Showing results for 
Search instead for 
Did you mean: 

Who Me Too'd this topic

2900 router to ASA - L2L VPN with router side dynamic IP


Hi everyone -

I need to do an L2L VPN between two devices.

The VPN needs to pass traffic for several subnets.

There are routers behind all the equipment, so routing isn't a problem, and I understand how to do the traffic matching ACLs so that

we get the correct traffic sent over the link.

For sake of background info, this is a CME router that's portable in a case, and is designed to operate either off a satellite

link or a direct Ethernet link to some public Internet access.

The router does an IPSec L2L VPN back to home, and allows an H.323 trunk to permit calling between the phones on the remote system and the main phone system at the head end site.


Main site is an ASA 5505 with a static public IP.

Remote site is a 2911 router

The router has a fixed IP address on a satellite link (FastEthernet 0/1)

That link is connected to a satellite modem.

The router also has FastEthernet 0/0 set up as DHCP.

I have a VPN config in the ASA and in the router that works for the satellite link, using the DefaultL2L tunnel group.

At one time, that worked OK for the initial setup.

Now, I'm trying to use the same router, connected to the FastEthernet0/0 interface, with it getting a dynamic IP from an ISP.

The satellite would be shut down.

The same crypto map is applied to both the FastEthernet 0/0 and FastEthernet0/1 interfaces - so the same VPN tunnel should

try to come up over whichever interface is available.

Based on this:

The Cisco document states that the IPSec L2L tunnels require static IP addressing on each end -


tunnel-group type ipsec-l2l

!--- In order to create and manage the database of connection-specific
!--- records for ipsec-l2l—IPsec (LAN-to-LAN) tunnels, use the command
!--- tunnel-group in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.

tunnel-group ipsec-attributes

pre-shared-key *

!--- Enter the pre-shared-key in order to configure the
!--- authentication method".

I asked the vendor for the CME equipment about just using EasyVPN in NEM mode, since I know that would route networks, but he said that won't work for multiple subnets behind routers behind the VPN-endpoints.

Is it in fact possible to establish an IPSec L2L VPN tunnel between an ASA with a fixed IP and a remote 29XX router

with a dynamic IP address, and route several subnets over that link?

I can post bits of config, but some of this is proprietary to that vendor, so I can't post entire configs..


Who Me Too'd this topic