dynamic ip address

Hi Experts,

I'm rebuilding my network because I moved all my servers to a data center. I also got a private 100 Mbps fiber optic L2 link between the main office and the datacenter.

There are 7 sites involved in my situation. They basically only need to connect to the datacenter via site-to-site VPN. Sites don't need to communicate with each other.

I already have an existing working setup for this but now I need to add a site that does NOT HAVE A STATIC IP ADDRESS.

What should I do to configure the datacenter router to accept connections from any IP address that just has the correct VPN key?
Here's my current configuration at the datacenter:

Cisco2811#sh run
Building configuration...

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key My_Secret_VPN_Key address 1.1.1.1
crypto isakmp key My_Secret_VPN_Key address 2.2.2.2
crypto isakmp key My_Secret_VPN_Key address 3.3.3.3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CMAP-IPSEC 1 ipsec-isakmp
 set peer 1.1.1.1
 set peer 2.2.2.2
 set peer 3.3.3.3
 set transform-set ESP-3DES-SHA
 match address ACL_IPSEC
!
interface FastEthernet0/1
 description INTERNET
 ip address 1.2.3.4 255.255.255.248
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1450
 duplex auto
 speed auto
 crypto map CMAP-IPSEC

ip route 0.0.0.0 0.0.0.0 1.2.3.4
!
ip nat inside source route-map RMAP_NAT interface FastEthernet0/1 overload
!
ip access-list extended ACL_IPSEC
 remark Identify traffic allowed on IPSEC Crypto map
 permit ip 10.10.99.0 0.0.0.255 10.11.12.0 0.0.0.255
 permit ip 10.10.99.0 0.0.0.255 10.10.40.0 0.0.0.255
 permit ip 10.10.99.0 0.0.0.255 10.10.70.0 0.0.0.255
ip access-list extended ACL_NAT
 remark Identify traffic not allowed to be nated
 deny   ip 10.10.99.0 0.0.0.255 10.11.12.0 0.0.0.255
 deny   ip 10.10.99.0 0.0.0.255 10.10.40.0 0.0.0.255
 deny   ip 10.10.99.0 0.0.0.255 10.10.70.0 0.0.0.255
 permit ip 10.10.99.0 0.0.0.255 any
!
route-map RMAP_NAT permit 100
 match ip address ACL_NAT
Rubicon2009
Asked:
1 Solution
 
Istvan KalmarCommented:
hi,

you need to extend the key to 0.0.0.0 0.0.0.0 and the remote site needs to build up the VPN
 
Rubicon2009Author Commented:
Okay for

crypto isakmp key My_Secret_VPN_Key address 0.0.0.0 0.0.0.0

but what should I put in

crypto map CMAP-IPSEC 1 ipsec-isakmp
 set peer 1.1.1.1

?

Thank you !
 
Istvan KalmarCommented:
you need "set peer dynamic":

https://supportforums.cisco.com/thread/343363

Or if you want to implement more tunnels you need DMVPN or EASYVPN
 
Rubicon2009Author Commented:
"set peer dynamic" does not seem to be a recognized command on my router.

861W(config-crypto-map)#set peer ?
  A.B.C.D  IP address of peer
  WORD     Host name of the peer
 
Istvan KalmarCommented:
Hi,

In this case you need to configure DMVPN:

http://www.fir3net.com/Cisco-Router/dmvpn-tutorial.html


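For reference, the standard IOS construct for an IPsec peer whose address is not known in advance is a dynamic crypto map attached to the existing static map, combined with the wildcard pre-shared key suggested above. The configuration below is an added example written for this thread, not part of any poster's config; the names DYNMAP and ACL_IPSEC_DYN are assumed, and 10.10.80.0/24 is a constructed placeholder for the dynamic-IP site's LAN.

```cisco
! Added example: accept a site-to-site tunnel from a peer with no fixed
! address on the datacenter router, alongside the existing static peers.
!
! Wildcard pre-shared key: any host presenting this key can negotiate IKE
! with the hub, so it now protects every site and should be treated like
! a password shared with all of them.
crypto isakmp key My_Secret_VPN_Key address 0.0.0.0 0.0.0.0
!
! Interesting traffic for the dynamic site, kept in its own ACL so the
! entries in ACL_IPSEC for the static peers stay as they are.
ip access-list extended ACL_IPSEC_DYN
 remark Datacenter LAN <-> dynamic-IP site LAN (placeholder subnet)
 permit ip 10.10.99.0 0.0.0.255 10.10.80.0 0.0.0.255
!
! Dynamic crypto map: there is no "set peer"; the peer address is learned
! when the remote site initiates. The hub therefore cannot bring this
! tunnel up on its own, which is why the remote side must initiate.
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
 match address ACL_IPSEC_DYN
!
! Attach it to the existing map with a sequence number higher than the
! static entries so known peers still match their specific entry first.
crypto map CMAP-IPSEC 65535 ipsec-isakmp dynamic DYNMAP
!
! The dynamic site's LAN must also be excluded from NAT, like the static
! sites. Named ACL entries default to sequence 10, 20, 30, 40, so 35 lands
! before the final "permit ip 10.10.99.0 0.0.0.255 any".
ip access-list extended ACL_NAT
 35 deny ip 10.10.99.0 0.0.0.255 10.10.80.0 0.0.0.255
```

After the remote site initiates, "show crypto isakmp sa" and "show crypto ipsec sa" on the hub show the learned peer address and the ACL_IPSEC_DYN selectors; a peer that matches only the dynamic entry and nothing else is expected, a tunnel that never appears usually means the spoke is not the initiator.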
