Change VPN IPSEC static-static to static-dynamic

DucTranHong5512
Level 1

Hi, I have a site-to-site IPsec VPN with static addresses on both sites. It worked. Now I am adding 1 site to the VPN, so I must change to static-dynamic. But my VPN between the 2 old sites can't work; I only changed the config on the hub site.

##hub

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 //new config is red text
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
crypto dynamic-map hq-vpn 10
 set security-association lifetime seconds 86400
 set transform-set TS
 match address VPNTRAFFIC
!
!
crypto map VPN-DYNAMIC 10 ipsec-isakmp dynamic hq-vpn
!
crypto map cmap 10 ipsec-isakmp
 set peer <peer ip public>
 set security-association lifetime seconds 86400
 set transform-set TS
 match address VPNTRAFFIC
!
!
interface Dialer1
 crypto map VPN-DYNAMIC
!

##Spoke

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address <peer public ip>
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map cmap 10 ipsec-isakmp
 set peer <peer public ip>
 set security-association lifetime seconds 86400
 set transform-set TS
 match address VPNTRAFFIC

Thanks so much!

1 Reply

Hi,

Here is a guide to implementing a dynamic crypto map; check out the crypto dynamic-map section, which is configured differently from yours. Alternatively, you could consider implementing a Dynamic VTI (DVTI) solution such as FlexVPN or DMVPN.


HTH
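
An added example, not part of the original thread or written by either poster: a small check that parses the hub configuration from the question and reports which crypto maps are actually applied to an interface, which matters because IOS accepts only one crypto map per interface. The `audit` function is hypothetical, the configuration is condensed from the post, and 198.51.100.10 is a constructed placeholder for the elided peer address.

```python
import re

# Constructed sample: hub config condensed from the question; peer IP is a placeholder.
HUB_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto dynamic-map hq-vpn 10
 set transform-set TS
crypto map VPN-DYNAMIC 10 ipsec-isakmp dynamic hq-vpn
crypto map cmap 10 ipsec-isakmp
 set peer 198.51.100.10
 match address VPNTRAFFIC
interface Dialer1
 crypto map VPN-DYNAMIC
"""

def audit(config):
    """Return findings about crypto map usage and IKE settings in an IOS config."""
    maps, applied, findings, section = {}, {}, [], ""
    for line in config.splitlines():
        text = line.strip()
        if not text or text == "!":
            continue
        if not line.startswith(" "):          # top-level command opens a new section
            section = text
            m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?$", text)
            if m:
                maps.setdefault(m.group(1), []).append("dynamic" if m.group(3) else "static")
            if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", text):
                findings.append("wildcard pre-shared key accepts any peer address")
        elif section.startswith("interface ") and re.match(r"crypto map \S+$", text):
            applied[text.split()[2]] = section.split()[1]
        elif text in ("encr 3des", "hash md5", "group 2"):
            findings.append("legacy IKE setting: " + text)
    for name, kinds in maps.items():
        if name not in applied:
            findings.append(f"crypto map {name} is defined but not applied to an interface")
        elif "static" not in kinds:
            findings.append(f"crypto map {name} on {applied[name]} has only dynamic entries")
    return findings

if __name__ == "__main__":
    for finding in audit(HUB_CONFIG):
        print(finding)
```

On the posted hub configuration this reports that `cmap`, which holds the static peer entry, is not applied anywhere, while the map on Dialer1 contains only the dynamic entry.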