Dynamic IP'd S2S VPN between ASA 5510 and Cisco 819 LTE router

Sam Brynes
Beginner

We have an ASA 5510 running 9.1(7)32 and a Cisco 819 LTE router running IOS 15.3(3).


I was thinking about building a VTI tunnel between the two, but will it work if both sides have dynamic IPs? What are my options?


The ASA has a dynamic DNS hostname. I could probably get one for the Cisco 819 too if needed.


Georg Pauwen
VIP Master

Hello,


that should work (provided the group policy on the ASA can be updated dynamically using an EEM script). I'll do some testing and get back with you...

Thanks!

Hello,


I came up with the below config. Unfortunately I could not simulate this on a 'real' network, so I am not sure if this works. The trick is for the EEM scripts to replace everything where usually the IP addresses of the remote devices would be entered (which you obviously don't know) with the dynamic DNS name.


ASA


! ASA: re-apply the 819's DDNS name every 60 s. ASA EEM has no cron timer
! (only watchdog/countdown/absolute), so a 60-second watchdog is used instead.
event manager applet DDNS
 event timer watchdog time 60
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel0"
 action 1.3 cli command "tunnel destination remoteioshostname.dyndns.com"
 action 1.4 cli command "exit"
 action 1.5 cli command "tunnel-group remoteioshostname.dyndns.com type ipsec-l2l"
 ! default-group-policy lives under general-attributes, not ipsec-attributes
 action 1.6 cli command "tunnel-group remoteioshostname.dyndns.com general-attributes"
 action 1.7 cli command "default-group-policy remoteioshostname.dyndns.com"
 action 1.8 cli command "exit"
 action 1.9 cli command "group-policy remoteioshostname.dyndns.com internal"
 action 2.0 cli command "group-policy remoteioshostname.dyndns.com attributes"
 action 2.1 cli command "end"
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512 sha384
 group 19 14
 prf sha512 sha384
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal TSET
 protocol esp encryption aes-256 aes-192
 protocol esp integrity sha-512 sha-384 sha-256
!
crypto ipsec profile IPSEC_PROFILE
 set ikev2 ipsec-proposal TSET
!
group-policy remoteioshostname.dyndns.com internal
group-policy remoteioshostname.dyndns.com attributes
 vpn-tunnel-protocol ikev2
!
! tunnel-group name corrected: the original typed "remotehostname" on this
! line and "remoteioshostname" everywhere else
tunnel-group remoteioshostname.dyndns.com type ipsec-l2l
tunnel-group remoteioshostname.dyndns.com general-attributes
 default-group-policy remoteioshostname.dyndns.com
tunnel-group remoteioshostname.dyndns.com ipsec-attributes
 ikev2 remote-authentication pre-shared-key ******
 ikev2 local-authentication pre-shared-key ******
!
interface Tunnel0
 nameif VPN_VTI
 ip address 172.16.1.1 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination remoteioshostname.dyndns.com
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
! LAN behind the 819, reached through the VTI
route VPN_VTI 192.168.1.0 255.255.255.0 172.16.1.2

--------

IOS


! IOS (819): same idea, re-apply the ASA's DDNS name every minute
event manager applet DDNS
 event timer cron name "CHRON" cron-entry "* * * * *"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface tunnel0"
 action 1.3 cli command "tunnel destination remoteasahostname.dyndns.com"
 action 1.4 cli command "exit"
 action 1.5 cli command "crypto ikev2 profile IKEV2_PROFILE"
 action 1.6 cli command "match identity remote fqdn remoteasahostname.dyndns.com"
 action 1.7 cli command "identity local fqdn remoteioshostname.dyndns.com"
 action 1.8 cli command "exit"
 action 1.9 cli command "end"
!
crypto ikev2 proposal IKEV2_PROP
 encryption aes-cbc-256
 integrity sha512 sha384
 group 19 14
!
crypto ikev2 policy IKEV2_POLICY
 proposal IKEV2_PROP
!
! 0.0.0.0/0 peer entry because the ASA's address is not known in advance
crypto ikev2 keyring KEYRING
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key local ******
  pre-shared-key remote ******
!
crypto ikev2 profile IKEV2_PROFILE
 ! "address" accepts only an IP, so a DNS name needs the fqdn form; the local
 ! identity is this router's own name, not the ASA's (both corrected here).
 ! The fqdn match only succeeds if the ASA presents that name as its IKE identity.
 match identity remote fqdn remoteasahostname.dyndns.com
 identity local fqdn remoteioshostname.dyndns.com
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING
 dpd 10 2 on-demand
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha512-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2_PROFILE
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel destination remoteasahostname.dyndns.com
 tunnel protection ipsec profile IPSEC_PROFILE
!
! mask corrected: the original had 255.255.0.0 against a /24 network
ip route 192.168.2.0 255.255.255.0 172.16.1.1
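The same re-resolution done from an outside script instead of an EEM applet, as an added example that is not part of the thread: it keys the ASA tunnel-group on the resolved peer address (which is how the ASA looks up a pre-shared-key L2L tunnel-group), removes the stale one, and refuses DNS answers that cannot be an Internet peer. The hostnames are taken from the thread; the resolver stub, sample addresses and the group-policy name VTI_GP are constructed for the demo.

```python
"""Re-resolve a VPN peer's DDNS name and emit ASA peer config only on change.

Added example, not from the thread: an external script doing what the
thread's EEM applet does. Hostnames, resolver stub and sample addresses are
constructed for the demo; the group-policy name is assumed.
"""
import ipaddress
import socket
from typing import Callable, Optional, Tuple

PEER_HOST = "remoteioshostname.dyndns.com"  # the 819's DDNS name, as in the thread
GROUP_POLICY = "VTI_GP"                     # assumed group-policy name
Lookup = Callable[[str], str]


def resolve_peer(host: str, lookup: Lookup = socket.gethostbyname) -> str:
    """Resolve the DDNS name, refusing answers that cannot be an Internet peer."""
    addr = ipaddress.ip_address(lookup(host))
    # A private, loopback, link-local or documentation address means a stale,
    # misconfigured or spoofed DDNS record: never push it into the tunnel config.
    if addr.version != 4 or not addr.is_global:
        raise ValueError(f"{host} resolved to non-routable {addr}")
    return str(addr)


def render_asa_peer(peer_ip: str, old_ip: Optional[str], psk: str = "<PSK>") -> str:
    """ASA IKEv2 L2L peer commands keyed by the peer's current address."""
    # With pre-shared keys the ASA selects an L2L tunnel-group by peer IP, so the
    # tunnel-group is named after the resolved address and the stale one is dropped.
    lines = [f"no tunnel-group {old_ip}"] if old_ip else []
    lines += [
        f"tunnel-group {peer_ip} type ipsec-l2l",
        f"tunnel-group {peer_ip} general-attributes",
        f" default-group-policy {GROUP_POLICY}",
        f"tunnel-group {peer_ip} ipsec-attributes",
        f" ikev2 remote-authentication pre-shared-key {psk}",
        f" ikev2 local-authentication pre-shared-key {psk}",
        "interface Tunnel0",
        f" tunnel destination {peer_ip}",
    ]
    return "\n".join(lines)


def update_if_changed(last_ip: Optional[str], lookup: Lookup = socket.gethostbyname
                      ) -> Tuple[str, Optional[str]]:
    """Return (current_ip, config); config is None while the address is unchanged."""
    current = resolve_peer(PEER_HOST, lookup)
    if current == last_ip:
        return current, None
    return current, render_asa_peer(current, last_ip)
```

Run it once a minute (cron or a scheduler), persist the returned address, and push the rendered lines to the ASA only when config is not None.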