Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
788
Views
0
Helpful
1
Replies

Router 886VA Site to site ipsec vpn fqdn

Go to solution
Naegeli Adrian
Level 1
Level 1

‎04-21-2015 01:40 PM - edited ‎02-21-2020 08:11 PM

Hello,

 

I would like to create a site to site vpn with a fqdn crypto on the branch side.

 

The reason is the in our headquarter the wan IP will soonly change, and i would the branch router to reconnect as soon as they get the new ip.

 

How could a do that?

Here my Config:

ip domain lookup source-interface Dialer0

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 14400
crypto isakmp key MyKey address 22.22.22.22

crypto ipsec transform-set MySET esp-3des esp-md5-hmac



crypto map BranchMap 10 ipsec-isakmp
description HDG
set peer 22.22.22.22
set transform-set MySET
match address 110



int Dialer 0
  ip access-group 101 in  cryptop map BranchMap

access-list 101 remark INT DIALER0 INCOMING
access-list 101 permit udp host 62.2.24.162 eq domain host 11.11.11.11
access-list 101 permit udp host 62.2.17.60 eq domain host 11.11.11.11
access-list 101 permit udp host 22.22.22.22 host 11.11.11.11 eq non500-isakmp
access-list 101 permit udp host 22.22.22.22 host 11.11.11.11 eq isakmp
access-list 101 permit esp host 22.22.22.22 host 11.11.11.11
access-list 101 permit ahp host 22.22.22.22 host 11.11.11.11
access-list 101 permit tcp any any established
access-list 101 permit udp host 129.132.2.21 eq ntp host 11.11.11.11 eq ntp
access-list 101 permit udp host 130.60.75.52 eq ntp host 11.11.11.11 eq ntp
access-list 101 permit udp host 8.8.8.8 eq domain host 11.11.11.11
access-list 101 remark INT DIALER0 INCOMING

 

11.11.11.11 = > Local Branch WAN IP

22.22.22.22 => Remote Headquarter WAN IP

 

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thiland
Level 3
Level 3

‎04-22-2015 11:21 AM

If your HQ has a dynamic IP (rare) then you'd need to do 3 things:

1.  Setup a dynamic DNS hostname for your HQ VPN peer (dyndns.org, etc.)

2.  Make your crypto map peer dynamic by using "set peer hqddns.company.com dynamic"

3.  Make your isakmp key for the peer a wildcard ("crypto isakmp key addr 0.0.0.0")

 

If you're saying this is a one-time planned IP change at the HQ side, then perhaps:

1.  Add in the new IP to your "access-list 101" ACL (consider using a named instead of numbered ACL for ease of readability)

2.  Add another crypto isakmp key with the new IP

3.  Add new IP as secondary peer:

crypto map BranchMap 10 ipsec-isakmp
 set peer 22.22.22.22 default
 set peer 3.3.3.3

View solution in original post

0 Helpful
1 Reply 1

Go to solution
thiland
Level 3
Level 3

‎04-22-2015 11:21 AM

If your HQ has a dynamic IP (rare) then you'd need to do 3 things:

1.  Setup a dynamic DNS hostname for your HQ VPN peer (dyndns.org, etc.)

2.  Make your crypto map peer dynamic by using "set peer hqddns.company.com dynamic"

3.  Make your isakmp key for the peer a wildcard ("crypto isakmp key addr 0.0.0.0")

 

If you're saying this is a one-time planned IP change at the HQ side, then perhaps:

1.  Add in the new IP to your "access-list 101" ACL (consider using a named instead of numbered ACL for ease of readability)

2.  Add another crypto isakmp key with the new IP

3.  Add new IP as secondary peer:

crypto map BranchMap 10 ipsec-isakmp
 set peer 22.22.22.22 default
 set peer 3.3.3.3

0 Helpful
Customers Also Viewed These Support Documents