
Dynamic VPN between two 4G/LTE Cisco 819 routers

GTechy
Beginner

Is it possible to create a VPN between two Cisco 819 routers using 4G/LTE (both dynamic endpoints)? What would be the steps without required?

1 Accepted Solution


Rejohn Cuares
Enthusiast

This can be done using these Cisco IOS tools. I have used this and it works.

1. EEM

- EEM is used to update the configuration of the IPSec peer.

2. DDNS

- DDNS is used to publish its new IP to DynDNS.

- Reference: Refer to https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-mt/dns-15-mt-book/dns-dyn-dns-supp-ios.html#GUID-89BCB212-EE5C-40D9-AEF5-B18DDB5D5758

Cisco also published a tech note on this kind of setup.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/118048-technote-ipsec-00.html

Please be aware that for the 4G/LTE, the IP address that is allocated by the ISP is a private IP address and the ISP does the NAT. This is what I noticed in my country anyway, not sure in other parts of the world. Thus, make sure that your 4G/LTE provider assigns a public IP address instead of a private IP address.

HTH.

Please rate replies and mark question as "answered" if applicable.
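
A sketch of the setup this answer describes, shown for one of the two routers. It is an added example, not configuration from the poster or from Cisco's tech note. The hostnames, name server, method, profile and applet names, tunnel addressing, DDNS credentials and pre-shared key are placeholders, and both cellular links are assumed to receive public addresses with the rest of the cellular configuration already in place.

```cisco
! Router A (constructed example; Router B mirrors it with the hostnames swapped).
! Placeholders: DDNS_USER, DDNS_PASSWORD, PLACEHOLDER_PSK, site-a/site-b.example.net,
! the name server 192.0.2.53 and the 172.16.255.0/30 tunnel addressing.
ip domain lookup
ip name-server 192.0.2.53
!
! DDNS: publish this router's current cellular address to DynDNS.
! <h> and <a> are IOS tokens for the hostname and the interface address.
! The update uses plain HTTP, so the credentials cross the carrier network in cleartext.
ip ddns update method DYNDNS
 HTTP
  add http://DDNS_USER:DDNS_PASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!
interface Cellular0
 ip ddns update hostname site-a.example.net
 ip ddns update DYNDNS
!
! IKE/IPsec. The peer address is not known in advance, so the key matches any address;
! use a long random key, or certificates (authentication rsa-sig) instead.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
!
interface Tunnel1
 ip address 172.16.255.1 255.255.255.252
 tunnel source Cellular0
 tunnel mode ipsec ipv4
 tunnel destination site-b.example.net
 tunnel protection ipsec profile VTI-PROFILE
!
! EEM: IOS resolves the tunnel destination name once, when the command is entered.
! Re-entering it every 5 minutes picks up the peer's new address.
event manager applet REFRESH-TUNNEL-DEST
 event timer watchdog time 300
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Tunnel1"
 action 4.0 cli command "tunnel destination site-b.example.net"
 action 5.0 cli command "end"
```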


8 Replies

Richard Burts
Hall of Fame

While it is quite possible to configure site to site VPN where one peer has a static IP and the other peer has a dynamic IP (the peer with dynamic IP uses a regular static crypto map and has a set peer statement identifying its peer, and the peer with static IP uses a dynamic crypto map in which it does not need to identify its peer) it is problematic to try to set up VPN when both peers use dynamic IP. The biggest problem is that if both peers have dynamic IP then both peers would need to use dynamic crypto map (because neither peer would be able to do a set peer in a static crypto map). The dynamic crypto map says that the device will respond to any request but does not originate any request. If neither peer can originate a request then how do you get the VPN started?

I do not know of a way to achieve what you are asking.

HTH

Rick


Really appreciate the information. Rejohn, if you can, would you be able to share an example script?
Regards

Both dynamic IP addresses appear to be private or public IP addresses (100.xxx.xxx.xxx, 10.xx.xx.xx) from network CGNAT. I'm struggling to make a VPN between them using the DDNS. The GRE tunnel or VPN doesn't work. Is there any workaround to solve this?

The post from Rejohn does advocate that you get the provider to supply a public IP for the 4G/LTE connection. If both peers have public IP then it would seem pretty easy to get the VPN to work. I would think that as long as one peer had a public IP then you could initiate the tunnel from the peer with private IP. I am not sure how it would work when both are private IP. Rejohn is the one who has experience with this and I leave further suggestion to him.

HTH

Rick

Hi Rich,
I managed to create an IPSEC VPN between two Cisco 4G routers. Then, I created an L2TP tunnel between the serial interfaces of the routers; the L2TP is inside the IPSEC VPN. Now, I am trying to data test (X.2) from one serial interface with a loop at the other serial interface but it doesn't seem to be working. Both IPSEC VPN and L2TP tunnel are up and established. Surely, I should be able to pass data from one end to another; am I missing something here?