08-09-2010 10:29 PM - edited 02-21-2020 04:47 PM
Hi,
I have been trying out IPsec VPN with dynamic-to-dynamic IP (router to router) for quite some time, but still cannot auto-establish the tunnel.
Can someone please tell me if it is possible to do it?
If yes, please share with me the secret to make it work.
Thank you!
Best Regards
Solved! Go to Solution.
08-13-2010 06:29 AM
Rather than a crypto map, I would use a crypto profile. Then you establish an IPsec tunnel. The beauty of a profile is that you can run routing protocols through it and you don't have to constantly change the maps every time you change network topology. The "* * * * *" in the event timer is "minute hour day month weekday", so "* * * * *" is "update it every minute". In tunnel destination, it is an IP address, not a HOSTNAME, that gets stored, but when you configure it you can put in a HOSTNAME and it will convert it to an IP at the time you are configuring it.
So if you type:
config t
interface tunnel100
tunnel destination remote.dyndns.com
exit
show run int tunnel100
It shows:
interface Tunnel100
tunnel destination 75.67.43.79
That is why the event manager goes and changes the tunnel destination every minute to what ever the DDNS says the new IP is.
I didn't see that both of your routers were running DDNS. They will need to for this to work.
Local Router:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
set transform-set ESP-AES-SHA
!
interface Tunnel100
description to remote.dyndns.org
ip address 10.254.220.10 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1400
tunnel source Dialer0
tunnel destination 75.67.43.79
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTOPROFILE
ip route 192.168.2.0 255.255.255.0 10.254.220.9
event manager applet change-tunnel-dest
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel100"
action 1.3 cli command "tunnel destination remote.dyndns.org"
!
--------
Remote Router:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CRYPTOPROFILE
set transform-set ESP-AES-SHA
!
interface Tunnel100
description to local.dyndns.org
ip address 10.254.220.9 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1400
tunnel source Dialer0
tunnel destination 93.219.58.191
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTOPROFILE
ip route 192.168.1.0 255.255.255.0 10.254.220.10
event manager applet change-tunnel-dest
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel100"
action 1.3 cli command "tunnel destination local.dyndns.org"
Thanks,
Bert
08-10-2010 02:11 AM
That will not be possible because the guy who initiates the tunnel at least needs to know with whom he is trying to establish the tunnel.
08-10-2010 06:43 AM
Hi,
But I am using DDNS, so the local router can initiate the tunnel based on that address. I assume DDNS will resolve the problem you mentioned.
So what other factors will cause the failure?
08-10-2010 08:15 AM
Hi,
You will not be able to use DDNS in a Lan to Lan setup. That will work in the remote vpn setup.
Regards,
Nitin Agarwal.
08-11-2010 08:01 PM
Hi,
We are not using DDNS in the LAN. We have local & remote sites. Please advise.
Thank you
08-12-2010 08:46 AM
This should work:
event manager applet change-tunnel-dest
event timer cron name "CHRON" cron-entry "* * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface tunnel199"
action 1.3 cli command "tunnel destination remotevpn.gotdns.com"
!
Have both routers running DDNS then every minute it will change the tunnel destination to what ever the DDNS is for the remote site.
Bert
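The applet in Bert's replies above rewrites `tunnel destination` every minute whether or not the DDNS answer has changed, and because IOS stores the resolved IP rather than the hostname, that rewrite is the only thing that follows the peer when its address moves. Note also that with a wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`) any host holding the key can complete IKE, so what the DDNS name resolves to is the only thing pinning the tunnel to the intended peer, and it is worth validating that answer before applying it. The following is an added example, not code from the thread or from Cisco: a Python model of the per-minute job that emulates the EEM logic offline. It parses the stored `tunnel destination` out of `show run` output, resolves the peer's DDNS name through a stub resolver (constructed here; `socket.gethostbyname` would replace it on a real host), refuses to act on a failed lookup or on a non-global address, and only emits the CLI sequence when the address has really changed. The sample `show run` text, the `FAKE_DNS` table, and all function names are assumptions made for this example.

```python
"""Model of the DDNS-tracking tunnel-destination job (added example, not from the thread)."""
import ipaddress
import re
from typing import Callable, List, Optional

# Constructed sample of `show run int tunnel100` output; not captured from a real router.
SAMPLE_SHOW_RUN = """\
Building configuration...

Current configuration : 312 bytes
!
interface Tunnel100
 description to remote.dyndns.org
 ip address 10.254.220.10 255.255.255.252
 tunnel source Dialer0
 tunnel destination 75.67.43.79
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CRYPTOPROFILE
end
"""

# Stand-in for DNS so the example runs offline (assumed data).
# On a real host, replace fake_resolve with socket.gethostbyname.
FAKE_DNS = {"remote.dyndns.org": "75.67.43.79"}


def fake_resolve(hostname: str) -> Optional[str]:
    """Return the constructed DDNS answer, or None to simulate a failed lookup."""
    return FAKE_DNS.get(hostname)


# IOS stores the resolved address on this line even when a hostname was typed.
TUNNEL_DEST_RE = re.compile(r"^\s*tunnel destination\s+(\S+)\s*$", re.MULTILINE)


def current_tunnel_destination(show_run_output: str) -> Optional[str]:
    """Extract the address currently stored under `tunnel destination`, if any."""
    m = TUNNEL_DEST_RE.search(show_run_output)
    return m.group(1) if m else None


def valid_public_ipv4(addr: Optional[str]) -> bool:
    """Accept only a syntactically valid, globally routable IPv4 address.

    A DDNS name that suddenly resolves to a private, loopback or reserved
    address should never be pushed into the tunnel configuration.
    """
    if addr is None:
        return False
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return ip.is_global


def update_commands(ifname: str, hostname: str) -> List[str]:
    """The CLI sequence the EEM applet issues; IOS re-resolves the hostname on entry."""
    return [
        "enable",
        "configure terminal",
        f"interface {ifname}",
        f"tunnel destination {hostname}",
        "end",
    ]


def reconcile(
    show_run_output: str,
    ifname: str,
    hostname: str,
    resolve: Callable[[str], Optional[str]] = fake_resolve,
) -> Optional[List[str]]:
    """Decide what the per-minute job should do.

    None  -> lookup failed or returned an unusable address; leave config alone.
    []    -> DDNS still matches the stored destination; nothing to push.
    list  -> commands that re-point the tunnel at the new address.
    """
    new_ip = resolve(hostname)
    if not valid_public_ipv4(new_ip):
        return None
    if new_ip == current_tunnel_destination(show_run_output):
        return []
    return update_commands(ifname, hostname)


if __name__ == "__main__":
    print(reconcile(SAMPLE_SHOW_RUN, "tunnel100", "remote.dyndns.org"))
    # Simulate the remote side's dynamic IP changing (constructed value).
    FAKE_DNS["remote.dyndns.org"] = "75.67.43.80"
    print(reconcile(SAMPLE_SHOW_RUN, "tunnel100", "remote.dyndns.org"))
```

Run as a script it prints `[]` for the unchanged case and the five-line CLI sequence once the constructed DDNS answer moves. The difference from the applet in the thread is the comparison step: the config is only touched when the resolved address differs from what IOS already stores, and a lookup failure leaves the last known good destination in place instead of leaving the interface without a peer.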
08-12-2010 07:43 PM
Wow... This event manager is very new to me.
Sorry, I don't quite understand the command. Is the purpose to detect changes in the DDNS address and automatically re-establish the tunnel?
Could you be kind enough to explain the command line by line to me? There are a lot of commands I don't understand or use. (Should I copy the exact command you wrote? And what is ****?)
I have attached my configuration. Can you advise what mistake I have made?
Your help is greatly appreciated! Thank you so much in advance : )
08-15-2010 08:54 PM
Hi,
I am trying to input these commands but have faced some problems. Can you advise on the following:
Local Router configuration:
Interface Tunnel100
description to remote.dyndns.org
ip address 10.254.220.10 255.255.255.252 << Is this the WAN IP or the router IP address? My WAN IP is dynamic
ip virtual-reassembly
ip tcp adjust-mss 1400
tunnel source Dialer0
tunnel destination 75.67.43.79
tunnel mode ipsec ipv4
tunnel protection ipsec profile CRYPTOPROFILE
ip route 192.168.2.0 255.255.255.0 10.254.220.9 <<<< 192.168.2.0 is my remote router's network, so what is 10.254.220.9?
With an IPsec profile, do I still need a match address? If yes, where should I key it in?
Thank you.
08-15-2010 09:01 PM
No it is the IP address of the newly created Tunnel interface. It could be anything. If you don't understand tunnels, time to read up on them.
08-16-2010 08:47 PM
Hi,
Thank you so much for the advice to use VTI. I have done some reading on it and applied the method to my router.
Now the VPN can auto-re-establish with the event manager command (even after a router reset).
Could you please advise me why I cannot ping my router?
Also, when I look at SDM Monitor --> IPsec Tunnel, it displays nothing. I can only see the IKE SA. Why is that?
I have attached my config for your viewing. Thank you
11-18-2010 10:44 AM
Hi Kim Lin
I am facing the same problem too. I have configured the tunnels and they are up, but I can't ping each side from the other. Will you send me your config if it is working?
Regards
Taher
11-25-2010 08:29 AM
Hi Bert
I have followed your config. The tunnels are up, but I can't ping each side from the other. Will you help me please?
Regards
Taher