Change VPN IPSEC static-static to static-dynamic

DucTranHong5512 · ‎09-30-2019

Hi, i have VPN site-to-site ipsec and have static all both site. It's worked. Now i add 1 site to VPN, so i must change to static-dynamic. But my vpn between 2 old site cant work, i just only change config in hub site.

##hub

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key cisco123 address 0.0.0.0 //new config is red text

!

crypto ipsec transform-set TS esp-3des esp-md5-hmac

mode tunnel

!

crypto dynamic-map hq-vpn 10

set security-association lifetime seconds 86400

set transform-set TS

match address VPNTRAFFIC

!

crypto map VPN-DYNAMIC 10 ipsec-isakmp dynamic hq-vpn

!

crypto map cmap 10 ipsec-isakmp

set peer <peer ip public>

set security-association lifetime seconds 86400

set transform-set TS

match address VPNTRAFFIC

!

interface Dialer1

crypto map VPN-DYNAMIC !

##Spoke

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key cisco123 address <peer public ip>

!

crypto ipsec transform-set TS esp-3des esp-md5-hmac

mode tunnel

!

crypto map cmap 10 ipsec-isakmp

set peer <peer public ip>

set security-association lifetime seconds 86400

set transform-set TS

match address VPNTRAFFIC

Thanks so much!

Rob Ingram · ‎09-30-2019

Hi,

Here is a guide to implement Dynamic Crypto map, check out the crypto dynamic-map section which is configured differently to yours. Alternatively you could consider implementing a Dynamic VTI (DVTI) solution such as FlexVPN or DMVPN.

HTH