IPSEC VPN with dynamic to dynamic IP

Answered Question
Aug 9th, 2010

Hi,


I have been trying out IPSEC VPN with dynamic to dynamic IP (router to router) for quite some time, but I still cannot auto-establish the tunnel.


Can someone please tell me if it is possible to do it?


If yes, please share with me the secret to make it work.


Thank you!


Best Regards

Jitendriya Athavale Tue, 08/10/2010 - 02:11

That will not be possible, because the guy who initiates the tunnel at least needs to know with whom he is trying to establish the tunnel.

jazzlim2004 Tue, 08/10/2010 - 06:43

Hi,


But I am using DDNS, so the local can initiate the tunnel based on that address. I assume DDNS will resolve the problem you mentioned.


So what other factors will cause the failure?

Nitin Agarwal Tue, 08/10/2010 - 08:15

Hi,


You will not be able to use DDNS in a LAN to LAN setup. That will work in the remote VPN setup.


Regards,

Nitin Agarwal.

jazzlim2004 Wed, 08/11/2010 - 20:01

Hi,


We are not using DDNS in LAN. We have local & remote sites. For your advice please.


Thank you

bert.baker Thu, 08/12/2010 - 08:46

This should work:


event manager applet change-tunnel-dest
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel199"
action 1.3 cli command "tunnel destination remotevpn.gotdns.com"
!


Have both routers running DDNS; then every minute it will change the tunnel destination to whatever the DDNS is for the remote site.


Bert

jazzlim2004 Thu, 08/12/2010 - 19:43

Wow... This event manager is very new to me.


Sorry, I don't quite understand the command. Is the purpose to detect changes in the DDNS address and automatically re-establish the tunnel?


Could you be kind enough to explain the commands line by line to me? There are a lot of commands I don't understand or use. (Should I copy the exact commands you wrote? And what is ****?)


I have attached my configuration. Can you advise what mistake I have made?


Your help is greatly appreciated! Thank you so much in advance :)

Correct Answer
bert.baker Fri, 08/13/2010 - 06:29

Rather than Crypto map, I would use Crypto Profile. Then you establish an IPSEC tunnel. The beauty of Profile is that you can run Routing Protocols through it and you don't have to constantly change the maps every time you change network topology. The "* * * * *" in the event timer is "minute hour day month weekday", so "* * * * *" means "update it every minute". In Tunnel destination, it is an IP address, not a HOSTNAME, that gets stored, but when you configure it, you can put in a HOSTNAME and it will convert it to an IP at the time you are configuring it.


So if you type:

config t

interface tunnel100
tunnel destination remote.dyndns.com

exit

show run int tunnel100


It shows:

interface Tunnel100
tunnel destination 75.67.43.79

That is why the event manager goes and changes the tunnel destination every minute to whatever the DDNS says the new IP is.


I didn't see that both of your routers were running DDNS.  They will need to for this to work.


Local Router:


crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
set transform-set ESP-AES-SHA
!
interface Tunnel100
description to remote.dyndns.org
ip address 10.254.220.10 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1400
tunnel source Dialer0
tunnel destination 75.67.43.79
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTOPROFILE

ip route 192.168.2.0 255.255.255.0 10.254.220.9

event manager applet change-tunnel-dest
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel100"
action 1.3 cli command "tunnel destination remote.dyndns.org"
!


--------


Remote Router:


crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
set transform-set ESP-AES-SHA
!
interface Tunnel100
description to local.dyndns.org
ip address 10.254.220.9 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1400
tunnel source Dialer0
tunnel destination 93.219.58.191
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTOPROFILE

ip route 192.168.1.0 255.255.255.0 10.254.220.10

event manager applet change-tunnel-dest
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel100"
action 1.3 cli command "tunnel destination local.dyndns.org"


Thanks,


Bert
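As an added example that is not part of Bert's answer or anything else in this thread: a small offline check that does what the cron applet does each minute, but compares first. It pulls the stored `tunnel destination` out of `show run int tunnel100` output, asks what the DDNS name currently resolves to, and emits the IOS commands only when the two differ. The sample show-run text is constructed from the answer above, the hostname is passed in explicitly, and `resolve` is injectable (the hypothetical `resolve` parameter) so it runs without live DNS.

```python
import re
import socket
from typing import Callable, List, Optional

# Constructed sample of what `show run int tunnel100` printed in the answer
# above: IOS stores the resolved IP, never the DDNS hostname.
SAMPLE_SHOW_RUN = """\
interface Tunnel100
 description to remote.dyndns.org
 ip address 10.254.220.10 255.255.255.252
 tunnel source Dialer0
 tunnel destination 75.67.43.79
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTOPROFILE
"""

def configured_destination(show_run: str) -> Optional[str]:
    """Return the stored 'tunnel destination' IP, or None if absent."""
    m = re.search(r"^\s*tunnel destination (\S+)\s*$", show_run, re.MULTILINE)
    return m.group(1) if m else None

def update_commands(show_run: str, hostname: str,
                    resolve: Callable[[str], str] = socket.gethostbyname,
                    interface: str = "tunnel100") -> List[str]:
    """Commands the applet needs this minute, or [] when already in sync.
    `hostname` is the peer's DDNS name; `resolve` is injectable so the
    check can be tested without live DNS (assumption: A record, IPv4)."""
    current = configured_destination(show_run)
    if current is None:
        raise ValueError(f"no 'tunnel destination' line found for {interface}")
    if resolve(hostname) == current:
        return []  # DDNS still points at the stored IP: no config churn
    # Re-applying the hostname makes IOS resolve and store the new IP,
    # exactly as the cron applet's action 1.3 does.
    return ["configure terminal",
            f"interface {interface}",
            f"tunnel destination {hostname}"]

if __name__ == "__main__":
    # Offline demo: pretend DDNS moved to 203.0.113.7 (documentation range).
    for cmd in update_commands(SAMPLE_SHOW_RUN, "remote.dyndns.org",
                               resolve=lambda _name: "203.0.113.7"):
        print(cmd)
```

Comparing before writing avoids a config change every minute, which keeps config-change logs meaningful if you monitor them. Note that with `address 0.0.0.0 0.0.0.0` on the ISAKMP key, the pre-shared key is the only thing authenticating the peer, since neither side's IP can be pinned.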

jazzlim2004 Sun, 08/15/2010 - 20:54

Hi,


I am trying to input these commands but faced some problems. Can you advise on the following:


Local Router configuration:

Interface Tunnel100
description to remote.dyndns.org
ip address 10.254.220.10 255.255.255.252          << Is this the WLAN IP or router IP address? My WLAN is dynamic
ip virtual-reassembly
ip tcp adjust-mss 1400
tunnel source Dialer0
tunnel destination 75.67.43.79
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTOPROFILE

ip route 192.168.2.0 255.255.255.0 10.254.220.9     <<<< 192.168.2.0 is my remote router IP, so what is 10.254.220.9?




With the IPsec profile, do I still need to match the address? If yes, where should I key it in?


Thank you.

bert.baker Sun, 08/15/2010 - 21:01

No, it is the IP address of the newly created Tunnel interface. It could be anything. If you don't understand tunnels, time to read up on them.

jazzlim2004 Mon, 08/16/2010 - 20:47

Hi,


Thank you so much for the advice to use VTI. I have done some reading on it and applied the method to my router.


Now the VPN can auto-re-establish with the event manager command (even after a router reset).


Could you please advise me why I cannot ping my router?


And when I look at SDM monitor --> IPsec Tunnel, it displays nothing there. I can only see the IKE SA. Why is it so?


I have attached my config for your viewing. Thank you

taherudin Thu, 11/18/2010 - 10:44

Hi Kim Lin


Me too, facing the same problem. I have done it, the tunnels are up, but I can't ping each other. Will you send me your config if it's working?


Regards

Taher

taherudin Thu, 11/25/2010 - 08:29

Hi Bert


I have followed your config; its tunnels are up but I can't ping each other. Will you help me please?


Regards

Taher
