I'm trying to figure out how to do a dynamic VPN between a Cisco, which may have an IP address that changes frequently, and an Adtran 908e that has a public. It seems to me that this should be possible? I have already tried the setup guides, but they don't detail how to handle the situation when the peer IP address is unknown..
I have 4 locations that have dynamic IP addresses and a primary with static. I'm trying to get PBXs at each location to talk.
THX!
You'll need to have the remotes initiate and set the remote ID to something other than an IP address such as FQDN. Hub end needs a static IP programmed into the remotes.
crypto ike policy 100
  no initiate
  respond anymode
  local-id fqdn adtran.example.com
  peer any
!
crypto ike remote-id fqdn cisco1.example.com preshared-key itsasecret1 ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id fqdn cisco2.example.com preshared-key itsasecret2 ike-policy 100 crypto map VPN 20 no-mode-config no-xauth
!
crypto ipsec transform-set esp-aes-192-cbc-esp-sha-hmac esp-aes-192-cbc esp-sha-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Cisco1
  match address VPN-10-vpn-selectors
  set transform-set esp-aes-192-cbc-esp-sha-hmac
  ike-policy 100
!
crypto map VPN 20 ipsec-ike
  description Cisco2
  match address VPN-20-vpn-selectors
  set transform-set esp-aes-192-cbc-esp-sha-hmac
  ike-policy 100
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ip access-list extended VPN-20-vpn-selectors
  permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
!
There are a lot of variables with IPSec that all have to match, and it gets trickier with different vendors. I'd try building it to a known IP address first to ensure that your PFS, D-H group, transform set, PSK, etc. are all good and then change to the dynamic model.
If there isn't "interesting" traffic over the VPN, consider building a ping probe running every few minutes to keep the tunnel up on the remote ends. Otherwise when it times out the hub won't be able to initiate to the spokes with unknown IPs.
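Added example, not part of the original answer and not taken from Adtran or Cisco documentation: the spoke-side Cisco IOS configuration that pairs with the hub config above (the spoke initiates, identifies itself by FQDN, and carries a static hub address), plus the keepalive ping probe suggested above implemented with IP SLA. Everything not on the page is assumed: hub public IP 203.0.113.1, hub LAN gateway 10.10.10.1, spoke LAN 192.168.1.0/24 with router address 192.168.1.1, the WAN interface name, and the IKE DH group and lifetime, which must be checked against the attributes of the Adtran's ike policy 100.

```cisco
! Added example (not from the original post). Spoke "cisco1" talking to the
! Adtran hub above. 203.0.113.1 (hub WAN), 10.10.10.1 (hub LAN gateway),
! 192.168.1.1 (this router's LAN address) and Gi0/0 are assumed values.
hostname cisco1
ip domain-name example.com
!
! Phase 1: must match the attributes of the hub's "crypto ike policy 100".
! Cipher/hash mirror the hub transform set; group and lifetime are assumptions.
crypto isakmp policy 10
 encr aes 192
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! Send our identity as FQDN (hostname.domain = cisco1.example.com), which is
! what the hub's "crypto ike remote-id fqdn cisco1.example.com" matches on.
crypto isakmp identity hostname
!
! Per-spoke PSK for the hub address (placeholder key from the page).
crypto isakmp key itsasecret1 address 203.0.113.1
!
! Initiate aggressive mode so the FQDN ID reaches the hub before it has to
! pick a PSK; the hub's "respond anymode" accepts main or aggressive mode.
crypto isakmp peer address 203.0.113.1
 set aggressive-mode password itsasecret1
 set aggressive-mode client-endpoint fqdn cisco1.example.com
!
! Dead Peer Detection: tear down and rebuild the SA after a WAN address change
! instead of waiting for the lifetime to expire.
crypto isakmp keepalive 10 periodic
!
! Phase 2: same ESP cipher and integrity as the hub transform set. No "set pfs"
! because the hub crypto map does not configure PFS.
crypto ipsec transform-set TS-AES192-SHA esp-aes 192 esp-sha-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 description To-Adtran-hub
 set peer 203.0.113.1
 set transform-set TS-AES192-SHA
 match address VPN-10-vpn-selectors
!
! Mirror image of the hub's VPN-10-vpn-selectors ACL (source and destination swapped).
ip access-list extended VPN-10-vpn-selectors
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
interface GigabitEthernet0/0
 description WAN - dynamic address from the ISP
 ip address dhcp
 crypto map VPN
!
! Keepalive probe: ping the hub LAN every 2 minutes from the LAN address, so the
! traffic matches the selector ACL and the spoke rebuilds the tunnel even when
! the PBXs are idle (the hub cannot initiate to an unknown spoke address).
ip sla 1
 icmp-echo 10.10.10.1 source-ip 192.168.1.1
 frequency 120
ip sla schedule 1 life forever start-time now
```

The second spoke gets the same template with cisco2.example.com, itsasecret2 and 192.168.2.0/24. Because aggressive mode sends the identity and a PSK-derived hash in the clear, keep each spoke's key long, random and unique (the hub config already uses one key per remote-id), and keep the selector ACLs limited to the PBX subnets. Check the result on the spoke with show crypto isakmp sa and show crypto ipsec sa; the IP SLA probe should show one SA pair per spoke staying up without any phone traffic.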
Sour,
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks!
David