How to automatically dial VPN on Cisco 881 behind ISP modem

pandacloning123
Level 1

Hi everyone, I want to make a VPN from my branch running a Cisco 881.

My Cisco 881 works behind an ISP modem (IP of 192.168.1.0/24) and I use port F4 of my Cisco as WAN to it.

It seems to be working softly, but if there is some effect from the modem (the ISP changes the WAN IP or reboots my modem, for example), my VPN goes down. I must switch the power of the Cisco down and up to bring the VPN tunnel up again.

Hope someone will help me figure out this issue.

Thanks in advance.

Here is my configuration:

ip dhcp pool LAN
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 8.8.8.8
lease 20
!
!
!
!
multilink bundle-name authenticated
license udi pid C881GWE-K9 sn FGL1714203C
!
!
username abc privilege 15 secret 4 nGukUrmPH7Mg6h9zWpF/hvFM/MVz/FotjlAvK1ijO4.
!
!
!
!
!
controller Cellular 0
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp peer address 1.1.1.10
set aggressive-mode password dl-test-01-123-123456
set aggressive-mode client-endpoint fqdn dl-test-01
!
!
crypto ipsec transform-set TRANS esp-des esp-md5-hmac
mode tunnel
!
!
!
!
crypto map VPN-To-COM 1 ipsec-isakmp
set peer 1.1.1.10
set transform-set TRANS
match address VPN-To-COM
!
!
!
!
!
interface Cellular0
no ip address
encapsulation slip
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
description LAN
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN-To-COM
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
shutdown
!
interface Vlan1
no ip address
!
interface Vlan2
description LAN
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no autostate


!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list Nat-to-Internet interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended Nat-to-Internet
deny ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-To-COM
permit ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.255.255
!
ip sla auto discovery
ip sla 1
icmp-echo 172.16.3.3 source-interface Vlan2
threshold 1000
timeout 1000
frequency 2
ip sla schedule 1 life forever start-time now
!
control-plane
!
!
!
line con 0
exec-timeout 20 0
privilege level 15
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
no exec
line vty 0 4
exec-timeout 20 0


rvarelac
Level 7

Hi

Are you using a dynamic-to-static setup? If not, you should consider changing the configuration.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14131-ios-804.html

Also, I would use the IP SLA feature to constantly send interesting traffic across the tunnel and not only monitor the VPN peer.

Hope it helps

-Randy-
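
An IP SLA probe only keeps the tunnel negotiated if its source and destination match a permit entry in the crypto ACL. The script below is an added example, not part of the original thread or any Cisco tooling: it checks that for the relevant lines of the configuration posted above. The function names are hypothetical, the sample uses standard IOS indentation, and only contiguous wildcards in `permit ip <net> <wildcard> <net> <wildcard>` entries are handled.

```python
import ipaddress
import re

# Constructed sample: relevant lines of the posted config ("permit ip ip" typo fixed).
CONFIG = """\
interface Vlan2
 ip address 172.16.1.1 255.255.255.0
ip access-list extended VPN-To-COM
 permit ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.255.255
ip sla 1
 icmp-echo 172.16.3.3 source-interface Vlan2
"""

def wildcard_net(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network (contiguous wildcards only)."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def interface_ips(config):
    """Map each interface name to its configured IPv4 address."""
    ips, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) \S+", line)) and current:
            ips[current] = ipaddress.ip_address(m.group(1))
        elif not line.startswith(" "):
            current = None  # a new top-level section ends the interface block
    return ips

def acl_permits(config, name):
    """Return (source_net, dest_net) for each 'permit ip' entry of the named ACL."""
    entries, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == f"ip access-list extended {name}"
        elif inside and (m := re.match(r"\s+permit ip (\S+) (\S+) (\S+) (\S+)$", line)):
            entries.append((wildcard_net(m[1], m[2]), wildcard_net(m[3], m[4])))
    return entries

def probe_is_interesting(config, acl_name):
    """True if the icmp-echo probe's source and target match the crypto ACL."""
    m = re.search(r"icmp-echo (\S+) source-interface (\S+)", config)
    dst = ipaddress.ip_address(m.group(1))
    src = interface_ips(config)[m.group(2)]
    return any(src in s and dst in d for s, d in acl_permits(config, acl_name))

if __name__ == "__main__":
    print("probe matches crypto ACL:", probe_is_interesting(CONFIG, "VPN-To-COM"))
```

A probe sourced from the outside interface or aimed at an address outside the ACL's destination range returns False, meaning it would not trigger or refresh the IPsec security association.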
