VPN Site-to-Site with dynamic IP

meddane, Frequent Contributor

A site-to-site IPsec VPN with a dynamic IP endpoint is typically used when a branch site obtains a dynamic public IP address from its Internet ISP, for example over an ADSL connection.

One important note: a site-to-site VPN whose remote routers have dynamic public IP addresses can only be brought up by the remote (spoke) routers, because only they know the hub router's public IP address.

 

R1, the hub, has a static public IP address. R2 and R3, the spokes, have dynamic public IP addresses.

[Topology diagram: ISE.PNG]

 

Configure the IP addressing as illustrated in the topology:

 

R1:

interface Loopback0

 ip address 10.1.1.1 255.255.255.0

!

interface FastEthernet0/0

 ip address 14.0.0.1 255.255.255.0

 no shutdown

!

ip route 0.0.0.0 0.0.0.0 14.0.0.4

 

R2:

interface Loopback0

 ip address 10.2.2.2 255.255.255.0

!

interface FastEthernet0/0

 ip address 24.0.0.2 255.255.255.0

 no shutdown

!

ip route 0.0.0.0 0.0.0.0 24.0.0.4

 

R3:

interface Loopback0

 ip address 10.3.3.3 255.255.255.0

!

interface FastEthernet0/0

 ip address 34.0.0.3 255.255.255.0

 no shutdown

!

ip route 0.0.0.0 0.0.0.0 34.0.0.4

 

Configure NAT to translate the LAN networks connected to R1, R2 and R3, and exclude traffic between the LAN networks from translation. Note that on R2 and R3 only the traffic from their own LAN network to R1's LAN network needs to be excluded, since the spokes only build a tunnel to the hub.

 

R1(config)#ip access-list extended NAT-ACL

R1(config-ext-nacl)#deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

R1(config-ext-nacl)#deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

R1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 any

R1(config)#ip nat inside source list NAT-ACL interface FastEthernet0/0 overload

 

R2(config)#ip access-list extended NAT-ACL

R2(config-ext-nacl)#deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

R2(config-ext-nacl)#permit ip 10.2.2.0 0.0.0.255 any

R2(config)#ip nat inside source list NAT-ACL interface FastEthernet0/0 overload

 

R3(config)#ip access-list extended NAT-ACL

R3(config-ext-nacl)#deny ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255

R3(config-ext-nacl)#permit ip 10.3.3.0 0.0.0.255 any

R3(config)#ip nat inside source list NAT-ACL interface FastEthernet0/0 overload

 

Enable NAT on the Lo0 (inside) and Fa0/0 (outside) interfaces of R1, R2 and R3:

 

R1(config)#interface Loopback0

R1(config-if)#ip nat inside

R1(config-if)#interface FastEthernet0/0

R1(config-if)#ip nat outside

 

R2(config)#interface Loopback0

R2(config-if)#ip nat inside

R2(config-if)#interface FastEthernet0/0

R2(config-if)#ip nat outside

 

R3(config)#interface Loopback0

R3(config-if)#ip nat inside

R3(config-if)#interface FastEthernet0/0

R3(config-if)#ip nat outside

 

Configure the interesting traffic (the crypto ACLs that select what is encrypted):

 

R1(config)#ip access-list extended VPN-TO-R2

R1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

 

R1(config)#ip access-list extended VPN-TO-R3

R1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

 

R2(config)#ip access-list extended VPN-TO-R1

R2(config-ext-nacl)#permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

 

R3(config)#ip access-list extended VPN-TO-R1

R3(config-ext-nacl)#permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255

 

Configure Phase 1 ISAKMP:

 

For ISAKMP policy use the following parameters:

 

1-Encryption: aes

2-Hash: sha

3-Authentication: pre-share

4-Diffie-Hellman: Group 1

 

On R1:

 

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encr aes

R1(config-isakmp)#hash sha

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 1

 

On R2:

 

R2(config)#crypto isakmp policy 1

R2(config-isakmp)#encr aes

R2(config-isakmp)#hash sha

R2(config-isakmp)#authentication pre-share

R2(config-isakmp)#group 1

 

On R3:

 

R3(config)#crypto isakmp policy 1

R3(config-isakmp)#encr aes

R3(config-isakmp)#hash sha

R3(config-isakmp)#authentication pre-share

R3(config-isakmp)#group 1

 

On R2 and R3, define the pre-shared key used to authenticate with the hub R1 (14.0.0.1):

 

R2(config)#crypto isakmp key cisco address 14.0.0.1

 

R3(config)#crypto isakmp key cisco address 14.0.0.1

 

Configure Phase 2 IPsec on Spokes R2 and R3:

 

On R2 and R3, configure a transform set with AES encryption and SHA-HMAC for authentication:

 

R2(config)#crypto ipsec transform-set TEST esp-aes esp-sha-hmac

 

R3(config)#crypto ipsec transform-set TEST esp-aes esp-sha-hmac

 

On R2 and R3, configure a crypto map and attach the transform set, the peer address of R1 and the ACL that defines the interesting traffic:

 

R2(config)#crypto map VPNMAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

        and a valid access list have been configured.

R2(config-crypto-map)# set peer 14.0.0.1

R2(config-crypto-map)# set transform-set TEST

R2(config-crypto-map)# match address VPN-TO-R1

 

R3(config)#crypto map VPNMAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

        and a valid access list have been configured.

R3(config-crypto-map)# set peer 14.0.0.1

R3(config-crypto-map)# set transform-set TEST

R3(config-crypto-map)# match address VPN-TO-R1

 

Attach the crypto map above to the Fa0/0 interface:

 

R2(config)#interface FastEthernet0/0

R2(config-if)# crypto map VPNMAP

 

R3(config)#interface FastEthernet0/0

R3(config-if)# crypto map VPNMAP

 

On R1, define the pre-shared key used to authenticate the spokes R2 and R3. We configure a wildcard address and mask (0.0.0.0 0.0.0.0) for the pre-shared key

because we don't know the public IP addresses of R2 and R3, since they are dynamic. R1 will accept ISAKMP requests from any router that presents the correct pre-shared key.

 

R1(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0

 

Remember, R2 and R3 were configured earlier with a static crypto map that references the peer IP address of R1 (14.0.0.1). Since the IP addresses of R2 and R3 are not known, on R1 we need to configure a "dynamic crypto map" that is then referenced from the "static crypto map".

 

First, on R1, configure two transform sets with AES encryption and SHA-HMAC for authentication. Note that a single transform set could be used for both R2 and R3; two are used here only to keep the two spokes' configuration separate:

 

R1(config)#crypto ipsec transform-set TEST-TO-R2 esp-aes esp-sha-hmac

R1(config)#crypto ipsec transform-set TEST-TO-R3 esp-aes esp-sha-hmac

 

Create a dynamic crypto map (dynmap-R2) that references the transform set "TEST-TO-R2" and the ACL "VPN-TO-R2":

 

R1(config)#crypto dynamic-map dynmap-R2 10

R1(config-crypto-map)# set transform-set TEST-TO-R2

R1(config-crypto-map)# match address VPN-TO-R2

 

Create a dynamic crypto map (dynmap-R3) that references the transform set "TEST-TO-R3" and the ACL "VPN-TO-R3":

 

R1(config)#crypto dynamic-map dynmap-R3 20

R1(config-crypto-map)# set transform-set TEST-TO-R3

R1(config-crypto-map)# match address VPN-TO-R3

 

Then create a static crypto map (VPNMAP) whose entries use the two dynamic maps configured previously:

 

R1(config)#crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap-R2

R1(config)#crypto map VPNMAP 20 ipsec-isakmp dynamic dynmap-R3

 

Attach the static crypto map (VPNMAP) to the fa0/0 interface:

 

R1(config)#interface FastEthernet0/0

R1(config-if)#crypto map VPNMAP

 

To test, deny the translation of ICMP packets in the ACL "NAT-ACL":

 

R1(config)#ip access-list extended NAT-ACL

R1(config-ext-nacl)#21 deny icmp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

R1(config-ext-nacl)#22 deny icmp 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

 

R2(config-if)#ip access-list ext NAT-ACL

R2(config-ext-nacl)#15 deny icmp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

 

R3(config-if)#ip access-list ext NAT-ACL

R3(config-ext-nacl)#15 deny icmp 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
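As an added check that is not part of the original post: the script below models IOS first-match ACL evaluation and verifies that every flow permitted by a crypto ACL is denied (that is, exempted) by the NAT ACL, because inside-to-outside NAT runs before the crypto map and a translated packet no longer matches the tunnel's interesting traffic. It also reports shadowed entries; run on R1's NAT-ACL as it stands after the test step above, it shows that sequence numbers 21 and 22 can never match because entries 10 and 20 already deny all IP traffic to those networks, ICMP included. R2_NAT_BAD is a constructed misconfiguration (a spoke NAT ACL whose deny line was forgotten), not something from the post.

```python
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "seq action proto src dst")  # one ACL entry; src/dst are IPv4Networks

def _net(tok):
    """Consume one IOS address spec: 'any' or 'ADDRESS WILDCARD' (a wildcard is a hostmask)."""
    t = tok.pop(0)
    return ipaddress.IPv4Network("0.0.0.0/0" if t == "any" else (t, tok.pop(0)))

def parse_acl(text):
    """Parse '[SEQ] action proto src dst' lines; unnumbered entries get 10, 20, ... as IOS does."""
    acl, seq = [], 0
    for line in text.strip().splitlines():
        tok = line.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else seq + 10
        action, proto = tok.pop(0), tok.pop(0)
        acl.append(Ace(seq, action, proto, _net(tok), _net(tok)))
    return sorted(acl, key=lambda a: a.seq)

def covers(ace, proto, src, dst):
    """True when the ACE fully contains the flow (IOS evaluates top-down, first match wins)."""
    return ace.proto in ("ip", proto) and src.subnet_of(ace.src) and dst.subnet_of(ace.dst)
def overlaps(ace, proto, src, dst):
    return ace.proto in ("ip", proto) and ace.src.overlaps(src) and ace.dst.overlaps(dst)

def natted_vpn_flows(nat_acl, crypto_acl):
    """Seq numbers of crypto-ACL flows the NAT ACL would still translate. NAT runs before
    the crypto map, so such traffic leaves in the clear instead of entering the tunnel."""
    leaks = []
    for f in (a for a in crypto_acl if a.action == "permit"):
        hit = next((a for a in nat_acl if overlaps(a, f.proto, f.src, f.dst)), None)
        if hit is not None and not (hit.action == "deny" and covers(hit, f.proto, f.src, f.dst)):
            leaks.append(f.seq)
    return leaks

def shadowed(acl):
    """Entries that can never match because an earlier entry already covers them."""
    return [a.seq for i, a in enumerate(acl)
            if any(covers(p, a.proto, a.src, a.dst) for p in acl[:i])]

# R1's NAT-ACL as it stands after the ICMP test entries from the post were inserted.
R1_NAT = parse_acl("""
10 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
20 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
21 deny icmp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
22 deny icmp 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
30 permit ip 10.1.1.0 0.0.0.255 any
""")
VPN_TO_R2 = parse_acl("permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255")
R2_NAT_BAD = parse_acl("permit ip 10.2.2.0 0.0.0.255 any")  # constructed: deny line forgotten
VPN_TO_R1 = parse_acl("permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255")
```

`natted_vpn_flows(R2_NAT_BAD, VPN_TO_R1)` returns `[10]`, flagging the spoke flow that would be translated and never encrypted, while R1's ACL returns no leaks.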

 

Let's try a ping from R3 to the LAN network of the hub, using the Lo0 interface as the source. Note that only the spoke routers R2 and R3 know R1's public IP address (14.0.0.1), because it is static, and therefore only a spoke router can initiate the VPN tunnel.

 

R3#ping 10.1.1.1 sou lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 10.3.3.3

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 220/246/272 ms

R3#

 

The ISAKMP SA has been established between R1 and R3:

 

R3#show crypto isakmp sa det

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       T - cTCP encapsulation, X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

IPv4 Crypto ISAKMP SA

 

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

 

1002  34.0.0.3        14.0.0.1               ACTIVE aes  sha    psk  1  23:58:55

       Engine-id:Conn-id =  SW:2

 

IPv6 Crypto ISAKMP SA

 

R3#

 

The IPsec SA is established between R1 and R3. The first ICMP echo was lost while the tunnel was being negotiated, so the encrypted/decrypted packet counters show 4:

 

R3#show crypto ipsec sa | s local|remote|pkts

    Crypto map tag: VPNMAP, local addr 34.0.0.3

   local  ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

     local crypto endpt.: 34.0.0.3, remote crypto endpt.: 14.0.0.1

 

R3#

 

On R1, the hub has only one ISAKMP SA, with R3; the ISAKMP SA with R2 has not yet been negotiated:

 

R1#show crypto isakmp sa det

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       T - cTCP encapsulation, X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

IPv4 Crypto ISAKMP SA

 

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

 

1003  14.0.0.1        34.0.0.3               ACTIVE aes  sha    psk  1  23:54:06

       Engine-id:Conn-id =  SW:3

 

IPv6 Crypto ISAKMP SA

 

R1#

 

The IPsec SA on R1 shows the same number of encrypted/decrypted packets (4):

 

R1#show crypto ipsec sa | s local|remote|pkts

    Crypto map tag: VPNMAP, local addr 14.0.0.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

     local crypto endpt.: 14.0.0.1, remote crypto endpt.: 34.0.0.3

 

R1#

 

Let's try a ping from R2 with Lo0 as the source to the LAN network of R1:

 

R2#ping 10.1.1.1 sou lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 10.2.2.2

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 172/220/252 ms

R2#

 

The ISAKMP SA has been established between R1 and R2:

 

R2#show crypto isakmp sa det

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       T - cTCP encapsulation, X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

IPv4 Crypto ISAKMP SA

 

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

 

1002  24.0.0.2        14.0.0.1               ACTIVE aes  sha    psk  1  23:59:10

       Engine-id:Conn-id =  SW:2

 

IPv6 Crypto ISAKMP SA

 

R2#

 

The IPsec SA on R2 shows four encrypted/decrypted packets, because one ICMP echo was lost during tunnel setup:

 

R2#show crypto ipsec sa | s local|remote|pkts

    Crypto map tag: VPNMAP, local addr 24.0.0.2

   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

     local crypto endpt.: 24.0.0.2, remote crypto endpt.: 14.0.0.1

 

R2#

 

R1 now has two ISAKMP SAs, one with R2 and one with R3:

 

R1#show crypto isakmp sa det

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       T - cTCP encapsulation, X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

IPv4 Crypto ISAKMP SA

 

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

 

1004  14.0.0.1        24.0.0.2               ACTIVE aes  sha    psk  1  23:57:24

       Engine-id:Conn-id =  SW:4

 

1003  14.0.0.1        34.0.0.3               ACTIVE aes  sha    psk  1  23:48:25

       Engine-id:Conn-id =  SW:3

 

IPv6 Crypto ISAKMP SA

 

R1#

 

R1 has now built two IPsec SAs, one with R2 and one with R3:

 

R1#show crypto ipsec sa | s local|remote|pkts

    Crypto map tag: VPNMAP, local addr 14.0.0.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

     local crypto endpt.: 14.0.0.1, remote crypto endpt.: 24.0.0.2

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

     local crypto endpt.: 14.0.0.1, remote crypto endpt.: 34.0.0.3

 

R1#

 

The show crypto session command on R1 displays the public IP addresses of all remote spoke routers currently connected, which is how the hub learns the spokes' dynamic addresses:

 

R1#show crypto session

Crypto session current status

 

Interface: FastEthernet0/0

Session status: UP-ACTIVE

Peer: 24.0.0.2 port 500

  IKEv1 SA: local 14.0.0.1/500 remote 24.0.0.2/500 Active

  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.2.2.0/255.255.255.0

        Active SAs: 2, origin: dynamic crypto map

 

Interface: FastEthernet0/0

Session status: UP-ACTIVE

Peer: 34.0.0.3 port 500

  IKEv1 SA: local 14.0.0.1/500 remote 34.0.0.3/500 Active

  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.3.3.0/255.255.255.0

        Active SAs: 2, origin: dynamic crypto map

 

R1#