12-29-2011 03:35 PM - edited 02-21-2020 05:47 PM
Hello everyone, can you configure a Cisco 1905 router with a site-to-site IPsec VPN in aggressive mode? If so, could someone point me to a link on how to do it? The VPN works well, but on site A I had to configure a crypto map associating the IP address of site B (which is dynamic), so if the connection on site B breaks, I will have to configure another crypto map.
The scenario is:
Site A - ASA 5510 configured as a VPN concentrator and firewall for enterprise.
Site B - Cisco 1905 connected to the Internet through ADSL with a dynamic IP address and initiating the connection to Site A; below is the configuration:
! Phase 1 (ISAKMP) policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Pre-shared key bound to the fixed address of site A
crypto isakmp key xxxxxxxxxxxx address W.X.Y.Z
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
! Static crypto map: site A is the only peer, interesting traffic is ACL 100
crypto map VPN_2_SITE_A 10 ipsec-isakmp
 set peer W.X.Y.Z
 set transform-set ESP-3DES
 match address 100
!
interface GigabitEthernet0/0
 description LINK_MODEM_ADSL
 ip address dhcp
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
 description LAN SITE_B
 ip address 172.16.20.252 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
!
! PPPoE dialer: negotiated (dynamic) public address; the crypto map is applied here
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname siteb@enterprise.com
 ppp chap password 7 [omitted]
 ppp pap sent-username siteb@enterprise.com password 7 [omitted]
 crypto map VPN_2_SITE_A
!
! PAT everything except the VPN traffic (route-map SDM_RMAP_1 excludes the site A subnet)
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.0.0 255.255.255.0 Z.Y.X.W
!
! ACL 100: traffic to encrypt; ACL 111: traffic to translate (VPN traffic denied from NAT)
access-list 100 permit ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 111 deny ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
 match ip address 111
Best regards, and I would appreciate any help :-)
Marlon V. Resende
12-29-2011 08:56 PM
Marlon
I do not believe that aggressive mode will solve your issue. Site to site VPN where one peer uses dynamic address is a situation that occurs with some frequency. The usual solution is to configure the peer using fixed address with a dynamic entry in the crypto map. This allows the VPN to be initiated from the dynamic peer and does not require the fixed address peer to specify the peer address of the dynamic peer.
HTH
Rick
Sent from Cisco Technical Support iPad App
01-24-2012 03:22 AM
Hello, I configured the dynamic crypto map, but the peer can't find a valid tunnel-group and then the negotiation is aborted.
I already have the configuration below applied in concentrator:
tunnel-group VPN_2_SITE_A type ipsec-l2l
tunnel-group VPN_2_SITE_A ipsec-attributes
pre-shared-key *
How can I configure the peer using a fixed address? Would it be with the command below?
crypto map OUTSIDE_MAP 5 set peer W.X.Y.Z
If not, which are the commands?
Thanks
Marlon
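The fixed-address side that Rick describes, together with the tunnel-group that the follow-up post is missing, as an added example for the ASA 5510 at site A (this is not configuration from any post in the thread). It assumes ASA 8.2-style syntax, reuses the crypto map name OUTSIDE_MAP from the post above and the 172.16.0.0/24 and 172.16.20.0/24 subnets from the 1905 configuration; the transform-set name ESP-3DES-MD5, the dynamic map name DYN_SITE_B, the ACL names and the interface name outside are assumptions.

```cisco
! Added example: ASA 5510 (site A) accepting an IPsec L2L tunnel from a peer whose
! address is dynamic. ASA 8.2-style syntax assumed; on 8.4+ the transform-set
! commands become "crypto ipsec ikev1 transform-set" / "set ikev1 transform-set".
!
! Phase 1 policy matching the 1905 (3des / md5 / pre-share / group 2)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
! Phase 2 transform set matching the 1905's ESP-3DES
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
! Interesting traffic: the mirror image of ACL 100 on the 1905
access-list SITE_B_CRYPTO extended permit ip 172.16.0.0 255.255.255.0 172.16.20.0 255.255.255.0
!
! Dynamic crypto map: there is no "set peer" because site B's address is not known
! in advance. "match address" restricts this entry to the site B subnet, so a peer
! that knows the key still cannot negotiate proxy identities for other networks.
crypto dynamic-map DYN_SITE_B 10 match address SITE_B_CRYPTO
crypto dynamic-map DYN_SITE_B 10 set transform-set ESP-3DES-MD5
!
! The dynamic entry is attached to the static map with the highest sequence number,
! so entries for peers with known addresses are evaluated first.
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_SITE_B
crypto map OUTSIDE_MAP interface outside
!
! With main mode and a pre-shared key the ASA identifies an L2L peer by its IP
! address, so a tunnel-group named VPN_2_SITE_A is never matched (the "no valid
! tunnel-group" error in the follow-up post). A dynamic peer falls back to the
! built-in DefaultL2LGroup, which is where its key has to live.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key [omitted - must equal the "crypto isakmp key" on the 1905]
!
! NAT exemption so traffic between the two LANs is not translated (8.2 syntax;
! 8.3+ uses a twice-NAT "nat (inside,outside) source static ..." statement instead)
access-list NO_NAT extended permit ip 172.16.0.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
```

Nothing changes on the 1905: it keeps its static crypto map and `crypto isakmp key ... address W.X.Y.Z`, because the initiator does know the responder's address, and only the initiator can bring the tunnel up. Leaving out "match address" on the dynamic map would make the ASA accept whatever proxy identities the peer proposes, so the ACL is the part worth keeping even though the tunnel works without it.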
11-18-2013 05:02 AM
Hi, we are having an issue related to IPsec. Could you tell me which IOS version you are using for the Cisco 1905?
Basically we need to configure an IPsec site-to-site VPN on a Cisco 1905, hence the IOS name or URL would be great.
11-18-2013 06:14 AM
I would think that any of the versions of code supported on the 1905 would support IPSec VPN. Since the 1900 routers run the Universal image it is less important what version of code and more important to be sure that you have the Security license applied on the router for it to support IPSec tunnels.
HTH
Rick
11-18-2013 01:27 PM
Hello,
Please share Isakmp debug logs.
Thanks,
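The checks on the 1905 for the two points raised above, the Security license and the ISAKMP debug output, as an added example of the commands to run (this is not output or configuration from the thread). The commands are standard IOS on an ISR G2 running the Universal image; the peer address W.X.Y.Z and the subnets come from the configuration in the first post.

```cisco
! Added example: verifying the site B 1905 (IOS 15.x ISR G2 Universal image assumed)
!
! 1. Security license: the securityk9 feature must be active, otherwise the crypto
!    commands are either missing or silently do nothing
show license feature
show license | include securityk9|License State
!
! 2. Phase 1: a QM_IDLE entry for W.X.Y.Z means ISAKMP completed and the tunnel is up
show crypto isakmp sa
!
! 3. Phase 2: #pkts encaps and #pkts decaps must both increase while traffic flows;
!    encaps rising with decaps at zero points at the ASA side (NAT exemption, ACL)
show crypto ipsec sa peer W.X.Y.Z
!
! 4. Interesting traffic: hit counts on ACL 100 confirm the crypto map is matching
show access-list 100
!
! 5. Negotiation trace when it fails (the logs requested above); disable when done
debug crypto isakmp
debug crypto ipsec
! ... reproduce by sending traffic from 172.16.20.0/24 to 172.16.0.0/24 ...
undebug all
```

When posting the debug output, the lines to look for are the ones that state which tunnel-group or policy the peer failed to match; the rest of the exchange can be trimmed, and the pre-shared key never appears in it.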