04-10-2010 10:32 PM
I need to configure a site-to-site VPN. One of the peers has a dynamic IP. The hostname of the peer is qpmmoroc.dyndns.org. I am able to ping this from the firewall, but how do I configure the peer using the hostname?
04-11-2010 04:34 AM
Unfortunately not a supported configuration. You would need to configure dynamic to static LAN-to-LAN tunnel as per the following sample configuration:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
VPN tunnel can only be initiated from the dynamic end.
04-11-2010 10:43 PM
Hi, I have 2 questions:
Is this possible in a multisite scenario?
Don't we have to call any access list in the main site, which has a static IP?
04-12-2010 02:32 AM
1) You can have multiple dynamic sites connecting to static site.
2) If it's dynamic, you don't have to configure access-list, you would need to use dynamic-map
04-12-2010 02:51 AM
The tunnel actually got established, but I was facing a problem with traffic forwarding.
Moreover, I am also not able to put the following command in the remote ASA:
crypto map newmap 10 ipsec-isakmp
Can you please help me further?
04-12-2010 02:54 AM
What do you mean by you can't put the command: crypto map newmap 10 ipsec-isakmp
Can you share the config, and also the output of what you tried to configure?
04-12-2010 05:37 AM
Hi,
I have established the tunnel.
Out of 2 sites, one site is working without any issues.
The other site's tunnel has been formed, but I am not able to ping any interested traffic.
What all do I need to check?
04-12-2010 05:50 AM
Make sure the third site's LAN does not overlap with the other sites' LAN.
Is this the dynamic peer? So you are seeing Phase 1 - QM_IDLE, and can you share the output of "show crypto ipsec sa peer
04-12-2010 05:53 AM
I have changed the IP addresses. Please don't mind.
sh crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
Crypto map tag: cisco, seq num: 20, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 194, #pkts decrypt: 194, #pkts verify: 194
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 18, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2 /4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 9738032C
inbound esp sas:
spi: 0x2E96F8B6 (781646006)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 167936, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4373981/28746)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9738032C (2537030444)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 167936, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4373992/28742)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
04-12-2010 05:55 AM
And the peer 1.1.1.1 is the dynamic peer. I don't see any idle messages.
04-12-2010 06:00 AM
Make sure you have NAT exemption configured between the 2 subnets.
04-12-2010 10:31 PM
Thanks, it is working now.
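Added example, not part of any post in this thread: a small Python parser for the `show crypto ipsec sa` output posted above that compares the encaps and decaps counters, the check that separates "tunnel is up" from "traffic flows both ways" and points toward causes such as missing NAT exemption. The function names and the 5:1 ratio threshold are assumptions chosen for illustration.

```python
import re

# Excerpt of the output posted in the thread (addresses already changed by the poster).
SAMPLE = """\
peer address: 1.1.1.1
Crypto map tag: cisco, seq num: 20, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 194, #pkts decrypt: 194, #pkts verify: 194
#send errors: 0, #recv errors: 0
"""

IDENT = re.compile(r"^(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
COUNTER = re.compile(r"#([A-Za-z ]+?): (\d+)")

def parse_sa(text):
    """Return peer, proxy identities and packet counters of one SA block."""
    sa = {"counters": {}}
    for line in text.splitlines():
        line = line.strip()
        m = IDENT.match(line)
        if m:
            sa[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif line.startswith("peer address:"):
            sa["peer"] = line.split(":", 1)[1].strip()
        else:
            for name, value in COUNTER.findall(line):
                sa["counters"][name.strip()] = int(value)
    return sa

def diagnose(sa, ratio=5):
    """Classify traffic direction at this end; ratio is an assumed threshold."""
    enc = sa["counters"].get("pkts encaps", 0)
    dec = sa["counters"].get("pkts decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"            # SA exists but no interesting traffic seen
    if dec >= ratio * max(enc, 1):
        return "mostly-inbound"  # peer's packets arrive, few replies encrypted
    if enc >= ratio * max(dec, 1):
        return "mostly-outbound" # we send, the far end rarely answers
    return "balanced"

if __name__ == "__main__":
    sa = parse_sa(SAMPLE)
    print(sa["peer"], sa["local"], "<->", sa["remote"], diagnose(sa))
```

A "mostly-inbound" result at this end means replies from the local subnet are largely not being encrypted back into the tunnel, so the local NAT exemption, crypto ACL match and routing are the places to look.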