Cisco Support Community
New Member

VPN IPSec Site-to-Site Aggressive Mode on Cisco1905

Hello everyone, can you configure a Cisco 1905 router with VPN IPsec site-to-site in aggressive mode? If so, could someone point me to a link on how to do it? The VPN works well, but on site A, I had to configure a crypto map associating the IP address for site B (which is dynamic), so if the connection on site B breaks, I will have to configure another crypto map.

The scenario is:

Site A - ASA 5510 configured as a VPN concentrator and firewall for enterprise.

Site B - Cisco 1905 connected to the Internet through an ADSL link with a dynamic IP address and starting the connection to Site A. Below is the configuration:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxx address W.X.Y.Z
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
crypto map VPN_2_SITE_A 10 ipsec-isakmp
 set peer W.X.Y.Z
 set transform-set ESP-3DES
 match address 100
interface GigabitEthernet0/0
 description LINK_MODEM_ADSL
 ip address dhcp
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
interface GigabitEthernet0/1
 description LAN SITE_B
 ip address 172.16.20.252 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname siteb@enterprise.com
 ppp chap password 7 [omitted]
 ppp pap sent-username siteb@enterprise.com password 7 [omitted]
 crypto map VPN_2_SITE_A
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.0.0 255.255.255.0 Z.Y.X.W
!
access-list 100 permit ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 111 deny   ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
 match ip address 111

Best regards, and I would appreciate any help a lot :-)

Marlon V. Resende

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: VPN IPSec Site-to-Site Aggressive Mode on Cisco1905

Marlon

I do not believe that aggressive mode will solve your issue. Site to site VPN where one peer uses dynamic address is a situation that occurs with some frequency. The usual solution is to configure the peer using fixed address with a dynamic entry in the crypto map. This allows the VPN to be initiated from the dynamic peer and does not require the fixed address peer to specify the peer address of the dynamic peer.

HTH

Rick

Sent from Cisco Technical Support iPad App

5 REPLIES
New Member

Re: VPN IPSec Site-to-Site Aggressive Mode on Cisco1905

Hello, I configured the dynamic crypto, but the peer can't find a valid tunnel-group and then it is aborted.

I already have the configuration below applied on the concentrator:

tunnel-group VPN_2_SITE_A type ipsec-l2l
tunnel-group VPN_2_SITE_A ipsec-attributes
 pre-shared-key *

How can I configure the peer using a fixed address? Would it be with the command below?

crypto map OUTSIDE_MAP 5 set peer W.X.Y.Z.

If not, which are the commands?

Thanks

Marlon
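The dynamic crypto map entry described in the accepted answer, together with the tunnel-group a dynamic-address peer lands in (the error reported in the follow-up above), as an added example that is not part of any post in this thread. It assumes pre-8.4 ASA syntax, an outside interface named `outside`, the hypothetical names DYN_SITE_B and SITE_B_CRYPTO, and a placeholder key; the proposals mirror the Site B configuration posted above so that both ends agree.

```cisco
! Site A (ASA) - added example, not taken from the thread.
! Names DYN_SITE_B and SITE_B_CRYPTO are hypothetical; "outside" is an
! assumed interface name; <PRE_SHARED_KEY> is a placeholder.
!
! Phase 1 proposal matching Site B's "crypto isakmp policy 10"
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp enable outside
!
! Phase 2 proposal matching Site B's ESP-3DES transform set
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
! Mirror image of Site B's access-list 100 (ASA uses netmasks, not wildcards)
access-list SITE_B_CRYPTO extended permit ip 172.16.0.0 255.255.255.0 172.16.20.0 255.255.255.0
!
! Dynamic entry: no "set peer", so Site B may connect from any address
crypto dynamic-map DYN_SITE_B 10 match address SITE_B_CRYPTO
crypto dynamic-map DYN_SITE_B 10 set transform-set ESP-3DES
!
! Attach the dynamic map at the highest sequence number so that static
! entries for fixed-address peers are evaluated first
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_SITE_B
crypto map OUTSIDE_MAP interface outside
!
! Main-mode PSK peers with an unknown address land in DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <PRE_SHARED_KEY>
```

With a pre-shared key in main mode the ASA cannot match a peer of unknown address to a named tunnel-group such as VPN_2_SITE_A, so it falls back to DefaultL2LGroup, which is why the key is set there. The tunnel can only be brought up by traffic from Site B, since Site A has no peer address to initiate to.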

New Member

VPN IPSec Site-to-Site Aggressive Mode on Cisco1905

Hi, we are having an issue related to IPsec. Could you tell me which IOS version you are using for the Cisco 1905?

Basically, we need to configure IPsec site-to-site VPN on a Cisco 1905, so the IOS name or a URL would be great.

Hall of Fame Super Silver

VPN IPSec Site-to-Site Aggressive Mode on Cisco1905

I would think that any of the versions of code supported on the 1905 would support IPSec VPN. Since the 1900 routers run the Universal image it is less important what version of code and more important to be sure that you have the Security license applied on the router for it to support IPSec tunnels.

HTH

Rick

New Member

VPN IPSec Site-to-Site Aggressive Mode on Cisco1905

Hello,

Please share Isakmp debug logs.

Thanks,
