Dynamic Multipoint VPN configuration

Unanswered Question
Sep 21st, 2010

I want to create a VPN connection between routers.

One of them has a static connection. The other one has only a GSM connection with a dynamic IP address.

Can I use DMVPN for that case?

How do I configure it?

fsebera Tue, 09/21/2010 - 12:12
YES, give the hub a static IP address; spokes can use dynamic.

Works VERY well, as I am using this setup with CDMA.

Here is a link to the doc:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008075ea98.pdf

Sample Hub config:

ip cef
!
! Phase 1 (IKE) policy shared with every spoke
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Wildcard pre-shared key: any peer address is accepted, which is what lets
! spokes with dynamic (GSM/CDMA) addresses authenticate to the hub
crypto isakmp key bigsecret address 0.0.0.0 0.0.0.0
!
! Phase 2 transform set, attached to the tunnel through an IPsec profile
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile vpn-dmvpn
 set transform-set vpn-test
!
interface Loopback0
 description Loopback0
 ip address 10.57.1.255 255.255.255.255
!
! mGRE tunnel: NHRP learns each spoke's current public address when the
! spoke registers, so the hub never needs a tunnel destination
interface Tunnel0
 description Tunnel0
 bandwidth 1000000
 ip address 10.56.0.1 255.255.252.0
 no ip redirects
 ip hold-time eigrp 1 35
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 105600
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 10.0.0.0 255.0.0.0 5
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 105600
 tunnel protection ipsec profile vpn-dmvpn
!
! Public (static) interface the spokes connect to
interface GigabitEthernet0/1
 description GigabitEthernet0/1
 ip address 192.168.251.1 255.255.255.248
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
! Inside LAN
interface GigabitEthernet0/2
 description GigabitEthernet0/2
 ip address 10.57.1.1 255.255.255.248
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
! EIGRP runs over the tunnel and advertises the 10.0.0.0/8 summary to spokes
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip route 192.168.0.0 255.255.0.0 192.168.251.2

pwolsza_wolfik1 Tue, 09/21/2010 - 12:28

Thanks for the information.

But what about the spoke config?

And what about ACL rules to send traffic through the VPN to the hub and not the internet?

Diego Armando C... Tue, 09/21/2010 - 14:00

You do not have to configure an ACL for the interesting traffic. You will have to work with IPsec profiles.

The routing protocol (or statics) will be in charge of defining where to send the traffic. Only the HUB needs a static IP.
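A matching spoke configuration, written here as an added example (it is not fsebera's or Cisco's text) for the hub config posted above: it reuses the hub's tunnel subnet 10.56.0.0/22, NHRP network-id and authentication string, tunnel key, IPsec profile and pre-shared key, and assumes the spoke's GSM interface is called Cellular0 and its LAN is 10.58.1.0/24 (both made up for the example). It also shows why no crypto ACL is needed: EIGRP over the tunnel installs the hub's 10.0.0.0/8 summary, so traffic to 10.x follows the tunnel, while everything else follows the default route out of the cellular interface.

```cisco
ip cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! The spoke only ever talks to the hub, so the key is bound to the hub's
! static address rather than to the 0.0.0.0 0.0.0.0 wildcard the hub uses
crypto isakmp key bigsecret address 192.168.251.1
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto ipsec profile vpn-dmvpn
 set transform-set vpn-test
!
interface Tunnel0
 description DMVPN spoke tunnel to hub
 ip address 10.56.0.2 255.255.252.0
 no ip redirects
 ip hold-time eigrp 1 35
 ip nhrp authentication test
 ! Static mapping of the hub's tunnel address to its public address,
 ! plus the hub as next-hop server; the spoke registers its own current
 ! (dynamic) public address with the hub when the tunnel comes up
 ip nhrp map 10.56.0.1 192.168.251.1
 ip nhrp map multicast 192.168.251.1
 ip nhrp network-id 105600
 ip nhrp holdtime 600
 ip nhrp nhs 10.56.0.1
 ! Assumed name of the GSM interface; the tunnel source address is whatever
 ! the carrier hands out, so no fixed IP is needed on the spoke
 tunnel source Cellular0
 tunnel mode gre multipoint
 tunnel key 105600
 tunnel protection ipsec profile vpn-dmvpn
!
! Spoke LAN (assumed addressing)
interface GigabitEthernet0/0
 description LAN
 ip address 10.58.1.1 255.255.255.0
!
! EIGRP over the tunnel: the spoke learns 10.0.0.0/8 from the hub and
! advertises 10.58.1.0/24 back, which is what steers traffic into the VPN
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
! Default route to the internet via the cellular link (assumed); only the
! routes learned over Tunnel0 are more specific than this
ip route 0.0.0.0 0.0.0.0 Cellular0
```

After the tunnel comes up, `show dmvpn` on either side should list the peer with the spoke's current public address as the NBMA address, and `show ip route` on the spoke should show 10.0.0.0/8 reachable via 10.56.0.1 over Tunnel0; no crypto ACL or `crypto map` appears anywhere because `tunnel protection` encrypts everything the tunnel carries.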

Diego Armando C... Tue, 09/21/2010 - 14:02

If you are going to have only 2 routers in the VPN you can work with Easy VPN.

You can work with dynamic maps so your router with the static IP will not need to know the peer IP address.

Diego Armando C... Tue, 09/21/2010 - 14:28

The only problem with dynamic crypto maps is that only the router with the DHCP address can initiate the connection or the VPN.

pwolsza_wolfik1 Mon, 09/27/2010 - 03:12

Well, I managed to establish a connection between the routers, but I have one problem.

When the spoke IP address changes, it takes too long to establish another connection.

In the monitor (using CCP) I can see the old tunnel, but the new one only gets established after approximately 10 minutes.

How do I solve this problem?

Diego Armando C... Mon, 09/27/2010 - 09:06

What did you configure? DMVPN, Easy VPN or site-to-site using a dynamic map?

pwolsza_wolfik1 Mon, 09/27/2010 - 11:32

DMVPN, hub-and-spoke network with a p2p GRE interface using OSPF routing.

pwolsza_wolfik1 Tue, 09/28/2010 - 00:43

Yes, it helped.

But I was thinking whether I can use a site-to-site VPN connection with dynamic crypto map sets.

And this also works for me.

But in this case I found a problem when the connection is established and the peer IP has changed.

Which option is responsible for checking whether the peer is still connected on its IP? If not, close the VPN connection and establish a new one on the new IP.

In the crypto map I found the security association lifetime and idle time.

In the IKE policy there is a lifetime also.

Where should I look?
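The settings the last post names (IKE policy lifetime, SA lifetime, SA idle time) only control when an SA is rekeyed or torn down for inactivity; none of them detects that a peer has gone away. Liveness is the job of IKE dead peer detection, and on a DMVPN spoke the NHRP registration timers decide how fast the hub learns a new spoke address. The following fragment is an added example, not text from the thread or from Cisco, showing the relevant knobs on IOS; the numeric values are illustrative choices, not recommendations from the page.

```cisco
! IKE dead peer detection (applies to DMVPN and dynamic-crypto-map tunnels alike).
! Send a DPD probe after 10 s without traffic from the peer and retry every 3 s;
! "periodic" keeps probing even when no data is flowing, so a peer whose
! address changed is noticed without waiting for the next packet or rekey.
crypto isakmp keepalive 10 3 periodic
!
! Optional: drop IPsec SAs that carry no traffic for 120 s, so a stale SA to
! the peer's old address does not linger until its lifetime expires.
crypto ipsec security-association idle-time 120
!
! DMVPN spoke side. The 10-minute wait described earlier matches an NHRP
! holdtime of 600 s: the hub keeps the old NBMA mapping until it expires.
interface Tunnel0
 ! How long the hub may cache this spoke's mapping (seconds)
 ip nhrp holdtime 300
 ! Re-register with the hub every 60 s instead of the default holdtime/3
 ip nhrp registration timeout 60
 ! Let the spoke overwrite its own stale mapping on the hub when it comes
 ! back with a new public address, instead of being rejected as a duplicate
 ip nhrp registration no-unique
```

Check with `show crypto isakmp sa` (the DPD-detected dead peer's IKE SA disappears instead of sitting in QM_IDLE) and, on the hub, `show dmvpn` (only one entry per spoke, carrying its current NBMA address). With DPD in place the old tunnel is torn down within the keepalive plus retry window, and the spoke's next registration creates the replacement entry.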
