Cisco Support Community
New Member

Site-to-Site VPN 1800 to ASA (8.4) both peers DHCP

Hi All,

I am trying to set up a site-to-site VPN between an 1841 Router and an ASA5510 running 8.4. Both ends negotiate their outside interface IP addresses via DHCP and are connected to ADSL lines.

I have set up the 1841 to an ASA with a fixed IP address using Aggressive mode and that works fine; however, when I try to replicate the config on the ASA with the negotiated IP address it is as if there is no interesting traffic for the encryption domain and it fails at Phase 1.

I have re-used the same crypto maps, dynamic maps, transform sets, ACL format and static NAT exception as on the working fixed-outside-address ASA, but I cannot seem to get the tunnel to initiate from either side.

From the ASA end debugging I see:

(crypto_map_check)-1: Error: No crypto map matched.

From the 1841 end I see:

Aug  6 15:57:39.268: ISAKMP:(0:104:SW:1): retransmitting phase 1 AG_INIT_EXCH...
Aug  6 15:57:39.268: ISAKMP (0:134217832): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug  6 15:57:39.268: ISAKMP:(0:104:SW:1): retransmitting phase 1 AG_INIT_EXCH
Aug  6 15:57:39.268: ISAKMP:(0:104:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (I) AG_INIT_EXCH

Is this even possible to setup with both ends having negotiated addresses? I have seen a few posts that seem to suggest not.

Please see attached for configurations.

Many thanks,

Stuart


Accepted Solutions
Cisco Employee

Site-to-Site VPN 1800 to ASA (8.4) both peers DHCP

No, you've guessed it correctly.

You can't have both ends with dynamic IP addresses set up with a VPN tunnel, because if both ends do not know what the peer's IP address is, it won't be able to establish the VPN tunnel.

You can only have one end dynamic, and the other end with a static IP address.

4 REPLIES
New Member

Site-to-Site VPN 1800 to ASA (8.4) both peers DHCP

Hi Jennifer,

Thank you for clarifying this.

Regards,

Stuart

Cisco Employee

Site-to-Site VPN 1800 to ASA (8.4) both peers DHCP

Cheers, please kindly mark the post answered so others can learn from your question. Thank you.

VIP Purple

Site-to-Site VPN 1800 to ASA (8.4) both peers DHCP

There could be a solution for that. But it's really dirty and probably not worth trying:

  • The ASA has to be registered in a service like DynDNS. That has to be done by an inside host, as the ASA can't do that.
  • On the ASA you need a dynamic crypto map to accept connections from any peer.
  • The IOS router can be configured to use an FQDN as the peer address that gets resolved at the time of the connection attempt.
  • The connection has to be authenticated with digital certificates so that the peer ID can be matched without knowing the peer IP.

So, better get a static IP for your box.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
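As an added illustration of the four steps in the reply above (this is not the poster's attached configuration and not from the original thread), a minimal pair of configs; the trustpoint `LAB-CA`, the CA URL `ca.example.com`, the dynamic-DNS name `asa-site.dyndns.example.org` and the two LAN ranges are all hypothetical.

```text
! === 1841 (IOS): dynamic address on Dialer0, peer named by FQDN ===
! Hypothetical CA; both peers enroll with it and authenticate by certificate.
crypto pki trustpoint LAB-CA
 enrollment url http://ca.example.com:80
 subject-name CN=r1841.example.com
 revocation-check none
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
! Send the certificate DN as IKE identity instead of the (changing) address.
crypto isakmp identity dn
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
! "dynamic" makes IOS re-resolve the FQDN on every connection attempt.
 set peer asa-site.dyndns.example.org dynamic
 set transform-set TS
 match address VPN-TRAFFIC
interface Dialer0
 crypto map VPN
!
! === ASA 5510 (8.4): accept the router from any address, authenticate by cert ===
crypto ca trustpoint LAB-CA
 enrollment url http://ca.example.com:80
 subject-name CN=asa5510.example.com
 revocation-check none
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
crypto ipsec ikev1 transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map DYN 10 set ikev1 transform-set TS
! Dynamic entry: no "set peer", so any source address can negotiate.
crypto map OUTSIDE 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE interface outside
crypto ikev1 enable outside
crypto isakmp identity auto
! Certificate-authenticated L2L peers fall into DefaultL2LGroup.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 trust-point LAB-CA
```

Because the router only uses DNS to locate the ASA, it is the certificate check, not the resolved address, that authenticates the peer; a stale dynamic-DNS record therefore costs a failed negotiation, not a tunnel to the wrong box.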