Dynamic IP'd S2S VPN between ASA 5510 and Cisco 819 LTE router

Sam Brynes
Level 1

We have an ASA 5510 running 9.1(7)32 and a Cisco 819 LTE router running IOS 15.3(3).

I was thinking about building a VTI tunnel between the two, but will it work if both sides have dynamic IPs? What are my options?

The ASA has a dynamic DNS hostname. I could probably get one for the Cisco 819 too if needed.

6 Replies

Hello,

that should work (provided the group policy on the ASA can be updated dynamically using an EEM script). I'll do some testing and get back to you...

Thanks!

Hello,

I came up with the below config. Unfortunately I could not simulate this on a 'real' network, so I am not sure if this works. The trick is for the EEM scripts to replace everything where the remote devices' IP addresses would usually be entered (which you obviously don't know) with the dynamic DNS name.

ASA

event manager applet DDNS
event timer watchdog time 60
action 1.0 cli command "interface tunnel0"
action 1.1 cli command "tunnel destination remoteioshostname.dyndns.com"
action 1.2 cli command "exit"
action 1.3 cli command "tunnel-group remoteioshostname.dyndns.com type ipsec-l2l"
action 1.4 cli command "tunnel-group remoteioshostname.dyndns.com general-attributes"
action 1.5 cli command "default-group-policy remoteioshostname.dyndns.com"
action 1.6 cli command "exit"
action 1.7 cli command "group-policy remoteioshostname.dyndns.com internal"
action 1.8 cli command "group-policy remoteioshostname.dyndns.com attributes"
action 1.9 cli command "end"
!
crypto ikev2 policy 1
encryption aes-256
integrity sha512 sha384
group 19 14
prf sha512 sha384
lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal TSET
protocol esp encryption aes-256 aes-192
protocol esp integrity sha-512 sha-384 sha-256
!
crypto ipsec profile IPSEC_PROFILE
set ikev2 ipsec-proposal TSET
!
group-policy remoteioshostname.dyndns.com internal
group-policy remoteioshostname.dyndns.com attributes
vpn-tunnel-protocol ikev2
!
tunnel-group remoteioshostname.dyndns.com type ipsec-l2l
tunnel-group remoteioshostname.dyndns.com general-attributes
default-group-policy remoteioshostname.dyndns.com
tunnel-group remoteioshostname.dyndns.com ipsec-attributes
ikev2 remote-authentication pre-shared-key ******
ikev2 local-authentication pre-shared-key ******
!
interface Tunnel0
nameif VPN_VTI
ip address 172.16.1.1 255.255.255.0
tunnel source interface OUTSIDE
tunnel destination remoteioshostname.dyndns.com
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
route VPN_VTI 192.168.1.0 255.255.255.0 172.16.1.2

--------

IOS

event manager applet DDNS
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel0"
action 1.3 cli command "tunnel destination remoteasahostname.dyndns.com"
action 1.4 cli command "exit"
action 1.5 cli command "crypto ikev2 profile IKEV2_PROFILE"
action 1.6 cli command "match identity remote address remoteasahostname.dyndns.com"
action 1.7 cli command "identity local address remoteasahostname.dyndns.com"
action 1.9 cli command "exit"
action 2.2 cli command "end"
!
crypto ikev2 proposal IKEV2_PROP
encryption aes-cbc-256
integrity sha512 sha384
group 19 14
!
crypto ikev2 policy IKEV2_POLICY
proposal IKEV2_PROP
!
crypto ikev2 keyring KEYRING
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local ******
pre-shared-key remote ******
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote address remoteasahostname.dyndns.com
identity local address remoteasahostname.dyndns.com
authentication local pre-share
authentication remote pre-share
keyring local KEYRING
dpd 10 2 on-demand
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha512-hmac
!
crypto ipsec profile IPSEC_PROFILE
set transform-set TSET
set ikev2-profile IKEV2_PROFILE
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source Dialer0
tunnel mode ipsec ipv4
tunnel destination remoteasahostname.dyndns.com
tunnel protection ipsec profile IPSEC_PROFILE
!
ip route 192.168.2.0 255.255.255.0 172.16.1.1

Hi Georg,

I was able to test your config out using a Cisco IOS 15 router instead of our ASA, and it looks like our wireless carrier is NATing all our connections leaving our LTE router unfortunately. The IKEv2 is successful, but IPsec complains that the peer address is not found:

000622: Sep 19 2021 17:33:51.589 MST: IPSEC(ipsec_process_proposal): peer address X.X.X.X not found

X.X.X.X = (LTE NAT'd address)

We could try and map the NAT'd IP to the dynamic DNS hostname on the LTE router, but I don't see an easy way to do that without running a small Raspberry Pi or computer behind the LTE router to do the DDNS update. The LTE router doesn't know its NAT'd IP address.

I was thinking of switching to using a DMVPN. The DMVPN hub wouldn't be behind a NAT, but it would still be dynamic IP'd. Ideally, the LTE router would reach out to the DMVPN hub using its dynamic DNS hostname, but it looks like that isn't a choice in the configuration.

Do you know of a TCL script (maybe someone made one already) that can do a lookup of a hostname by pinging it (the dynamic DNS hostname), capture that IP address, and do a "config t" and change the configuration to use the resolved IP address?

LTE-ROUTER(config-if)#ip nhrp map 169.254.0.1 255.255.255.255 dmvpnhub.hostname
^
% Invalid input detected at '^' marker.

LTE-ROUTER(config-if)#ip nhrp map 169.254.0.1 255.255.255.255 1.1.1.1 ?
<cr>

!===== Looks like it's not possible to reference a hostname with the following command =====!

LTE-ROUTER(config-if)#ip nhrp map 169.254.0.1 255.255.255.255 ?
A.B.C.D IP NBMA address
X:X:X:X::X IPv6 NBMA address
<cr>

LTE-ROUTER(config-if)#ip nhrp map 169.254.0.1 255.255.255.255
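The resolve-and-reconfigure job asked for above, written as an added example in Python rather than as a TCL script on the router (it is not code from this thread or from Cisco), for the kind of small host behind the LTE router mentioned earlier. It assumes the host can read the running config and push the returned commands over SSH with whatever library you use (pushing is not included), uses a constructed running-config excerpt, and covers both the VTI "tunnel destination" case from the earlier config and the DMVPN "ip nhrp map" form tried here. It deliberately returns no commands when the name fails to resolve or the address is unchanged, so a job that runs every minute does not bounce a working tunnel.

```python
import socket
from typing import Callable, List, Optional

# Constructed running-config excerpt for the spoke's Tunnel0 (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source Dialer0
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
"""

# Command templates; {ip} is replaced by the resolved address of the DDNS name.
VTI_TEMPLATE = ["tunnel destination {ip}"]                                # VTI, as in the IOS config above
DMVPN_SPOKE_TEMPLATE = ["ip nhrp map 169.254.0.1 255.255.255.255 {ip}"]  # the nhrp map form tried above


def resolve(hostname: str, resolver: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Resolve the dynamic DNS name; return None on failure instead of raising,
    so a DNS outage never turns into a config change that breaks a working tunnel."""
    try:
        return resolver(hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def build_update(hostname: str, running_config: str, template: List[str],
                 resolver: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Return the IOS commands needed so Tunnel0 points at the name's current
    address, or [] when nothing should change: the name is unresolvable, or the
    rendered commands are already present in the running config."""
    new_ip = resolve(hostname, resolver)
    if new_ip is None:
        return []
    wanted = [cmd.format(ip=new_ip) for cmd in template]
    present = {line.strip() for line in running_config.splitlines()}
    if all(cmd in present for cmd in wanted):
        return []  # idempotent: unchanged address, no tunnel bounce
    return ["configure terminal", "interface Tunnel0", *wanted, "end"]


if __name__ == "__main__":
    # Live run with the system resolver against the placeholder hub name from the thread.
    for cmd in build_update("dmvpnhub.hostname", SAMPLE_RUNNING_CONFIG, DMVPN_SPOKE_TEMPLATE):
        print(cmd)
```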

Sam Brynes
Level 1

Thanks Georg. Looks like I don't have event manager applets on my ASA code 9.1(7)32.

This is an ASA 5510, so I don't think I can get event manager applet support on it. It is EOL and very old unfortunately.

Thanks for your time though : )

I have done something similar to this with an 829 on a cell connection that is NAT'd by the provider. I used EZVPN in network extension mode to connect to the ASA with a dynamic host name (and still do). It used to be a 5505, then became a 5506, and is now an ASA-V.
