10-05-2008 07:37 PM - edited 02-21-2020 03:02 AM
I want to build a site-to-site VPN.
HQ will be using a Cisco 1841 ISR.
HQ will be using a registered PUBLIC IP.
DSL
The branch will be using a Cisco 877 series ISR.
The branch will be using only a dynamic IP provided by the country's internet service provider.
ADSL
What approach should I use, and how do I configure it to make the VPN connection work?
10-06-2008 04:37 AM
Chong,
You can build the tunnel in a hub-spoke architecture. The spoke in your case will be using a dynamic IP assigned by the ISP; your hub uses static.
Have a look here for dynamic L2L config sections.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
Rgds
Jorge
10-06-2008 05:40 PM
Thanks, Jorge, for pointing me in the right direction.
I'm a beginner with Cisco routers. Do you know of a link to an SDM type of example that I can follow more easily?
10-07-2008 12:40 PM
I have not seen an SDM link. The above link is easy to follow; try using it, omitting the RA client configuration. At least try creating a configuration sketch in Notepad for each router without entering it in the router. You may post the proposed config from both routers so that we can see them prior to implementing them.
10-07-2008 07:28 PM
Thanks, Jorge!
I have not got a clue how to get the project started. Now that you have mentioned it, I will start a 'sketch' in Notepad for each router; you or anyone can take a look and suggest where I went wrong. Thanks in advance!
10-09-2008 07:28 AM
Hi Jorge, I've been trying to create the 'sketch', but I've encountered a problem regarding how to 'glue' the HQ VPN head-end server to the peer ends to create connectivity. The peers are using dynamic IPs, so how do I get over this obstacle? Do I have to resort to, e.g., getting each peer to register a hostname, e.g. peer1.members.dyndns.org, and then enter peer1.members.dyndns.org in the HQ's VPN configuration instead?
Thanks in advance
10-16-2008 09:48 AM
Hello Jorge.
! HUB's Configurations
!
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hub
!
no logging on
!
username admin password xxx
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
!
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key mykey123
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group myclientgroup
key xxx
dns 165.21.83.88 165.21.100.88
wins 3.3.3.3 4.4.4.4
domain myclient.com
pool ippool
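!--- ISAKMP profile for the dynamic-IP spoke routers; dynmap 10 references it.
crypto isakmp profile L2L
keyring spokes
match identity address 0.0.0.0
crypto isakmp profile VPNclient
description VPN clients profile
match identity group myclientgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!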
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Two instances of the dynamic crypto map
!--- reference the two previous IPsec profiles.
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile L2L
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
description Outside interface
ip address 10.48.67.181 255.255.255.224
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
description Inside interface
ip address 10.1.1.1 255.255.254.0
duplex auto
speed auto
no keepalive
!
ip local pool ippool 10.5.5.1 10.5.5.254
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.181
!
!
call rsvp-sync
!
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
escape-character 27
line aux 0
line vty 0 4
password xxx
!
!
end
_____________________________________________
! SPOKE's configurations
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname spoke_01
!
no logging on
!
ip subnet-zero
no ip domain lookup
!
ip cef
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key mykey123 address 10.48.67.181
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Standard crypto map on the spoke router
!--- that references the known hub IP address.
crypto map mymap 10 ipsec-isakmp
set peer 10.48.67.181
set transform-set myset
match address 100
!
!
controller ISA 5/1
!
!
interface Dialer1
description Outside interface
ip address dhcp
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/0
description Inside interface
ip address 10.2.2.2 255.255.255.0
duplex auto
speed auto
no keepalive
!
interface ATM1/0
no ip address
shutdown
no atm ilmi-keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.100.2.3
no ip http server
no ip http secure-server
access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password xxx
login
!
!
end
___________________________________________
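An added example, not part of the thread or of Cisco's documentation: a small Python check for the cross-references that a hub-and-spoke pair like the one sketched above depends on (ISAKMP profiles referenced by the dynamic map, the client group name, the spoke's peer address, and the pre-shared key). The sample configs are constructed in the style of the sketch with three mismatches seeded, and all function names are this example's own.

```python
import re

# Constructed samples in the style of the sketch above, with three mismatches seeded.
HUB = """\
pre-shared-key address 0.0.0.0 0.0.0.0 key mykey123
crypto isakmp client configuration group myclientgroup
crypto isakmp profile VPNclient
match identity group testgroup
crypto dynamic-map dynmap 5
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set isakmp-profile L2L
interface FastEthernet0/0
ip address 10.48.67.181 255.255.255.224
crypto map mymap
"""
SPOKE = """\
crypto isakmp key mykey123 address 10.40.67.181
set peer 10.40.67.181
"""
ISA = r"^crypto isakmp "  # global ISAKMP commands start in column 0

def grab(pattern, cfg):
    """Set of first-group matches of a line-anchored pattern."""
    return set(re.findall(pattern, cfg, re.M))

def crypto_map_ips(cfg):
    """Addresses of interfaces that have a crypto map applied."""
    ips, ip = set(), None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface "):
            ip = None
        elif m := re.fullmatch(r"ip address (\d[\d.]+) \S+", line):
            ip = m.group(1)
        elif ip and re.fullmatch(r"crypto map \S+", line):
            ips.add(ip)
    return ips

def lint(hub, spoke):
    """Sorted list of hub/spoke inconsistencies that stop the tunnel forming."""
    refs = grab(r"^\s*set isakmp-profile (\S+)", hub)
    groups = grab(r"^\s*match identity group (\S+)", hub)
    peers = grab(r"^\s*set peer (\S+)", spoke) | grab(ISA + r"key \S+ address (\S+)", spoke)
    keys = grab(ISA + r"key (\S+) address", spoke)
    out = [f"hub: isakmp profile {p} not defined" for p in refs - grab(ISA + r"profile (\S+)", hub)]
    out += [f"hub: client group {g} not defined" for g in groups - grab(ISA + r"client configuration group (\S+)", hub)]
    out += [f"spoke: peer {a} is not a hub crypto-map address" for a in peers - crypto_map_ips(hub)]
    out += ["spoke: key not in hub keyring" for _ in keys - grab(r"^\s*pre-shared-key .* key (\S+)", hub)]
    return sorted(out)
print("\n".join(lint(HUB, SPOKE)))
```

An empty list from `lint` means the cross-references line up; it does not validate the ISP-facing interface or routing.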