Dynamic VPN between two 4G/LTE Cisco 819 routers

GTechy (Level 1)

Is it possible to create a VPN between two Cisco 819 routers using 4G/LTE (both dynamic endpoints)? What would be the steps required?

1 Accepted Solution

Accepted Solutions

Rejohn Cuares (Level 4)

This can be done using these Cisco IOS tools. I have used this and it works.

1. EEM

- EEM is used to update the configuration of the IPsec peer.

2. DDNS

- DDNS is used to publish its new IP to DynDNS.

- Reference: Refer to https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-mt/dns-15-mt-book/dns-dyn-dns-supp-ios.html#GUID-89BCB212-EE5C-40D9-AEF5-B18DDB5D5758

Cisco also published a tech note on this kind of setup.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/118048-technote-ipsec-00.html

Please be aware that for 4G/LTE, the IP address that is allocated by the ISP is a private IP address and the ISP does the NAT. This is what I noticed in my country anyway; not sure about other parts of the world. Thus, make sure that your 4G/LTE provider assigns a public IP address instead of a private IP address.

HTH.

Please rate replies and mark the question as "answered" if applicable.


8 Replies

Richard Burts (Hall of Fame)

While it is quite possible to configure site to site VPN where one peer has a static IP and the other peer has a dynamic IP (the peer with dynamic IP uses a regular static crypto map and has a set peer statement identifying its peer, and the peer with static IP uses a dynamic crypto map in which it does not need to identify its peer), it is problematic to try to set up VPN when both peers use dynamic IP. The biggest problem is that if both peers have dynamic IP then both peers would need to use a dynamic crypto map (because neither peer would be able to do a set peer in a static crypto map). The dynamic crypto map says that the device will respond to any request but does not originate any request. If neither peer can originate a request, then how do you get the VPN started?

 

I do not know of a way to achieve what you are asking.

 

HTH

 

Rick



Really appreciate the information. Rejohn, if you can, would you be able to share an example script?
Regards

Both dynamic IP addresses appear to be private or public IP addresses (100.xxx.xxx.xxx, 10.xx.xx.xx) from a CGNAT network. I'm struggling to make a VPN between them using the DDNS. The GRE tunnel or VPN doesn't work. Is there any workaround to solve this?

The post from Rejohn does advocate that you get the provider to supply a public IP for the 4G/LTE connection. If both peers have public IPs then it would seem pretty easy to get the VPN to work. I would think that as long as one peer had a public IP then you could initiate the tunnel from the peer with the private IP. I am not sure how it would work when both are private IPs. Rejohn is the one who has experience with this and I leave further suggestions to him.

 

HTH

 

Rick 


Hi Rich,
I managed to create an IPsec VPN between two Cisco 4G routers. Then I created an L2TP tunnel between the serial interfaces of the routers; the L2TP is inside the IPsec VPN. Now I am trying a data test (X.2) from one serial interface with a loop at the other serial interface, but it doesn't seem to be working. Both the IPsec VPN and the L2TP tunnel are up and established. Surely I should be able to pass data from one end to the other; am I missing something here?

If both tunnels are up and established then I would expect that you would be able to pass data between the sites. If that is not working then there must be some issue. Since I do not know the details of what you have configured I am not able to give good advice about what is the problem. I can offer some general comments and hope that they might help you find the issue. In my experience with site to site VPN when data does not pass through the VPN there are several things that might be the problem:

- is there possibly a mismatch in the ACL used by the sites to identify traffic to be encrypted?

- is there possibly some issue with routing on one side or the other which is not forwarding traffic to where it would be evaluated by the ACL for encryption (this would work slightly differently depending on whether this is traditional IPsec tunnel or was VTI)?

- is there possibly some issue with address translation? (traffic being translated that should not be or traffic not being translated that should be)

 

I have not ever done an implementation of L2TP running inside IPsec and cannot assess whether there are possible problems involved in doing this. Perhaps someone else in the forum might speak to this.

 

HTH

 

Rick


Hey folks.

 

I was working on a setup with just one end with a dynamic address and the DDNS setup, but you should be able to apply this setup to both ends. I did the command conversion while writing this, so forgive me any mistakes.

 

First of all I made the DDNS setup:

ip ddns update method HOME
 HTTP
  add http://email@test.com:Password@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 5 0

interface FastEthernet0/0
 description INTERNET
 ip ddns update hostname home.ddns.net
 ip ddns update HOME
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map HOME-to-OFFICE

PS: to put the "?" in the string for the DDNS update, you need to type Ctrl+V first, and then IOS will understand that you want to insert a question mark instead of showing the help.

 

Next you need to make your crypto config:

crypto pki token default removal timeout 0
crypto isakmp policy 2
 encr aes 256
 hash sha256
 authentication pre-share
crypto isakmp key VPNKEY address 0.0.0.0 no-xauth
crypto ipsec transform-set HOME-to-OFFICE esp-aes 256 esp-sha-hmac
crypto map HOME-to-OFFICE 10 ipsec-isakmp
 ! the peer is the remote (office) side; its DDNS name is resolved when the tunnel is negotiated
 set peer office.ddns.net dynamic default
 set transform-set HOME-to-OFFICE
 match address HOME-to-OFFICE
! the crypto map itself is applied under interface FastEthernet0/0 in the block above

 

In my case I used the public IPs to set up a GRE with BGP.

After that, you will setup the internet DNS servers, the ACL with the initial IP addresses and the interface Tunnel:

!DNS

ip name-server 8.8.8.8
ip name-server 4.4.2.2

!

!ACL

ip access-list extended HOME-to-OFFICE
 permit gre host home.ddns.net host office.ddns.net
 permit gre host office.ddns.net host home.ddns.net
 deny ip any any

!

interface Tunnel0
 ip address 192.168.10.4 255.255.255.254
 cdp enable
 tunnel source FastEthernet0/0
 tunnel destination office.ddns.net

 

OK! So this should be enough to make it work for the first time.

Next we will concern about keeping this thing on.

So for the first problem the DDNS should take care about, keeping the IPs updated.

You will need an IP SLA and track to some reliable internet server, so the router will know when the internet is back:

ip sla 1
 icmp-echo 8.8.8.8
 frequency 30
ip sla schedule 1 life forever start-time now

!

track 1 ip sla 1 reachability

 

And here goes our first EEM, to find the IP address of the remote peer:

event manager applet HOME-to-OFFICE_RECOVERY_1
 event track 1 state up maxrun 60
 action 1.4 cli command "enable"
 action 1.5 cli command "configure terminal"
 action 1.6 cli command "interface Tunnel0"
 action 1.7 cli command "tunnel destination office.ddns.net"
 action 1.8 cli command "no ip access-list extended HOME-to-OFFICE"
 action 1.9 cli command "ip access-list extended HOME-to-OFFICE"
 action 2.0 cli command "permit gre host office.ddns.net host home.ddns.net"
 action 2.1 cli command "permit gre host home.ddns.net host office.ddns.net"
 action 2.2 cli command "deny ip any any"
 action 2.3 cli command "no ip sla schedule 2 life forever start-time now"
 action 2.4 cli command "no ip sla 2"
 action 2.5 cli command "ip sla 2"
 action 2.6 cli command "icmp-echo office.ddns.net"
 action 2.7 cli command "frequency 30"
 action 2.8 cli command "ip sla schedule 2 life forever start-time now"
 action 2.9 cli command "end"
 action 3.0 cli command "write"

With this done the first side should be ok.

 

Our next challenge is to configure the remote router. That's why we made the second IP SLA.

ip sla 2
 icmp-echo office.ddns.net
 ! the address will be updated by the first EEM
 frequency 30
ip sla schedule 2 life forever start-time now
!
track 2 ip sla 2 reachability

When track 2 moves to UP, this will start the second EEM:

event manager applet HOME_to_OFFICE_RECOVERY_2
 ! triggered by track 2, the SLA that probes the remote peer's DDNS name
 event track 2 state up maxrun 60
 action 1.0 syslog msg "****VPN IP PEER UP. STARTING DYNAMIC IP UPDATE****"
 ! I used this wait timer, since the DDNS update reaching Google DNS could take some moments
 action 1.1 wait 30
 action 1.2 cli command "enable"
 ! You will need a user on the remote router to trigger the update
 action 1.3 cli command "ssh -l eem-script office.ddns.net" pattern "assword:"
 action 1.4 cli command "Password" pattern "#"
 action 1.5 syslog msg "****VPN PEER FIXED. DYNAMIC IP UPDATE COMPLETE****"

I lost a lot of time trying to make one side give commands on the other, but that doesn't work. So I found a workaround that seems to be fine. On the remote router you will need the local EEM and the user that will update the local config of the tunnel:

username eem-script privilege 15 secret 5 $1$xsRp$mnYiH9ehBnhtU5J8irpCv.
! the autocommand must name the applet defined below (HOME-to-OFFICE_RECOVERY_3)
username eem-script autocommand event manager run HOME-to-OFFICE_RECOVERY_3

!

event manager applet HOME-to-OFFICE_RECOVERY_3
 event none
 action 1.4 cli command "enable"
 action 1.5 cli command "configure terminal"
 action 1.6 cli command "interface Tunnel0"
 action 1.7 cli command "tunnel destination home.ddns.net"
 action 1.8 cli command "no ip access-list extended HOME-to-OFFICE"
 action 1.9 cli command "ip access-list extended HOME-to-OFFICE"
 action 2.0 cli command "permit gre host office.ddns.net host home.ddns.net"
 action 2.1 cli command "permit gre host home.ddns.net host office.ddns.net"

 action 2.2 cli command "deny   ip any any"

 action 2.3 cli command "end"
 action 2.4 cli command "write"

With this setup in place on the remote router, as soon as the local router's track 2 goes up, it will try to connect to the remote with the user "eem-script". The autocommand will force the EEM 3 applet to run on the far side. That should be enough to bring the VPN up again.

 

HTH.

 

Best regards,

Daniel Freitas

CCIE SP#48302
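The mechanism behind both Rejohn's accepted solution and Daniel's applets is the same: IOS stores the address a hostname resolved to at configuration time, so after a DDNS change the `tunnel destination` and the crypto ACL have to be re-entered, and (as several posts warn) none of this helps if the carrier hands out a CGNAT or RFC 1918 address. The following is an added example written for this thread, not Daniel's script or a Cisco tool, that reproduces that decision in Python: resolve both DDNS names, refuse addresses that cannot terminate an Internet-facing peer, detect a change against the cached address, and emit the re-apply lines with the resolved address baked in. The names (home.ddns.net, office.ddns.net, Tunnel0, HOME-to-OFFICE) follow the thread; the resolver is pluggable so the demo runs offline against constructed DNS answers.

```python
"""Refresh an IPsec/GRE peer definition from a DDNS name.

Added example written for this thread; it is not Daniel's EEM script or a
Cisco tool. It reproduces, in Python, the decision the EEM applets make:
resolve the peer's DDNS name, detect an address change, and re-emit the
'tunnel destination' and crypto ACL lines with the new address.
"""
import ipaddress
import socket

CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared address space
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def peer_address_class(ip_text):
    """Return 'public', 'cgnat' or 'private' for a resolved peer address.

    A 4G/LTE subscriber behind carrier NAT typically gets a 100.64.0.0/10 or
    RFC 1918 address; it is reachable only inside the carrier's network, so a
    peer that publishes it to DDNS can never be contacted as a VPN responder.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def render_peer_update(local_ip, remote_ip, tunnel="Tunnel0", acl="HOME-to-OFFICE"):
    """Config lines the EEM applet pushes once the peer address is known.

    IOS keeps the address a hostname resolved to at configuration time, so the
    ACL and tunnel destination must be re-entered whenever DDNS changes it.
    """
    return [
        "configure terminal",
        f"interface {tunnel}",
        f" tunnel destination {remote_ip}",
        f"no ip access-list extended {acl}",
        f"ip access-list extended {acl}",
        f" permit gre host {local_ip} host {remote_ip}",
        f" permit gre host {remote_ip} host {local_ip}",
        " deny ip any any",
        "end",
    ]


def refresh_peer(local_name, remote_name, cached_remote_ip,
                 resolver=socket.gethostbyname):
    """Resolve both DDNS names and return (changed, remote_ip, commands).

    Raises ValueError when either side resolves to a CGNAT/private address,
    which is the failure mode reported in this thread.
    """
    local_ip, remote_ip = resolver(local_name), resolver(remote_name)
    for name, ip in ((local_name, local_ip), (remote_name, remote_ip)):
        kind = peer_address_class(ip)
        if kind != "public":
            raise ValueError(f"{name} resolves to {ip} ({kind}): "
                             "ask the carrier for a public address")
    if remote_ip == cached_remote_ip:
        return False, remote_ip, []          # nothing to re-apply
    return True, remote_ip, render_peer_update(local_ip, remote_ip)


# Constructed DNS answers (documentation-range addresses) so the demo runs offline.
FAKE_DNS = {"home.ddns.net": "203.0.113.10", "office.ddns.net": "198.51.100.20"}

if __name__ == "__main__":
    changed, ip, cmds = refresh_peer("home.ddns.net", "office.ddns.net",
                                     "198.51.100.9", resolver=FAKE_DNS.__getitem__)
    print(f"peer changed={changed} new address={ip}")
    print("\n".join(cmds))
```

Swapping in the default `socket.gethostbyname` resolver turns the demo into the same check the `ip sla 2` probe and `HOME-to-OFFICE_RECOVERY_1` applet perform on the router; the CGNAT test is the part the applets lack, and it is the first thing to run when, as in the earlier reply, both ends come up with 100.x or 10.x addresses.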

 
