Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
380
Views
0
Helpful
1
Replies

LAN-to-LAN VPN w/ Multiple Dynamic IP Remote Routers

dmcquestion
Level 1
Level 1

‎10-18-2005 02:02 AM

I have multiple sites with Cisco 877 routers. These sites are all issued dynamic IP addresses from their ISP's.

In my scenario all sites will have their own unique:

a) Private IP network (10.16.xxx.0/24)

b) Unique isakmp key

I configured one:

crypto isakmp key (uniquekey) address 0.0.0.0 0.0.0.0

crypto dynamic-map (name) 90

set transform-set (name)

match address 109

crypto map (name) 90 ipsec-isakmp dynamic (name)

This works great until I try to add a 2nd configuration using a different isakmp key and crypto map.

To problems:

1) I am unable to configure any additional unique isakmp keys for additional sites. When I try to configuration another key for dynamic I get an error that a key for 0.0.0.0 already exists. I understand this but how do I get around it?

2) I am also unable to configure additional crypto maps. When I add another crypto map specifying dynamic it does not show up.

I currently have 8 static remote sites configured. Have not had any problems for 2 years. I am just now having to deal with sites using dynamic IP's and want to be able to create each site as a unique key and map entity with the ability to use dynamic IP's.

I have attached a very simple diagram showing my network relationship.

2691v at main office (12.3(1a))

877's at remote offices (12.3(14)-YT1)

Any help, suggestions or configuration examples would be appreciated.

Thanks,

Danny Mc?

Labels:
Preview file
203 KB
0 Helpful
1 Reply 1

spremkumar
Level 9
Level 9

‎10-18-2005 03:07 AM

Hi

Have you tried adding the new locations onto the existing dynamic group ?

Becoz i think you wont be able to create another dynamic map since you have got one already in place out there serving your mobile/dynamic users.

if you want them to be treated as a seperate entity with seperate key and transform set then the only way out would be going for static ips at the remote location by doing like that you have the freedom of creating seperate statement numbers under the same crypto map in the main office with respect to different remote locations.

regds

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents