New Member

Site to site ipsec vpn with dynamic ip on one end??

Hi,

How do I create a site-to-site IPsec VPN where one end has a static IP and the other has a dynamic IP?

Thanks

Sihanu N

2 REPLIES
New Member

Hi Sihanu,

You probably could get a good start by taking a look at this document.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

A couple of suggestions in addition to this example:

  1. Use certificates for authentication instead of pre-shared keys. This article describes a general setup using certificates: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml
  2. If you do elect to use pre-shared keys, then make the keys complex.

Hope this helps.

New Member

Hi Sihanu,

This will be very easy using DMVPN. You will configure IPsec/GRE with NHRP enabled.

I will give you a configuration sample.

1- Server side (with static real IP address); let's say the real address is "x.x.x.x"

```
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile dmvpn
 set transform-set dmvpn
!
interface Tunnel10
 ! Any private IP address
 ip address 10.10.10.1 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip nhrp authentication key1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 ip nhrp holdtime 600
 load-interval 30
 ! The interface which carries the static real IP address
 tunnel source S1/0
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile dmvpn
```

2- Client side (the router with the dynamic address)

```
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address x.x.x.x
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile dmvpn
 set transform-set dmvpn
!
interface Tunnel1
 ip address 10.10.10.2 255.255.255.252
 ip nhrp authentication key1
 ip nhrp map multicast x.x.x.x
 ip nhrp map 10.10.10.1 x.x.x.x
 ip nhrp network-id 1000
 ip nhrp holdtime 600
 ip nhrp nhs 10.10.10.1
 ! The interface with the dynamic IP address
 tunnel source Cellular0/0/0
 tunnel destination x.x.x.x
 tunnel key 1000
 tunnel protection ipsec profile dmvpn
```

Feel free to ask for more info.

Best Regards.
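
An added example, not part of the original thread and not Cisco tooling: a small Python check that applies the first reply's advice (certificates rather than pre-shared keys, complex keys) to the ISAKMP lines of the hub configuration in the second reply, and also flags 3DES, MD5 and DH groups 1, 2 and 5 as legacy values. The name `audit_isakmp`, the `WEAK` table and the key-complexity thresholds are assumptions of this example, and only the plain `crypto isakmp key <key> address ...` form is parsed.

```python
import re

# Constructed sample: the ISAKMP lines of the hub configuration posted above,
# indented the way "show running-config" prints sub-mode commands.
SAMPLE_HUB = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3 periodic
"""

# Assumed audit policy for this example: legacy IKE values to flag.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}


def audit_isakmp(config: str) -> list[str]:
    """Return findings for weak IKEv1 settings in an IOS configuration."""
    findings, policy = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if not raw.startswith(" "):
            policy = None  # an unindented line ends the policy sub-mode
        words = line.split()
        if policy and len(words) >= 2:
            param = "encr" if words[0].startswith("encr") else words[0]
            if words[1] in WEAK.get(param, ()):
                findings.append(f"policy {policy}: weak {param} {words[1]}")
            if words[:2] == ["authentication", "pre-share"]:
                findings.append(f"policy {policy}: pre-shared key authentication")
        m = re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", line)
        if m:
            psk, addr = m.group(1), m.group(2)
            if addr == "0.0.0.0":
                findings.append("wildcard pre-shared key: accepted from any peer address")
            # Assumed thresholds: at least 20 characters and 3 character classes.
            classes = sum(bool(re.search(p, psk)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
            if len(psk) < 20 or classes < 3:
                findings.append("pre-shared key too simple (length < 20 or < 3 character classes)")
    return findings


if __name__ == "__main__":
    for finding in audit_isakmp(SAMPLE_HUB):
        print(finding)
```

The findings never echo the key itself, so the output can be pasted into a ticket or report.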
