Enthusiast

Configure Site-to-Site VPN with dynamic IP on one side!

Hello Experts,

 

I want to configure an IPsec tunnel with a dynamic IP on the remote site.

 

HQ (HUB)----------Remote Location

 

Here is my layout:

Dyn_IPsec.PNG

 

Info: The HUB is using static IP routing for public IP routes, so it's really hard to route an unknown IP!!! (Biggest issue) and I have a default route to our LAN from the HQ router.

Thanks in advance.

 

VIP Mentor

Re: Configure Site-to-Site VPN with dynamic IP on one side!

Hello,

 

 

Have a look at the configuration example below:

 

CONFIGURING CISCO SITE TO SITE IPSEC VPN WITH DYNAMIC IP ENDPOINT CISCO ROUTERS

 

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/936-cisco-router-vpn-dynamic-endpoint.html

Enthusiast

Re: Configure Site-to-Site VPN with dynamic IP on one side!

Thanks for the quick answer.

 

But my main issue is routing on HQ router!!

 

How do I route the dynamic IP from HQ routers, as I do not have a specific IP!!!

 

Thanks

 

VIP Advocate

Re: Configure Site-to-Site VPN with dynamic IP on one side!

"But my main issue is routing on HQ router!!

How do I route the dynamic IP from HQ routers, as I do not have a specific IP!!!"

What do you mean by routing with the WAN IP address? You can also implement a default route from ISP 2.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution If this comment will make help you!
Enthusiast

Re: Configure Site-to-Site VPN with dynamic IP on one side!

Sorry for typo.

 

I am routing the WAN IP addresses for all 40 locations statically (next hop is ISP and ISP2).

 

There is one default route available on HQ router and that is towards LAN: 0/0 10.18.2.254

 

Thanks

 

 

 

VIP Mentor

Re: Configure Site-to-Site VPN with dynamic IP on one side!

Hello,

 

all you need is a default route pointing to the outgoing interface on both the remote site and the HQ site...

 

ip route 0.0.0.0 0.0.0.0 interface X

Enthusiast

Re: Configure Site-to-Site VPN with dynamic IP on one side!

Thanks again.

Problem is I already have a default route on HQ router towards LAN.

 

====================

ip route 0.0.0.0 0.0.0.0 10.18.2.254

====================

 

 

Thanks

 

 

VIP Mentor

Re: Configure Site-to-Site VPN with dynamic IP on one side!

Hello,

 

Is that default route actually needed? Typically, the LAN would be on a directly connected interface...

Enthusiast

Re: Configure Site-to-Site VPN with dynamic IP on one side!

I think we need it.

 

Please have a look at the topology:

Dyn_IPsec.PNG

Thanks

VIP Advocate

Re: Configure Site-to-Site VPN with dynamic IP on one side!

Hi,

The LAN-to-remote-site routing will be done using the tunnel interface IP address, not a public IP address, and the tunnel mode will be point-to-multipoint.

The HQ configuration for a dynamic remote (spoke) IP address will be like:

 

interface Tunnel0
 description mGRE - DMVPN Tunnel
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! tunnel source is the WAN interface IP
 tunnel source 1.1.1.1
 tunnel mode gre multipoint

 

 

Spoke Tunnel configuration as:

 

interface Tunnel0
 description R2 mGRE - DMVPN Tunnel
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ! tunnel source is the WAN interface that has the dynamic IP address
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint

You can implement dynamic routing or static routes as per your environment, and the destination host will be a tunnel interface.
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution If this comment will make help you!
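
The tunnel interfaces in the answer above carry only the mGRE/NHRP settings; for the tunnel to be an IPsec VPN, as the thread title asks, both sides also need IKE and IPsec protection bound to the tunnel. An added example (not from the original posts), using IKEv1 with a pre-shared key; the policy number, the names DMVPN-TS and DMVPN-PROF and the key placeholder are assumptions, and 1.1.1.1 is the hub address used in the answer:

```cisco
! Added example, not from the thread. Names and numbers are assumed.
!
! --- Hub and spoke: identical IKE phase 1 policy ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! --- Hub only: the spoke address is dynamic, so the key cannot be
! --- tied to one peer. A wildcard key accepts any peer that knows it,
! --- so keep it long and random, or use certificates instead.
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
! --- Spoke only: the hub address is static, so pin the key to it.
! crypto isakmp key <PRE-SHARED-KEY> address 1.1.1.1
!
! --- Hub and spoke: transport mode, GRE already provides the tunnel ---
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- Hub and spoke: bind the profile to the mGRE tunnel ---
interface Tunnel0
 tunnel protection ipsec profile DMVPN-PROF
```

Once the spoke registers, `show dmvpn` and `show crypto session` on the hub list the spoke's current public address, which the hub learns from NHRP and IKE rather than from configuration.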
Enthusiast

Re: Configure Site-to-Site VPN with dynamic IP on one side!

Agree with you.

 

Here is my config:

 

Remote:

 

Int gig0/0/2
desc *** Cradelpoint Router ***
! address is assigned by DHCP, currently 37.85.167.30
ip address dhcp
ip mtu 1300
ip access-group internet in
ip tcp adjust-mss 1260
negotiation auto
no shut
!
int Tunnel 599
ip address 10.13.97.99 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CRALTE
ip nhrp map 10.13.97.4 195.243.205.120
ip nhrp map multicast 195.243.205.120
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 10.13.97.4
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/2
tunnel mode gre multipoint
tunnel key 99
!
ip route 195.243.205.120 255.255.255.255 gig0/0/2 DHCP

---------------------------------------------------------------------------

HQ:

interface Tunnel599
ip address 10.13.97.4 255.255.255.0
no ip redirects
ip nhrp authentication CRALTE
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
ip tcp adjust-mss 1360
tunnel source 195.243.205.120
tunnel mode gre multipoint
tunnel key 99
!
ip route <?> 255.255.255.255 195.243.205.99 name LTE_BKP_99

 

 

My issue is routing on the HQ router! (I am using static IP routing for all other 40 locations)

 

Thanks
