03-19-2018 02:38 PM - edited 03-05-2019 10:08 AM
Is it possible to create a VPN between two Cisco 819 routers using 4G/LTE (both dynamic endpoints)? What steps would be required?
03-20-2018 06:09 PM
This can be done using these Cisco IOS tools. I have used this and it works.
1. EEM
- EEM is used to update the configuration of the IPSec peer.
2. DDNS
- DDNS is used to publish its new IP to DynDNS.
- Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-mt/dns-15-mt-book/dns-dyn-dns-supp-ios.html#GUID-89BCB212-EE5C-40D9-AEF5-B18DDB5D5758
Cisco also published a tech note on this kind of setup.
Please be aware that for the 4G/LTE, the IP address that is allocated by the ISP is a private IP address and the ISP does the NAT. This is what I noticed in my country anyway, not sure in other parts of the world. Thus, make sure your 4G/LTE provider assigns a public IP address instead of a private IP address.
HTH.
03-20-2018 11:04 AM
While it is quite possible to configure site to site VPN where one peer has a static IP and the other peer has a dynamic IP (the peer with dynamic IP uses a regular static crypto map and has a set peer statement identifying its peer, and the peer with static IP uses a dynamic crypto map in which it does not need to identify its peer) it is problematic to try to set up VPN when both peers use dynamic IP. The biggest problem is that if both peers have dynamic IP then both peers would need to use a dynamic crypto map (because neither peer would be able to do a set peer in a static crypto map). The dynamic crypto map says that the device will respond to any request but does not originate any request. If neither peer can originate a request then how do you get the VPN started?
I do not know of a way to achieve what you are asking.
HTH
Rick
03-23-2018 03:17 AM
03-27-2018 02:46 PM
Both dynamic IP addresses appear to be private or public IP addresses (100.xxx.xxx.xxx, 10.xx.xx.xx) from a CGNAT network. I'm struggling to make a VPN between them using the DDNS. The GRE tunnel or VPN doesn't work. Is there any workaround to solve this?
03-28-2018 07:44 AM
The post from Rejohan does advocate that you get the provider to supply a public IP for the 4G/LTE connection. If both peers have public IP then it would seem pretty easy to get the VPN to work. I would think that as long as one peer had a public IP then you could initiate the tunnel from the peer with private IP. I am not sure how it would work when both are private IP. Rejohan is the one who has experience with this and I leave further suggestions to him.
HTH
Rick
04-08-2018 11:07 AM - edited 04-09-2018 03:19 AM
04-10-2018 11:32 AM
If both tunnels are up and established then I would expect that you would be able to pass data between the sites. If that is not working then there must be some issue. Since I do not know the details of what you have configured I am not able to give good advice about what is the problem. I can offer some general comments and hope that they might help you find the issue. In my experience with site to site VPN when data does not pass through the VPN there are several things that might be the problem:
- is there possibly a mismatch in the ACL used by the sites to identify traffic to be encrypted?
- is there possibly some issue with routing on one side or the other which is not forwarding traffic to where it would be evaluated by the ACL for encryption (this would work slightly differently depending on whether this is traditional IPsec tunnel or was VTI)?
- is there possibly some issue with address translation? (traffic being translated that should not be or traffic not being translated that should be)
I have not ever done an implementation of L2TP running inside IPsec and cannot assess whether there are possible problems involved in doing this. Perhaps someone else in the forum might speak to this.
HTH
Rick
08-17-2018 03:24 PM
Hey folks.
I was working on a setup with just one end with a dynamic address and the DDNS setup. But you should be able to make this setup on both ends. I did the command conversion while writing this, so forgive me any mistake.
First of all I made the DDNS setup:
ip ddns update method HOME
 HTTP
  add http://email@test.com:Password@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!
interface FastEthernet0/0
 description INTERNET
 ip ddns update hostname home.ddns.net
 ip ddns update HOME
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map HOME-to-OFFICE
PS. To put the "?" in the string for the DDNS update, you need to type "ctrl + v" first, and then the IOS will understand that you want to put a question mark instead of showing the help.
Next you need to make your crypto config:
crypto pki token default removal timeout 0
!
crypto isakmp policy 2
 encr aes 256
 hash sha256
 authentication pre-share
crypto isakmp key VPNKEY address 0.0.0.0 no-xauth
!
crypto ipsec transform-set HOME-to-OFFICE esp-aes 256 esp-sha-hmac
!
crypto map HOME-to-OFFICE 10 ipsec-isakmp
 set peer home.ddns.net dynamic default
 set transform-set HOME-to-OFFICE
 match address HOME-to-OFFICE
crypto map HOME-to-OFFICE
In my case I used the public IPs to set up a GRE with BGP.
After that, you will setup the internet DNS servers, the ACL with the initial IP addresses and the interface Tunnel:
!DNS
ip name-server 8.8.8.8
!
!ACL
ip access-list extended HOME-to-OFFICE
 deny ip any any
!
interface Tunnel0
OK! So this should be enough to make it work for the first time.
Next we will concern ourselves with keeping this thing up.
The first problem, keeping the IPs updated, the DDNS should take care of.
You will need an IP SLA and track to some reliable internet server, so the router will know when the internet is back:
ip sla 1
!
track 1 ip sla 1 reachability
And here goes our first EEM, to find the IP address of the remote peer:
event manager applet HOME-to-OFFICE_RECOVERY_1
 action 2.2 cli command "deny ip any any"
 action 2.3 cli command "no ip sla schedule 2 life forever start-time now"
 action 2.4 cli command "no ip sla 2"
 action 2.5 cli command "ip sla 2"
 action 2.9 cli command "end"
With this done the first side should be ok.
Our next challenge is to configure the remote router. That's why we made the second IP SLA.
ip sla 2
 !the address will be updated by the first EEM
!
track 2 ip sla 2 reachability
When track 2 moves to UP, this will start the second EEM:
event manager applet HOME_to_OFFICE_RECOVERY_2
 action 1.0 syslog msg "****VPN IP PEER UP. STARTING DYNAMIC IP UPDATE****"
 ! I used this wait timer, since the DDNS update to Google DNS could take some moments
 action 1.1 wait 30
 action 1.2 cli command "enable"
 ! You will need a user on the remote router to trigger the update
I lost a lot of time trying to make one side give commands on the other, but that doesn't work. So I found a workaround that seems to be fine. On the remote router you will need the local EEM and the user that will update the local config of the tunnel:
username eem-script privilege 15 secret 5 $1$xsRp$mnYiH9ehBnhtU5J8irpCv.
!
event manager applet HOME-to-OFFICE_RECOVERY_3
 action 2.2 cli command "deny ip any any"
 action 2.3 cli command "end"
With this setup in place on the remote router, as soon as the local router's track 2 goes up, it will try to connect to the remote with the user "eem-script". The autocommand will force EEM 3 to run on the far side. That should be enough to bring the VPN up again.
HTH.
Best regards,
Daniel Freitas
CCIE SP#48302
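The snippets in the post above are cut off, so here is the same pattern written out end to end for one site, as an added example that is not from the original thread, from Daniel, or from Cisco documentation. It also covers the crypto map point Rick raised earlier: with "set peer <fqdn> dynamic" the router re-resolves the peer's name at negotiation time, so neither side has to fall back to a dynamic crypto map. Every name, hostname, address and key in it is a placeholder (DDNS-METHOD, home.example.net, office.example.net, Cellular0, 203.0.113.20, 10.255.0.0/30, the PSK and the DDNS credentials); the other site mirrors it with the hostnames swapped.

```cisco
! Added example, not from the original thread. All names, hostnames,
! addresses and secrets are placeholders to be replaced per site.
!
! 1. DDNS: publish this router's current WAN address under its own hostname.
!    The "?" in the URL is typed as Ctrl-V followed by "?", as the thread notes.
ip name-server 8.8.8.8
ip ddns update method DDNS-METHOD
 HTTP
  add http://USER:PASSWORD@dynupdate.example.net/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!
interface Cellular0
 ip address negotiated
 ip ddns update hostname home.example.net
 ip ddns update DDNS-METHOD
 crypto map HOME-to-OFFICE
!
! 2. IKE/IPsec. "set peer <fqdn> dynamic" re-resolves the name on each
!    negotiation, so a normal (static) crypto map works on both sides.
!    "address 0.0.0.0" accepts this PSK from any source address, so the key
!    is the only thing binding the tunnel to the right peer: keep it long
!    and random, and prefer per-peer keys or certificates where possible.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-LONG-RANDOM-PSK address 0.0.0.0 no-xauth
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL. Entry 10 is rewritten by the EEM applet with the peer's
! current address; the initial value is just a placeholder.
ip access-list extended HOME-to-OFFICE
 10 permit gre any host 203.0.113.20
!
crypto map HOME-to-OFFICE 10 ipsec-isakmp
 set peer office.example.net dynamic
 set transform-set TS-AES256
 match address HOME-to-OFFICE
!
! GRE tunnel carrying the site-to-site traffic; destination also rewritten by EEM.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Cellular0
 tunnel destination 203.0.113.20
!
! 3. Reachability probe toward the peer's current address. The probe is
!    recreated by the applet whenever the hostname resolves to a new IP.
ip sla 2
 icmp-echo 203.0.113.20 source-interface Cellular0
 frequency 30
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! 4. EEM: every 5 minutes resolve the remote hostname (via ping), pull the
!    IPv4 address out of the output and rewrite the probe, the crypto ACL
!    and the tunnel destination. If the lookup fails, nothing is changed.
event manager applet HOME-to-OFFICE_RESOLVE
 event timer watchdog time 300
 action 1.0 cli command "enable"
 action 1.1 cli command "ping office.example.net repeat 1"
 action 1.2 regexp "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "$_cli_result" match peer
 action 1.3 if $_regexp_result eq "1"
 action 2.0  cli command "configure terminal"
 action 2.1  cli command "no ip sla schedule 2 life forever start-time now"
 action 2.2  cli command "no ip sla 2"
 action 2.3  cli command "ip sla 2"
 action 2.4  cli command "icmp-echo $peer source-interface Cellular0"
 action 2.5  cli command "frequency 30"
 action 2.6  cli command "exit"
 action 2.7  cli command "ip sla schedule 2 life forever start-time now"
 action 2.8  cli command "ip access-list extended HOME-to-OFFICE"
 action 2.9  cli command "no 10"
 action 3.0  cli command "10 permit gre any host $peer"
 action 3.1  cli command "interface Tunnel0"
 action 3.2  cli command "tunnel destination $peer"
 action 3.3  cli command "end"
 action 3.4  syslog msg "HOME-to-OFFICE peer resolved to $peer"
 action 3.5 else
 action 3.6  syslog msg "HOME-to-OFFICE peer lookup failed, keeping current peer"
 action 3.7 end
```

Two things worth checking before deploying this pattern. The crypto ACL, the probe target and the tunnel destination all follow whatever the DDNS record says, so the DDNS account credentials (which sit in cleartext in the update URL) and the IKE pre-shared key are what tie the tunnel to the intended peer; protect the DDNS account accordingly and avoid reusing the wildcard key across sites. Also, the "eem-script" account in the post above is a privilege 15 user with a type 5 (MD5) secret; on IOS releases that support it, "username ... algorithm-type scrypt secret ..." yields a type 9 hash, and the autocommand login from the peer should be restricted (for example with a line ACL) to the addresses the EEM applet actually uses.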