04-21-2015 01:40 PM - edited 02-21-2020 08:11 PM
Hello,
I would like to create a site-to-site VPN with an FQDN crypto on the branch side.
The reason is that in our headquarters the WAN IP will soon change, and I would like the branch router to reconnect as soon as they get the new IP.
How could I do that?
Here is my config:
ip domain lookup source-interface Dialer0
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key MyKey address 22.22.22.22
crypto ipsec transform-set MySET esp-3des esp-md5-hmac
crypto map BranchMap 10 ipsec-isakmp
 description HDG
 set peer 22.22.22.22
 set transform-set MySET
 match address 110
int Dialer 0
 ip access-group 101 in
 crypto map BranchMap
access-list 101 remark INT DIALER0 INCOMING
access-list 101 permit udp host 62.2.24.162 eq domain host 11.11.11.11
access-list 101 permit udp host 62.2.17.60 eq domain host 11.11.11.11
access-list 101 permit udp host 22.22.22.22 host 11.11.11.11 eq non500-isakmp
access-list 101 permit udp host 22.22.22.22 host 11.11.11.11 eq isakmp
access-list 101 permit esp host 22.22.22.22 host 11.11.11.11
access-list 101 permit ahp host 22.22.22.22 host 11.11.11.11
access-list 101 permit tcp any any established
access-list 101 permit udp host 129.132.2.21 eq ntp host 11.11.11.11 eq ntp
access-list 101 permit udp host 130.60.75.52 eq ntp host 11.11.11.11 eq ntp
access-list 101 permit udp host 8.8.8.8 eq domain host 11.11.11.11
access-list 101 remark INT DIALER0 INCOMING
11.11.11.11 => Local Branch WAN IP
22.22.22.22 => Remote Headquarters WAN IP
Thanks
04-22-2015 11:21 AM
If your HQ has a dynamic IP (rare) then you'd need to do 3 things:
1. Set up a dynamic DNS hostname for your HQ VPN peer (dyndns.org, etc.)
2. Make your crypto map peer dynamic by using "set peer hqddns.company.com dynamic"
3. Make your isakmp key for the peer a wildcard ("crypto isakmp key addr 0.0.0.0")
If you're saying this is a one-time planned IP change at the HQ side, then perhaps:
1. Add in the new IP to your "access-list 101" ACL (consider using a named instead of numbered ACL for ease of readability)
2. Add another crypto isakmp key with the new IP
3. Add new IP as secondary peer:
crypto map BranchMap 10 ipsec-isakmp
 set peer 22.22.22.22 default
 set peer 3.3.3.3
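
The dynamic-DNS option from the answer above, applied to the branch configuration in the question, as an added example that is not from either poster. `hqddns.company.com` is the answer's placeholder hostname and the `ip name-server` line is an assumption (the question shows no resolver); all other names and addresses come from the question.

```cisco
! Added example, not from the thread. Assumes 8.8.8.8 is the resolver
! (ACL 101 in the question already permits DNS replies from it).
ip name-server 8.8.8.8
!
! Replace the address-pinned key with a wildcard key.
! Trade-off: the router no longer ties the key to one source address,
! so the pre-shared key alone authenticates HQ. Use a long random key.
no crypto isakmp key MyKey address 22.22.22.22
crypto isakmp key MyKey address 0.0.0.0 0.0.0.0
!
! Resolve the HQ peer by name when the tunnel is brought up.
crypto map BranchMap 10 ipsec-isakmp
 no set peer 22.22.22.22
 set peer hqddns.company.com dynamic
!
! ACL 101 only admits IKE, NAT-T and ESP from 22.22.22.22, so replies
! from a new HQ address would be dropped on Dialer0 even though the
! crypto map resolves the right peer. With an address that is not known
! in advance, the source has to be "any".
! Trade-off: UDP 500/4500 on the branch is now reachable from the Internet.
ip access-list extended 101
 permit udp any host 11.11.11.11 eq isakmp
 permit udp any host 11.11.11.11 eq non500-isakmp
 permit esp any host 11.11.11.11
 ! Drop the stale permits for the old HQ address.
 no permit udp host 22.22.22.22 host 11.11.11.11 eq isakmp
 no permit udp host 22.22.22.22 host 11.11.11.11 eq non500-isakmp
 no permit esp host 22.22.22.22 host 11.11.11.11
 no permit ahp host 22.22.22.22 host 11.11.11.11
```

For the one-time planned change, the second option in the answer keeps both the key and the ACL entries pinned to specific HQ addresses, which avoids both trade-offs noted in the comments.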