Remote access using Cisco Client

jazzlim2004
Level 1

Hi,

This is part of my site to site config, which is working fine.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20

But when I add the client config below to the above, remote client access does not work:
crypto isakmp client configuration group Client-Group
key cisco123
dns 165.21.83.88
pool POOL_1
acl 101

But if I remove 'no-xauth' from my site-to-site ISAKMP key, then my client works but my site-to-site VPN does not. Please advise what is wrong, or how I can resolve this?

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

Thank you

Accepted Solution

VTI will never work since you have a dynamic IP address.

Please follow the sample configuration provided earlier for dynamic to static IPSec VPN:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml


17 Replies

Jennifer Halim
Cisco Employee

For site-to-site VPN, I am assuming that you have a static peer IP address.

Hence you would need to configure the following:

crypto isakmp key cisco address no-xauth

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

Hope that helps.

I think I know what to do. Let me try it out first.

Thank you

Jennifer Halim
Cisco Employee

You mean it's dynamic to static site-to-site VPN tunnel?

Can you please share your crypto map configuration?

Hi,

It's a dynamic-to-dynamic site-to-site VPN.

Anyway, I have an idea now after your advice above. I will try it out first.


Thank you so much.

Hi halijenn,

I tried using a hostname in my crypto key, but it seems the hostname is not working for my site-to-site.

crypto isakmp key cisco hostname example.dyn.com no-xauth

Am I using the hostname method above correctly?

Will using a hostname solve my problem?

Thank you

No, you can't use hostname unfortunately.

Hi halijenn

Is there any way to overcome the problem?

You can use the "crypto keyring" option instead of "crypto isakmp key" to configure the pre-shared key.

Here is the sample configuration for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Hope that helps.

Cool!

Will try it out and let you know again. Thank you.

Cheers!

Hi Halijenn,

After using the keyring command, the client is working but the site-to-site router is not. When I 'show crypto isakmp sa', I can see the connection, but when I 'show crypto ipsec sa', there is nothing.

From the config below, can you see any problem?

SITE A configuration:

crypto keyring ToSite
 pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco123
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 20
!
crypto isakmp client configuration group Client-Group
 key Cisco
 dns 165.21.83.88
 pool POOL_1
 acl 101
!
! remote-access clients: matched by group name
crypto isakmp profile Vi
 match identity group Client-Group
 isakmp authorization list default
 client configuration address respond
 virtual-template 1
!
! site-to-site peer: matched by address, key taken from the keyring
crypto isakmp profile Site-Crypto
 keyring ToSite
 match identity address 0.0.0.0
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile Crypto
 set transform-set AES256
 set isakmp-profile Site-Crypto
!
crypto ipsec profile Vi
 set transform-set AES256
 set isakmp-profile Vi
!
! static VTI towards Site B
interface Tunnel100
 ip address 10.10.10.1 255.255.255.0
 ip virtual-reassembly
 zone-member security VPN
 ip tcp adjust-mss 1400
 tunnel source Dialer0
 tunnel destination 110.XX.XX.XXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Crypto

For your information, Site B has 2 VTI tunnels configured. The tunnel from Site B to C is working but the tunnel from Site B to A is not. Would Site B having 2 VTI tunnels cause the problem?

Thank you

Sorry, but why are you configuring GRE over IPSec?

Dynamic site-to-site IPsec is not GRE over IPsec, and by configuring a tunnel interface you are creating a GRE tunnel.

Please use a dynamic-map to set the ISAKMP profile, a crypto map to reference the dynamic map, and finally assign the crypto map to the outside interface, as per the sample configuration.
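The layout that the accepted solution, the keyring reply and the post above all recommend, written out as an added example. This is not the poster's config and not the Cisco sample the thread links (which is not reproduced here). It reuses the thread's own names (ToSite, Site-Crypto, Vi, Client-Group, AES256, POOL_1, ACL 101, Dialer0); DYN-CLIENT, DYN-SITE and OUTSIDE-MAP are assumed names, and AAA, POOL_1, ACL 101 and the Dialer0 interface are assumed to exist already. The point is that the two ISAKMP profiles keep the two peer types apart, so the global no-xauth keyword is no longer needed, and the dynamic maps replace the VTI that a dynamic peer cannot terminate.

```cisco
! Added example, not the original poster's config or Cisco's sample.
! Assumed: aaa, POOL_1, ACL 101 and interface Dialer0 already exist;
! DYN-CLIENT, DYN-SITE and OUTSIDE-MAP are made-up names.
!
! Phase 1 policy shared by the clients and the site-to-site peer
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 20
!
! Pre-shared key for the site-to-site peer. The wildcard address is needed
! because the peer's address is dynamic, so anyone holding this key can
! start IKE with this router: keep the key long and random.
crypto keyring ToSite
 pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco123
!
! Remote-access clients identify themselves by group name (aggressive mode),
! so they match the Vi profile and never touch the keyring.
crypto isakmp client configuration group Client-Group
 key Cisco
 dns 165.21.83.88
 pool POOL_1
 acl 101
!
crypto isakmp profile Vi
 match identity group Client-Group
 isakmp authorization list default
 client configuration address respond
!
! Site-to-site peers identify themselves by IP address (main mode) and use
! the keyring. There is no "client authentication list" here, so no Xauth
! is run for them; this is what the global "no-xauth" keyword used to do.
crypto isakmp profile Site-Crypto
 keyring ToSite
 match identity address 0.0.0.0
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
! One dynamic map per ISAKMP profile, instead of virtual-template / VTI
crypto dynamic-map DYN-CLIENT 10
 set transform-set AES256
 set isakmp-profile Vi
 reverse-route
!
crypto dynamic-map DYN-SITE 10
 set transform-set AES256
 set isakmp-profile Site-Crypto
 reverse-route
!
! The crypto map references both dynamic maps and is bound to the outside
! (dialer) interface
crypto map OUTSIDE-MAP 10 ipsec-isakmp dynamic DYN-CLIENT
crypto map OUTSIDE-MAP 20 ipsec-isakmp dynamic DYN-SITE
!
interface Dialer0
 crypto map OUTSIDE-MAP
```

Three caveats a practitioner would want. First, a dynamic crypto map can only respond to IKE, never initiate it, so with both ends on dynamic addresses (as the poster describes) one side still has to initiate with a static peer entry; the sample configuration the thread links is dynamic-to-static, and the thread does not resolve the dynamic-to-dynamic case. Second, without a `match address` ACL on DYN-SITE the router accepts whatever proxy identities the peer proposes and `reverse-route` installs a route for them, so any host that knows the wildcard key could steer traffic; a per-peer ACL tightens that. Third, the 3DES and DH group 2 from the first post are weak by current standards; prefer AES with group 14 or higher where both ends support it. (The poster's Tunnel100 with `tunnel mode ipsec ipv4` is a VTI rather than GRE, but as the accepted solution says, a VTI needs a static `tunnel destination`, which a dynamic peer cannot provide.) After applying this, `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show the phase 2 SAs that were missing in the poster's output.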

Good day to you Halijenn,

Sorry, I only have less than 3 months of experience with Cisco, so I do not have a deep understanding of the difference between GRE and VTI over IPsec. But I was using the example below for my configuration, and it uses a tunnel, but it is called Virtual Tunnel Interface (VTI) and not GRE.

https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

I thought they were similar, but VTI is easier to configure and does not need an ACL.

Please correct me if my understanding is wrong.

Thank you

From your configuration, your tunnel interface destination is a static IP address; however, you mentioned earlier that your remote peer has a dynamic IP address. So is 110.XX.XX.XXX a static IP address, or is it a dynamically assigned IP address on the remote end?

If it's static, then the easiest option is your first crypto isakmp key configuration with that 110.XX.XX.XXX static IP address (with the no-xauth keyword). Nothing else needs to be changed apart from that.

Can you share your crypto map configuration?

Hi,

110.XX.XX.XXX is a dynamic IP address. (In command mode, I entered the hostname and am also performing DDNS updating.)

Can you advise why my site-to-site does not work with the crypto keyring command?

I will attach the config as soon as tomorrow.

Thank you
