IPSec VPN with DynDNS host problems after address change

Smailmilak83_2
Level 1

Hi guys,

I have a weird problem on an IOS router.

I need to implement IPSec L2L VPN.

Because of security requirements every site needs its own pre-shared key. The sites have dynamic IPs, and that is why I am using DynDNS.

crypto isakmp key KEY hostname XXXXXXXXXXX.dyndns.org

crypto map CMAP_1 1 ipsec-isakmp
set peer XXXXXXXXX.dyndns.org dynamic

First it works great, but after the IP address change it is not working anymore.

On debug I found out that it resolves the new IP but IPSec is trying to connect to the previous IP.

I tried this on two different IOS versions, 15.0 and 12.4.

This is the debug output:

*Mar  1 01:02:39.735: IPSEC: Peer Link70's addr (70.1.1.3) is stale, triggering DNS
*Mar  1 01:02:39.735: IPSEC: Peer has the (DNS cached) address 70.1.1.3.                 New IP

*Mar  1 01:02:41.731: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.2, remote= 70.1.1.200,   OLD IP
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.254.70.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 240s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 01:02:41.739: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 01:02:41.739: ISAKMP: Created a peer struct for 70.1.1.200, peer port 500
*Mar  1 01:02:41.739: ISAKMP: New peer created peer = 0x673FB268 peer_handle = 0x80000008
*Mar  1 01:02:41.739: ISAKMP: Locking peer struct 0x673FB268, refcount 1 for isakmp_initiator
*Mar  1 01:02:41.743: ISAKMP: local port 500, remote port 500
*Mar  1 01:02:41.743: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 01:02:41.743: insert sa successfully sa = 650AE400
*Mar  1 01:02:41.747: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 01:02:41.747: ISAKMP:(0):No pre-shared key with 70.1.1.200!                     PROBLEM!!! 
*Mar  1 01:02:41.747: ISAKMP:(0): No Cert or pre-shared address key.                   PROBLEM!!!
*Mar  1 01:02:41.747: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  1 01:02:41.751: ISAKMP: Unlocking peer struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
*Mar  1 01:02:41.751: ISAKMP: Deleting peer node by peer_reap for 70.1.1.200: 673FB268
*Mar  1 01:02:41.751: ISAKMP:(0):purging SA., sa=650AE400, delme=650AE400
*Mar  1 01:02:41.755: ISAKMP:(0):purging node -267512777
*Mar  1 01:02:41.755: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  1 01:02:41.755: ISAKMP: Error while processing KMI message 0, error 2.
*Mar  1 01:02:41.759: IPSEC(key_engine): got a queue event with 1 KMI message(s)....
Success rate is 0 percent (0/5)

I built a lab to find a solution for this.

On the other side is a Linksys VPN router; I tried with an IOS router on both sides too, but got the same results.

I tried with DPD, ISAKMP profiles... no help.
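The symptom in the debug output above is easy to miss in a long capture: the DNS lookup returns one address, but the SA request and the pre-shared-key lookup that follow go to a different one. As an added example (not part of the original post), here is a small Python check that runs over those debug lines and flags the mismatch. The regular expressions are written against the IOS message formats quoted in the post; the second, "healthy" sample is constructed to show the no-mismatch case.

```python
import re

# Constructed sample: the relevant lines of the IOS debug output quoted in
# the post, trimmed to the fields the check needs (addresses as posted).
SAMPLE_DEBUG = """\
*Mar  1 01:02:39.735: IPSEC: Peer Link70's addr (70.1.1.3) is stale, triggering DNS
*Mar  1 01:02:39.735: IPSEC: Peer has the (DNS cached) address 70.1.1.3.
*Mar  1 01:02:41.731: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.2, remote= 70.1.1.200,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
*Mar  1 01:02:41.747: ISAKMP:(0):No pre-shared key with 70.1.1.200!
*Mar  1 01:02:41.747: ISAKMP:(0): No Cert or pre-shared address key.
"""

# Constructed "healthy" sample: the SA request goes to the address DNS returned.
SAMPLE_HEALTHY = """\
*Mar  1 01:05:10.100: IPSEC: Peer Link70's addr (70.1.1.200) is stale, triggering DNS
*Mar  1 01:05:10.100: IPSEC: Peer has the (DNS cached) address 70.1.1.3.
*Mar  1 01:05:12.200: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.2, remote= 70.1.1.3,
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_STALE = re.compile(r"Peer (\S+)'s addr \(" + IPV4 + r"\) is stale")
RE_RESOLVED = re.compile(r"Peer has the \(DNS cached\) address " + IPV4)
RE_SA_REMOTE = re.compile(r"OUTBOUND local= \S+, remote= " + IPV4)
RE_NO_PSK = re.compile(r"No pre-shared key with " + IPV4)


def analyze_debug(text):
    """Collect the peer addresses seen in a debug capture.

    Returns a dict with the peer name, the address IOS called stale, the
    address DNS returned, every address an outbound SA request was sent to,
    and every address for which the pre-shared-key lookup failed.
    """
    result = {"peer": None, "stale": None, "resolved": None,
              "attempted": [], "no_psk": []}
    for line in text.splitlines():
        if m := RE_STALE.search(line):
            result["peer"], result["stale"] = m.group(1), m.group(2)
        elif m := RE_RESOLVED.search(line):
            result["resolved"] = m.group(1)
        elif m := RE_SA_REMOTE.search(line):
            result["attempted"].append(m.group(1))
        elif m := RE_NO_PSK.search(line):
            result["no_psk"].append(m.group(1))
    return result


def stale_peer_mismatch(text):
    """True when DNS produced an address but an SA request went elsewhere."""
    r = analyze_debug(text)
    if r["resolved"] is None:
        return False
    return any(ip != r["resolved"] for ip in r["attempted"])


def summarize(text):
    """One-line verdict a practitioner can paste into a ticket."""
    r = analyze_debug(text)
    if stale_peer_mismatch(text):
        bad = ", ".join(ip for ip in r["attempted"] if ip != r["resolved"])
        return (f"peer {r['peer']}: DNS resolved {r['resolved']} but SA request(s) "
                f"went to {bad}; PSK lookup failed for {', '.join(r['no_psk']) or 'n/a'}")
    return f"peer {r['peer']}: SA requests match resolved address {r['resolved']}"


if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))
    print(summarize(SAMPLE_HEALTHY))
```

Run it against a real `debug crypto isakmp` / `debug crypto ipsec` capture piped into a file; if `stale_peer_mismatch` is true for a peer, the router re-resolved the hostname but kept initiating to the old address, which is exactly the state the rest of this thread is about.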

Accepted Solution

lginod
Level 1

Hi Smailmilak83,

Configuring a static crypto map with a specific peer creates an SA for the peer. Now the DNS lookup will happen only the first time it tries to connect, after which it's just going to be the rekey. So it would ideally use the peer value in the SA and not the config, nor does it do a DNS lookup. So it's wise to use a dynamic crypto map.

Please try using a dynamic crypto map instead of a static one. Although there are certain limitations, such as crypto being initiated only from the other end, we can work around it by keeping the tunnel live.

Hope that helps.

Sent from Cisco Technical Support iPhone App

--Please rate the solutions.


Hi,

I managed to solve this one.

Adding the default command under the crypto map helped me.

set peer HOSTNAME dynamic default

Your idea is great too. I have not tried it but I am sure that it would work.

Do you know how to get less downtime when the remote peer gets a new IP? Which timer should I tune?

IPSec SA lifetime, idle-timer...?

Right now I am using an IPSec SA lifetime of 240 seconds. There will be maybe 200 locations. I hope that this is not too much for an 1841 router.