Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1120
Views
0
Helpful
4
Replies

Site-to-Site VPN 1800 to ASA (8.4) both peers DHCP

Go to solution
stuart.geoghegan
Level 1
Level 1

‎08-06-2012 09:21 AM

Hi All,

I am trying to set up a site-to-site VPN between an 1841 Router and an ASA5510 running 8.4. Both ends negotiate their outside interface IP addresses via DHCP and are connected to ADSL lines.

I have setup the 1841 to an ASA with a fixed IP address using Aggresive mode and that works fine, however when i try to replicate the config on the ASA with the negotiated IP address it is as if there is no interesting traffic for the encryption domain and it fails at Phase 1.

I have re-used the same crypto maps, dynamic maps, transform sets, ACL format and static NAT exception as on the working fixed outside addressed ASA, but i cannot seem to get the tunnel to initiate from either side.

From the ASA end debugging i see

(crypto_map_check)-1: Error: No crypto map matched.

from the 1841 end i see

Aug  6 15:57:39.268: ISAKMP:(0:104:SW:1): retransmitting phase 1 AG_INIT_EXCH...

Aug  6 15:57:39.268: ISAKMP (0:134217832): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Aug  6 15:57:39.268: ISAKMP:(0:104:SW:1): retransmitting phase 1 AG_INIT_EXCH

Aug  6 15:57:39.268: ISAKMP:(0:104:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (I) AG_INIT_EXCH

Is this even possible to setup with both ends having negotiated addresses? I have seen a few posts that seem to suggest not.

Please see attached for configurations,

many thanks

Stuart

Labels:
132838-configs for netpro.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-07-2012 12:54 AM

No, you've guessed it correctly.

You can't have both end having dynamic ip address to be setup with VPN tunnel because if both ends do not know what the IP Address is, it won't be able to establish the VPN tunnel.

You can only have 1 end dynamic, and the other end static IP Address.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-07-2012 12:54 AM

No, you've guessed it correctly.

You can't have both end having dynamic ip address to be setup with VPN tunnel because if both ends do not know what the IP Address is, it won't be able to establish the VPN tunnel.

You can only have 1 end dynamic, and the other end static IP Address.

0 Helpful

Go to solution
stuart.geoghegan
Level 1
Level 1
In response to Jennifer Halim

‎08-07-2012 01:02 AM

Hi Jennifer,

Thank you for clarifying this,

regards,

Stuart

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to stuart.geoghegan

‎08-07-2012 01:13 AM

Cheers, pls kindly mark the post answered so others can learn from your question. Thank you.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎08-07-2012 01:14 AM

There could be a solution for that. But it's really dirty and probably not worth it to try:

  • The ASA has to be registered in a service like DynDNS. That hast to be done by an inside host as the ASA can't do that.
  • On the ASA you need a dynamic crypto map to accept connections from any peers.

  • The IOS-router can be configured to use an FQDN as the peer-address that gets resolved at the time of the connection-attempt.

  • The connection has to be authenticated with digital certificates so that the peer-ID can be matched without knowing the peer-IP.

So, better get a static IP for your box.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents