02-01-2016 02:59 AM - edited 02-21-2020 08:39 PM
Hi there,
I have several sites that are connected to a central VPN hub in a route-based configuration.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ****** address XXX.XXX.XXX.XXX
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROF-VERWALTUNG
 set transform-set aes256sha
!
!
interface Tunnel20
 description Tunnel VERWALTUNG
 bandwidth 1000000
 ip unnumbered GigabitEthernet0/0
 ip flow ingress
 ip inspect MYFW in
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination XXX.XXX.XXX.XXX
 tunnel protection ipsec profile PROF-VERWALTUNG
At some sites I have to transmit the local networks of the SA to the central VPN hub to negotiate which networks are available at the specific spoke site, due to a dynamic IPv4 address of the local internet connection.
Policy-based IPsec solves this issue by defining the local subnets within the crypto map ... but I don't have a crypto map in my configuration.
Any hints on how to solve this?
Best regards
Andreas
02-01-2016 03:50 AM
When using the "tunnel protection ipsec profile method" you don't define an encryption domain. In this case it is automatically based on the source and destination of the two tunnel end points. You then either run a dynamic routing protocol over the tunnels, or even just use static routes.
However, as you have discovered, there is a complication when one tunnel end point is dynamic.
The solution - DMVPN. You nominate one (or more if you are keen) head ends. They must have static IP addresses. All other sites then connect into them, so it does not matter if they have static or dynamic public IP addresses.
Check out this Cisco design guide. Skip to page 32 if you just want to get to the configuring bit.
02-01-2016 06:52 AM
Thanks for the reply.
I can't use DMVPN because I don't have Ciscos at the hub site.
Best regards
Andreas
02-01-2016 11:27 AM
Then you need to change the entire VPN technology to using a crypto-map.
Knowing there is not a Cisco at the hub site, and that you have to cope with dynamic hub addresses, I don't feel very confident in being able to help you. This is a far more complex solution.
If you get a Cisco device at the hub, let me know, as it will be easy and reliable then.
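As an added illustration of the crypto-map alternative discussed in this thread (not configuration posted by either participant), the following spoke-side IOS snippet replaces the Tunnel20/`tunnel protection` approach with a policy-based crypto map. The ACL is what carries the spoke's local subnet to the peer as the IPsec proxy identity, which is the piece the route-based setup above never sends. The subnet 192.168.20.0/24 and the hub-side network 10.0.0.0/8 are assumed placeholder values; the transform set, ISAKMP policy and pre-shared key are reused from the original post.

```cisco
! Assumed spoke LAN and hub networks (placeholders, not from the thread)
ip access-list extended ACL-VPN-VERWALTUNG
 permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! Static crypto map on the spoke: the spoke always initiates, so it may
! use a normal (non-dynamic) map even though its own WAN address changes.
crypto map CM-VERWALTUNG 10 ipsec-isakmp
 description Policy-based tunnel to VERWALTUNG hub
 set peer XXX.XXX.XXX.XXX
 set transform-set aes256sha
 match address ACL-VPN-VERWALTUNG
!
! Apply the map to the outside interface instead of the Tunnel20 VTI.
interface GigabitEthernet0/0
 crypto map CM-VERWALTUNG
!
! The hub side (non-Cisco) must accept the spoke from any source address
! and learn the encryption domain from the proxy IDs proposed in Phase 2.
```

The security-relevant trade-off: with the VTI, the SA's traffic selectors are any/any, so what crosses the tunnel is governed only by routing and the `ip inspect MYFW in` policy on Tunnel20. With the crypto map, the ACL becomes a hard filter on both ends (only the listed subnet pairs are encrypted or accepted), and the zone-based or CBAC inspection that was bound to the tunnel interface has to be reattached to the physical interface, otherwise decrypted traffic bypasses it.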