
819 with dynamic cellular IP configure site to site vpn to SonicWall

Eric Brown
Level 1

I have an 819 router with a cellular-only connection from ATT with a dynamic IP, and I am trying to create a site-to-site VPN connection with a SonicWall NSA3500. SonicWall suggests setting up aggressive mode for a dynamic endpoint. I can then set the primary gateway address on the SonicWall to 0.0.0.0 to accept a connection from an unknown IP. For IKE authentication it requires a peer IKE ID of either domain name, email address, key identifier, firewall identifier, or IP address, which we don't have because it's dynamic. So how do I configure the Cisco 819 to send the domain name or key identifier to the SonicWall in the crypto map?

I had a standard site to site crypto map but it did not work. Should I make a profile with an identifier in it?

Does anyone have experience with this, a dynamic IP connecting to a SonicWall?

Thanks for the help in advance

 

2 Replies

Hello,

The command is:

crypto isakmp identity key-id <tunnel-group_name>

Here is some very good material covering two ASAs, but you can adapt it to your environment as well:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html 

Eric Brown
Level 1

Thanks for the response. I tried the command but it did not help with the crypto I had configured. I think it was still using main mode on the Cisco router. I did get the VPN to work by using an isakmp profile, but I am still unclear if it is correct.

This is my working config and may have extra unnecessary items. I do know that it needs to be aggressive and have a self-identity (which I am using on the SonicWall side for the remote peer).

 

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key password address xxx.xxx.xxx.xx
crypto isakmp key password address xx.xxx.xx.xx    no-xauth
crypto isakmp profile profile-agg
   keyring default
   self-identity fqdn routername.domain.com
   match identity address xx.xxx.xx.xx 255.255.255.255
   match identity address xxx.xx.xx.xx 255.255.255.255
   initiate mode aggressive
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map AGGVPN isakmp-profile profile-agg
crypto map AGGVPN 10 ipsec-isakmp
 set peer xx.xxx.xx.xx
 set peer xxx.xxx.xx.xx
 set transform-set aesset
 match address 121
!
!
!
!
!
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 30
 dialer in-band
 dialer string lte
 dialer-group 1
 no peer default ip address
 async mode interactive
 crypto map AGGVPN
 routing dynamic
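
As an added example (not part of the thread and not Cisco tooling), this Python check parses an IOS config and confirms the chain the last post relies on: the crypto map applied to an interface is bound to an ISAKMP profile that sets `initiate mode aggressive` and a `self-identity`. The function names and the sample address are assumptions made for the illustration, and only the profile-based setup shown in the thread is covered.

```python
import re

# Constructed sample (the address is a documentation placeholder, not from the thread).
SAMPLE = """\
crypto isakmp profile profile-agg
   self-identity fqdn routername.domain.com
   match identity address 192.0.2.10 255.255.255.255
   initiate mode aggressive
!
crypto map AGGVPN isakmp-profile profile-agg
crypto map AGGVPN 10 ipsec-isakmp
!
interface Cellular0
 crypto map AGGVPN
"""

def blocks(config):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = line.strip()
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line.strip())
    return out

def check_profile_wiring(config):
    """Return a list of problems; an empty list means the wiring is complete."""
    cfg, problems = blocks(config), []
    applied = sorted({kid.split()[2] for head, kids in cfg.items()
                      if head.startswith("interface ")
                      for kid in kids if kid.startswith("crypto map ")})
    if not applied:
        problems.append("no crypto map is applied to an interface")
    for name in applied:
        bound = re.findall(rf"^crypto map {re.escape(name)} isakmp-profile (\S+)", config, re.M)
        kids = cfg.get(f"crypto isakmp profile {bound[0]}") if bound else None
        if not bound:
            problems.append(f"crypto map {name}: no isakmp-profile bound")
        elif kids is None:
            problems.append(f"profile {bound[0]}: referenced but not defined")
        else:
            for need in ("initiate mode aggressive", "self-identity "):
                if not any(k.startswith(need) for k in kids):
                    problems.append(f"profile {bound[0]}: missing '{need.strip()}'")
    return problems
```

Calling `check_profile_wiring()` on the text of a saved running config returns an empty list when every link in the chain is present.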