Dynamic IP to Dynamic IP IPSEC VPN Tunnel

Introduction: This document describes the process of building a LAN-to-LAN IPsec tunnel between two routers when both routers have dynamic public IP addresses.

Hardware: Cisco Router

Software: Cisco IOS 12.4

DDNS registration for both sites

Procedure: 

To achieve this, each site needs a Dynamic DNS (DDNS) name, registered with the ISP or a DDNS provider, that always points at that site's current public IP address. Once DDNS is working for both sites, each router re-resolves the remote site's DDNS name every minute and sets its tunnel destination to whatever IP address the name currently returns. The router must therefore be able to resolve names itself (ip domain lookup enabled and a reachable ip name-server); if resolution fails, the tunnel destination command fails and the previously stored address stays in place.

Instead of a crypto map we use an IPsec profile applied to a Virtual Tunnel Interface (VTI), so the tunnel re-establishes automatically after the peer address changes. The advantage of a profile-based VTI is that you can run routing protocols through the tunnel interface, and you do not have to edit crypto map access lists every time the network topology changes.

So we use an Embedded Event Manager (EEM) applet to re-apply the DDNS name on a schedule:

event manager applet change-tunnel-dest
 event timer cron name "CHRON" cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel199"
 action 1.3 cli command "tunnel destination remotevpn.gotdns.com"

The five fields of the cron-entry are "minute hour day-of-month month day-of-week", so "* * * * *" fires every minute: the applet re-resolves the DDNS name and re-enters the tunnel destination once a minute.

IOS stores an IP address, not a hostname, under tunnel destination. You may type a hostname when configuring it, but the router resolves the name once, at the moment you enter the command, and stores only the resulting IP.

So if you type:

config terminal
 interface tunnel100
  tunnel destination remote.dyndns.com
 exit

and then:

show run int tunnel100

it shows:

interface Tunnel100
 tunnel destination 75.67.43.79

That is why the EEM applet re-enters the tunnel destination every minute: each run resolves the DDNS name again and stores whatever IP address it currently returns.
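The mechanism above, as an added example that is not part of the original post: a small Python script that does offline what the EEM cron job does on the router. It parses `show run int tunnel100` output (constructed here to match the output shown above), compares the IP stored under `tunnel destination` with a DDNS answer (a constructed lookup table standing in for a resolver call), and returns the configuration lines that would be pushed, and only when the address actually changed and is a plausible public peer, which is a check the router's own applet does not make. The hostnames, addresses and show output are assumptions for illustration; in real use the lookup table would be replaced by socket.gethostbyname() and the lines sent to the router over SSH.

```python
"""Offline model of the DDNS-driven tunnel-destination update.

Added example, not code from the original post. IOS stores an IP address,
not a name, under `tunnel destination`, so the name must be re-resolved
periodically and the interface reconfigured when the answer changes.
Hostnames, addresses and the show output below are constructed for
illustration; a real script would resolve with socket.gethostbyname()
and push the returned lines to the router over SSH.
"""
import ipaddress
import re
from typing import List, Optional

# Matches the line IOS prints for the stored (already resolved) destination.
TUNNEL_DEST_RE = re.compile(r"^\s*tunnel destination (\S+)\s*$", re.MULTILINE)

# Constructed `show run int tunnel100` output, matching the post's example
# where a DDNS name was entered and stored as 75.67.43.79.
SHOW_RUN_TUNNEL100 = """\
Building configuration...

Current configuration : 215 bytes
!
interface Tunnel100
 description to remote.dyndns.org
 ip address 10.10.10.1 255.255.255.0
 tunnel source Dialer0
 tunnel destination 75.67.43.79
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTOPROFILE
end
"""

# Constructed DDNS answers standing in for a real resolver call.
DNS_ANSWERS = {
    "remote.dyndns.org": "75.67.43.79",   # unchanged since the last run
    "moved.dyndns.org": "93.219.58.191",  # the remote site's address changed
    "stale.dyndns.org": "0.0.0.0",        # broken/expired DDNS record
}


def current_destination(show_run: str) -> Optional[str]:
    """Return the IP stored under `tunnel destination`, or None if absent."""
    match = TUNNEL_DEST_RE.search(show_run)
    return match.group(1) if match else None


def usable_peer(addr: str) -> bool:
    """Reject answers that cannot be a public IPsec peer.

    The router's EEM applet has no such check: if the DDNS record expires
    and the name resolves to 0.0.0.0 or an RFC1918 address, the applet
    would overwrite a working destination with it.
    """
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:          # unresolved name, IPv6, or junk
        return False
    return not (ip.is_unspecified or ip.is_loopback or ip.is_multicast
                or ip.is_private or ip.is_reserved)


def update_commands(show_run: str, resolved: str,
                    tunnel: str = "tunnel100") -> List[str]:
    """Return the CLI lines one cron tick would push, or [] for a no-op.

    `resolved` is what the DDNS name currently resolves to. The lines mirror
    the post's EEM actions 1.1-1.3, with the resolved IP substituted because
    that is what IOS would store anyway.
    """
    stored = current_destination(show_run)
    if not usable_peer(resolved) or stored == resolved:
        return []
    return [
        "configure terminal",
        f"interface {tunnel}",
        f"tunnel destination {resolved}",
        "end",
    ]


def cron_tick(show_run: str, hostname: str,
              answers: dict = DNS_ANSWERS) -> List[str]:
    """One scheduled run: resolve the name (from the constructed table here,
    socket.gethostbyname(hostname) in real use) and compute the push."""
    return update_commands(show_run, answers.get(hostname, ""))


if __name__ == "__main__":
    for name in DNS_ANSWERS:
        print(f"{name:20s} -> {cron_tick(SHOW_RUN_TUNNEL100, name) or 'no change'}")
```

The on-router applet pushes the hostname every minute regardless, which is simpler but means a bad DDNS answer is applied without question; the script's usable_peer() check is the difference between the two.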

Network Diagram: Router.gif

Configuration Sample

Local Router:

crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
!
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0 no-xauth   ( where XXXX is the pre-shared key; the wildcard address is needed because the peer's IP is not known in advance )
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set ESP-3DES-SHA
!
interface Tunnel100
 description to remote.dyndns.org
 ip address 10.10.10.1 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source Dialer0
 tunnel destination <remote dynamic IP>   ( initial value; the EEM applet below keeps it current )
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTOPROFILE
!
ip route 192.168.2.0 255.255.255.0 10.10.10.2
!
event manager applet change-tunnel-dest
 event timer cron name "CHRON" cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel100"
 action 1.3 cli command "tunnel destination remote.dyndns.org"   ( where remote.dyndns.org is the remote site's DDNS name )

Remote Router:

crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
!
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0 no-xauth   ( where XXXX is the same pre-shared key as on the local router )
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set ESP-3DES-SHA
!
interface Tunnel100
 description to local.dyndns.org
 ip address 10.10.10.2 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source Dialer0
 tunnel destination 93.219.58.191   ( initial value; the EEM applet below keeps it current )
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTOPROFILE
!
ip route 192.168.1.0 255.255.255.0 10.10.10.1
!
event manager applet change-tunnel-dest
 event timer cron name "CHRON" cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel100"
 action 1.3 cli command "tunnel destination local.dyndns.org"   ( where local.dyndns.org is the local site's DDNS name )


Verify:

Use the following commands:

show crypto isakmp sa
show crypto ipsec sa
show crypto session
show interface tunnel100   ( the stored tunnel destination and the line/protocol state of the VTI )
show event manager policy registered   ( confirms the applet is registered )

Notes:

The wildcard pre-shared key (address 0.0.0.0 0.0.0.0) is unavoidable here because neither peer's address is known in advance, but it means any host that obtains the key can complete IKE with the router, so use a long random key and do not reuse it elsewhere. 3DES, SHA-1 and DH group 2 are the 12.4-era choices shown above; on images that support them, prefer AES and a stronger DH group in both the ISAKMP policy and the transform set.

I hope this will be informative, and I want to thank you for viewing.
