Router to router VPn - Dynamic IP Address

BrianChernish · ‎08-28-2006

I have a hub and spoke network with GRE tunnels and EIGRP running to 28 sites from my head end. I have been asked to look into allowing several corporate types to tunnel into our VPN (so they can use Cisco Voice in their home offices). I have successfully implimented this with some surplus 806 routers for 2 such locations that have static IP Addresses and it works great. Now I am faced with a third site that has Dynamic IP Addressing on the outside interface. I tryed experimenting with DMVPN but the 806 does not seem to support NHRP. Is there any way to support a remote site that has dynamically assigned IP address?

My existing configs for Static IP Sites look something like this:

version 12.3

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname Myers-VPN

!

boot-start-marker

boot-end-marker

!

clock timezone PST -8

clock summer-time PDT recurring

no aaa new-model

ip subnet-zero

ip dhcp excluded-address 192.168.31.1 192.168.31.99

!

ip dhcp pool CLIENT

network 192.168.31.0 255.255.255.0

domain-name wsi.local

default-router 192.168.31.3

netbios-name-server 192.168.1.5

dns-server 192.168.1.5

option 150 ip 192.168.1.88 192.168.1.87

lease infinite

!

ip domain name wsi.local

ip name-server xxx.xxx.xxx.xxx

ip ips po max-events 100

no ftp-server write-enable

!

class-map match-all Myers-VPN

match access-group 150

!

policy-map VPN-tunnel-shapping-990

description bandwidth shaping for Myers

class Myers-VPN

shape peak 1536000

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

crypto isakmp key MyKeyISHere address xxx.xxx.xxx.xxx (Head End IP)

no crypto isakmp ccm

!

crypto ipsec transform-set MyTransformIsHere esp-3des esp-md5-hmac

!

crypto map Myers-VPN 990 ipsec-isakmp

set peer xxx.xxx.xxx.xxx

set transform-set MyTransformIsHere

match address 151

!

interface Tunnel990

description To MSO Cutthroat_vpn - IP addr xxx.xxx.xxx.xxx

ip address 192.168.201.246 255.255.255.252

service-policy output VPN-tunnel-shapping-990

ip mtu 1390

load-interval 30

keepalive 5 4

tunnel source Ethernet1

tunnel destination xxx.xxx.xxx.xxx

crypto map Myers-VPN

!

interface Ethernet0

description To Jim's PC

ip address 192.168.31.3 255.255.255.0

ip nat inside

ip virtual-reassembly

hold-queue 32 in

hold-queue 100 out

!

interface Ethernet1

description To WSI Corp VPN via Internet

ip address xxx.xxx.xxx.xxx 255.255.248.0

ip nat outside

ip virtual-reassembly

crypto map Myers-VPN

!

router eigrp 316

passive-interface Ethernet1

network 192.168.31.0

network 192.168.201.0

no auto-summary

no eigrp log-neighbor-changes

!

ip classless

ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

ip route xxx.xxx.xxx.xxx 255.255.255.255 xxx.xxx.xxx.xxx

ip route 192.168.0.0 255.255.0.0 Tunnel990

ip route xxx.xxx.xxx.xxx 255.255.248.0 xxx.xxx.xxx.xxx

no ip http server

no ip http secure-server

!

ip nat inside source route-map nonat interface Ethernet1 overload

!

logging trap warnings

logging 192.168.1.70

access-list 140 deny ip 192.168.31.0 0.0.0.255 10.125.0.0 0.0.255.255

access-list 140 deny ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 140 permit ip 192.168.31.0 0.0.0.255 any

access-list 150 permit ip any any

access-list 151 permit gre host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx

snmp-server community readonly RO

snmp-server community readwrite RW

route-map nonat permit 10

match ip address 140

!

Any wonderful Ideas out there?

puagarwa · ‎08-29-2006

Configuring Router-to-Router Dynamic-to-Static IPSec with NAT

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml