Introduction: This document describes the process of creating a LAN-to-LAN tunnel between two routers when both routers have a dynamic IP address.
Hardware: Cisco Router
Software: 12.4
DDNS registration for both sites
Procedure:
To achieve this, we need a Dynamic DNS (DDNS) registered name for both sites from the ISP. Once DDNS is configured for both sites, the router resets the tunnel destination every minute to whatever IP address the remote site's DDNS name currently resolves to.
Instead of a crypto map we use a crypto profile with a VTI, so that the tunnels re-establish automatically. The beauty of a profile is that you can run routing protocols through it, and you don't have to change the crypto maps every time the network topology changes.
We will use the event manager to implement the DDNS update:
event manager applet change-tunnel-dest
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel199"
action 1.3 cli command "tunnel destination remotevpn.gotdns.com"
The fields of "* * * * *" in the event timer are "minute hour day month weekday", so "* * * * *" means the applet runs every minute.
The tunnel destination is stored as an IP address, not a hostname. You can enter a hostname when you configure it, but the router converts it to an IP address at the time you configure it.
So if you type:
config terminal
interface tunnel100
tunnel destination remote.dyndns.com
exit
And then:
show run int tunnel100
It shows:
interface Tunnel100
tunnel destination 75.67.43.79
That is why the event manager re-enters the tunnel destination every minute: each run resolves the DDNS name again and stores whatever IP address it currently returns.
Configuration Sample:
Local Router:
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
! XXXX is the pre-shared key; the wildcard address is used because the peer IP is dynamic
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
set transform-set ESP-3DES-SHA
!
interface Tunnel100
description to remote.dyndns.org
ip address 10.10.10.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1400
tunnel source Dialer0
tunnel destination <remote dynamic Ip>
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTOPROFILE
ip route 192.168.2.0 255.255.255.0 10.10.10.2
event manager applet change-tunnel-dest
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel100"
action 1.3 cli command "tunnel destination remote.dyndns.org"
! remote.dyndns.org is the DDNS name of the remote site
Remote Router:
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
! XXXX is the pre-shared key; the wildcard address is used because the peer IP is dynamic
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CRYPTOPROFILE
set transform-set ESP-3DES-SHA
interface Tunnel100
description to local.dyndns.org
ip address 10.10.10.2 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1400
tunnel source Dialer0
tunnel destination 93.219.58.191
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTOPROFILE
ip route 192.168.1.0 255.255.255.0 10.10.10.1
event manager applet change-tunnel-dest
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel100"
action 1.3 cli command "tunnel destination local.dyndns.org"
! local.dyndns.org is the DDNS name of the local site
Verify:
Use the following commands:
show crypto isakmp sa
show crypto ipsec sa
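The show commands only help once the configuration is on the router. As an added example (not part of the original document or of any Cisco tool), the Python check below reads a configuration in the layout used above and reports names that are referenced but never defined: a transform set named in a profile, a profile named on a tunnel, or a tunnel interface named in the event manager applet. The function name, the sample configuration and the hostname remote.example.net are assumptions made for the example.

```python
import re

# Constructed sample (not copied from either router): two deliberate mistakes,
# an undefined transform-set name and an applet aimed at the wrong tunnel.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CRYPTOPROFILE
set transform-set ESP-AES-SHA
interface Tunnel100
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTOPROFILE
event manager applet change-tunnel-dest
action 1.2 cli command "interface tunnel199"
action 1.3 cli command "tunnel destination remote.example.net"
"""

def lint_vti_config(text):
    """Return dangling-reference findings for an IOS VTI + EEM configuration."""
    transform_sets, profiles, interfaces, applet_targets = set(), {}, {}, []
    kind = name = None                      # block currently being read
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transform_sets.add(m.group(1))
            kind = None
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            kind, name = "profile", m.group(1)
            profiles[name] = []
        elif m := re.match(r"interface (\S+)", line, re.I):
            kind, name = "interface", m.group(1).lower()
            interfaces[name] = None         # no IPsec profile seen yet
        elif m := re.match(r"event manager applet (\S+)", line):
            kind, name = "applet", m.group(1)
        elif kind == "profile" and (m := re.match(r"set transform-set (.+)", line)):
            profiles[name] += m.group(1).split()
        elif kind == "interface" and (m := re.match(r"tunnel protection ipsec profile (\S+)", line)):
            interfaces[name] = m.group(1)
        elif kind == "applet" and (m := re.search(r'cli command "interface ([^"\s]+)"', line, re.I)):
            applet_targets.append((name, m.group(1).lower()))
    findings = [f"profile {p}: transform-set {s} is not defined"
                for p, sets in profiles.items() for s in sets if s not in transform_sets]
    findings += [f"{i}: ipsec profile {p} is not defined"
                 for i, p in interfaces.items() if p and p not in profiles]
    findings += [f"applet {a}: {t} is not a configured interface"
                 for a, t in applet_targets if t not in interfaces]
    return findings

if __name__ == "__main__":
    for finding in lint_vti_config(SAMPLE_CONFIG):
        print(finding)
```

Interface names are compared case-insensitively, so an applet action that says tunnel100 matches interface Tunnel100; abbreviated forms such as "int tu100" are not recognised.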
I hope this will be informative, and I want to thank you for viewing.