sour
New Contributor

Dynamic VPN


I'm trying to figure out how to do a dynamic VPN between a Cisco, which may have an IP address that changes frequently, and an Adtran 908e that has a public IP. It seems to me that this should be possible? I have already tried the setup guides, but they don't detail how to handle the situation when the peer IP address is unknown.

I have 4 locations that have dynamic IP addresses and a primary with a static one. I'm trying to get the PBXs at each location to talk.

THX!

Accepted Solutions
jayh
Honored Contributor

Re: Dynamic VPN


You'll need to have the remotes initiate and set the remote ID to something other than an IP address, such as an FQDN. The hub end needs a static IP programmed into the remotes.

crypto ike policy 100
  no initiate
  respond anymode
  local-id fqdn adtran.example.com
  peer any
!
crypto ike remote-id fqdn cisco1.example.com preshared-key itsasecret1 ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id fqdn cisco2.example.com preshared-key itsasecret2 ike-policy 100 crypto map VPN 20 no-mode-config no-xauth
!
crypto ipsec transform-set esp-aes-192-cbc-esp-sha-hmac esp-aes-192-cbc esp-sha-hmac mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Cisco1
  match address VPN-10-vpn-selectors
  set transform-set esp-aes-192-cbc-esp-sha-hmac
  ike-policy 100
!
crypto map VPN 20 ipsec-ike
  description Cisco2
  match address VPN-20-vpn-selectors
  set transform-set esp-aes-192-cbc-esp-sha-hmac
  ike-policy 100
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ip access-list extended VPN-20-vpn-selectors
  permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
!

There are a lot of variables with IPSec that all have to match, and it gets trickier with different vendors.  I'd try building it to a known IP address first to ensure that your PFS, D-H group, transform set, PSK, etc. are all good and then change to the dynamic model.

If there isn't "interesting" traffic over the VPN, consider building a ping probe running every few minutes to keep the tunnel up on the remote ends.  Otherwise when it times out the hub won't be able to initiate to the spokes with unknown IPs. 

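For reference, here is the matching spoke-side configuration for one of the Cisco IOS routers (IKEv1, crypto map). This is an added example, not part of jayh's answer or the original thread, and it makes several assumptions: the hub's public address is 203.0.113.1 (a placeholder), the spoke's LAN is 192.168.1.0/24 with the router at 192.168.1.1, there is a host at 10.10.10.1 behind the hub to probe, and the phase-1 attributes (AES-192, SHA-1, DH group 2, 86400 s lifetime) are guesses because the thread never shows what `crypto ike policy 100` negotiates on the Adtran. The one detail worth understanding is why the spoke initiates in aggressive mode: with IKEv1 and pre-shared keys, a main-mode responder only knows the initiator's (dynamic, unknown) IP when it has to pick the PSK, so per-peer keys selected by FQDN, as the Adtran `crypto ike remote-id fqdn ...` lines do, only work when the ID travels in the clear in the first aggressive-mode message. The flip side is that aggressive mode exposes a PSK-derived hash to anyone who can sniff the exchange, and the hub's `peer any` / `respond anymode` will answer anyone who connects, so the per-spoke keys should be long random strings rather than the `itsasecret1` placeholders.

```cisco
! --- spoke cisco1: dynamic WAN address, initiates to a static hub ---
hostname cisco1
ip domain name example.com
!
! Send our FQDN (cisco1.example.com) as the IKE identity instead of the
! WAN address; this is what the hub's remote-id fqdn entry is keyed on.
crypto isakmp identity hostname
!
! Phase 1 proposal. ASSUMPTION: the Adtran 'crypto ike policy 100'
! attributes are not shown in the thread; adjust to match the hub exactly.
crypto isakmp policy 10
 encryption aes 192
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! PSK for the hub, keyed by its static address (203.0.113.1 is a placeholder).
! Must equal the key in the hub's 'crypto ike remote-id fqdn cisco1.example.com' line.
crypto keyring HUB-KEYS
 pre-shared-key address 203.0.113.1 key itsasecret1
!
! Aggressive mode so the hub sees our FQDN in message 1 and can select the
! per-peer PSK. The hub identifies itself as fqdn adtran.example.com.
crypto isakmp profile HUB
 keyring HUB-KEYS
 self-identity fqdn
 match identity host adtran.example.com
 initiate mode aggressive
!
! Dead peer detection so a stale SA is torn down and re-initiated from here.
crypto isakmp keepalive 10 periodic
!
! Mirror of the hub transform set: esp-aes-192-cbc esp-sha-hmac, tunnel mode.
crypto ipsec transform-set HUB-TS esp-aes 192 esp-sha-hmac
 mode tunnel
!
! Mirror image of the hub's VPN-10-vpn-selectors ACL (source and destination swapped).
ip access-list extended VPN-TO-HUB
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HUB-TS
 set isakmp-profile HUB
 match address VPN-TO-HUB
!
interface GigabitEthernet0/0
 description WAN, address assigned by the ISP
 ip address dhcp
 crypto map VPN
!
interface GigabitEthernet0/1
 description LAN, 192.168.1.0/24 (PBX side)
 ip address 192.168.1.1 255.255.255.0
!
! Keepalive probe from the spoke: ICMP sourced from the LAN address so it
! matches VPN-TO-HUB and keeps (re)initiating the tunnel from this side.
! ASSUMPTION: 10.10.10.1 is a reachable host behind the hub.
ip sla 1
 icmp-echo 10.10.10.1 source-ip 192.168.1.1
 frequency 60
ip sla schedule 1 life forever start-time now
```

Repeat the block for cisco2 with its own hostname, PSK and 192.168.2.0/24 selectors. To verify, `show crypto isakmp sa` on the spoke should show the hub in QM_IDLE with the profile HUB, and `show crypto ipsec sa` should show encaps/decaps counters climbing once the SLA probe runs; if phase 1 never completes, compare the proposal attributes against the hub's debug output before touching anything else, as the answer above suggests.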
Anonymous

Re: Dynamic VPN


Sour,

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks!

David