IKEv1 and IKEv2 IPsec using DDNS

manojyesh
Level 1

Dear Team,

Greetings,

I have routers from the 800 series and the 900 series on the Sites. The existing 800 series routers do not support IKEv2, while the 900 series does. I am looking to create IKEv2 configurations, which will include a Proposal, Keyring, Profile, and Crypto Map.

Our organization is using Dynamic DNS (DDNS) from dyndns.com and all sites have established IPsec VPN tunnels connecting to the Head Office (HO) properly. The DDNS is registered with the HO gateway (xxx.dyndns.com) and all sites point to the HO dyndns.com. Currently, all sites are configured for IKEv1, and I would like to transition a few routers to IKEv2. I would appreciate any guidance on setting up IKEv2 with DDNS.

I have not found specific guidance for configuring IKEv2 using DDNS on any websites. The HO gateway is a Cisco MX 105, which will support both IKEv1 and IKEv2. I am sharing the existing IKEv1 configuration of my current site router for reference.

 

crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <presharedkey> address 0.0.0.0
crypto isakmp keepalive 20
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set setA esp-des esp-md5-hmac
 mode tunnel
!
!
!
crypto map mapA 1 ipsec-isakmp
 set peer xxx.dyndns.com dynamic
 set transform-set setA
 match address 140

Thank you for your support and guidance.

2 Replies

sdroy
Level 1

To transition your network from IKEv1 to IKEv2 while using Dynamic DNS (DDNS), you'll need to configure IKEv2 proposals, policies, and profiles on your routers. Begin by creating an IKEv2 proposal that defines encryption, integrity, and DH group settings. Associate this proposal with a policy and define a keyring for pre-shared keys, using a wildcard address for flexibility with DDNS. Next, create an IKEv2 profile that matches the remote peer's identity, links the keyring, and specifies authentication methods. For IPsec, define a transform set and a crypto map that references the IKEv2 profile and DDNS hostname of the Head Office (e.g., xxx.dyndns.com). Apply the crypto map to the WAN interface. Ensure that your DNS settings are properly configured for resolving the DDNS hostname and test the IKEv2 connection on a few routers before full deployment. By systematically applying these steps, you'll establish secure IKEv2 IPsec VPN tunnels using DDNS.

Shuvodip Roy
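The steps in this reply, carried through as one complete IOS configuration. This is an added illustration, not the poster's configuration and not taken from a Cisco or Meraki document. The peer hostname xxx.dyndns.com and the Dialer0 interface are the ones used in the thread; the object names (proposal and policy HO, keyring Meraki-MX, profile DYNAMIC, transform set setA, crypto map mapA), the name-server address, the LAN subnets in ACL 140 and the choice of DH group 14 are assumptions, and the IKEv2 parameters must match whatever the MX at the head office is set to negotiate.

```cisco
! --- DNS: the router must be able to resolve the HO DDNS name.
!     192.0.2.53 is a placeholder name server.
ip domain lookup
ip name-server 192.0.2.53
!
! --- IKEv2 phase 1: proposal, then a policy that references it
crypto ikev2 proposal HO
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy HO
 match fvrf any
 proposal HO
!
! --- Keyring: wildcard peer address, because the HO public IP changes with DDNS
crypto ikev2 keyring Meraki-MX
 peer HO
  address 0.0.0.0 0.0.0.0
  pre-shared-key <HO Key>
!
! --- Profile: any remote address, pre-shared key both ways, bound to the keyring
crypto ikev2 profile DYNAMIC
 match fvrf any
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local Meraki-MX
!
! --- Liveness: dead peer detection and NAT-T keepalives (site is behind PPPoE/NAT)
crypto ikev2 dpd 10 3 on-demand
crypto ikev2 nat keepalive 20
!
! --- IPsec phase 2
crypto ipsec transform-set setA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Interesting traffic: site LAN to HO LAN (placeholder subnets)
access-list 140 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.0.255.255
!
! --- Crypto map: the "dynamic" keyword makes IOS resolve xxx.dyndns.com via DNS
!     right before it establishes the tunnel, so a changed HO address is picked up
crypto map mapA 1 ipsec-isakmp
 set peer xxx.dyndns.com dynamic
 set transform-set setA
 set pfs group14
 set ikev2-profile DYNAMIC
 match address 140
!
interface Dialer0
 crypto map mapA
!
! --- Verification after sending traffic that matches ACL 140:
!   ping xxx.dyndns.com      (name resolution works through the configured server)
!   show crypto ikev2 sa     (IKEv2 SA READY, remote = the resolved HO address)
!   show crypto ipsec sa     (encaps/decaps counters increasing)
```

Two points worth checking on a live router: Dialer0 also carries `ip nat outside`, so the existing NAT ACL must deny the same source/destination pair that ACL 140 permits, otherwise the packets are translated before the crypto map sees them and never match; and if the tunnel never comes up after the HO address changes, clear the stale SA (`clear crypto ikev2 sa`) so the next initiation triggers a fresh DNS lookup.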

Hi,

I created the Proposal, Profile, Keyring, and Crypto IPsec steps. I am pasting them here; if you can update me on whether the mentioned commands are fine, or if any commands require attention, kindly highlight them, please.

Thank you for the help and support.

crypto ikev2 proposal HO
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256
 group 15
!
crypto ikev2 policy Meraki
 match fvrf any
 proposal HO
!
crypto ikev2 keyring Meraki-MX
 peer HO
  address 0.0.0.0 0.0.0.0
  pre-shared-key <HO Key>
!
!
crypto ikev2 profile DYNAMIC
 match fvrf any
 ! 0.0.0.0 = accept any remote address (the HO IP changes with DDNS)
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local Meraki-MX
!
crypto ipsec transform-set setA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map mapA 1 ipsec-isakmp
 ! xxx.dyndns.com is the HO DDNS hostname; "dynamic" makes the router
 ! resolve it via DNS each time the tunnel is brought up
 set peer xxx.dyndns.com dynamic
 set transform-set setA
 set pfs group15
 set ikev2-profile DYNAMIC
 match address 130
!
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 5
 dialer remote-name etisalat
 dialer idle-timeout 0
 dialer persistent
 dialer-group 10
 ppp pap sent-username xxxx password 0 xxxx
 crypto map mapA

Manoj