10-28-2011 06:55 AM
Hi
I got One HQ and 3 Remote Offices ; all branches would need to access application,Email from HQ.
At HQ I got 3845 VPN Server ; 2MB Internet Link with 2 Public IP
AT Branch #1 I got 2801 Router ; 1MB Internet link with 2 Public IP
At Branch #2 I got 887 DSL Router ; 4MB DSL Internet with Dynamic Public Ip
At Branch #3 I got ASA 5510 ; 1MB DSL Internet with 2 Public IP
Site to Site VPN between HQ and Branch# 1 is working ok. What configuration I need on HQ and Branch #2 to setup the VPN
HQ Subnets
192.168.150.0 255.255.255.0 - Users
192.168.151.0 255.255.255.0 - Application Server
192.168.152.0 255.255.255.0 - Windows Server
192.168.153.0 255.255.255.0 - Linux Server
Branch#1 Subnet
192.168.200.0 255.255.255.0 - Users
Branch#2 subnet
192.168.203.0 255.255.255.0 - Users
Branch#3 Subnets
192.168.206.0 255.255.255.0 - Users
HQ_VPN_Configuration
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key 123456 address 5.5.5.5
crypto ipsec transform-set VPN_Con_BR1 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
set peer 5.5.5.5
set transform-set VPN_Con_BR1
match address BR1
Interface tunnel 15
description GRE_Tunel_to_BR1
ip address 10.100.200.1 255.255.255.252
Tunnel source 10.10.12.2
Tunnel destination 172.16.32.2
Interface GigabitEthernet0/0
Description "Connected to BackBone"
ip address 10.10.12.2 255.255.255.248
Interface GigabitEthernet0/1
Description "Public IP Interface"
ip address 1.1.1.1 255.255.255.252
no ip redirect
crypto map VPN
Router ospf 2
network 10.10.12.2 0.0.0.0 area 0
network 10.100.200.1 0.0.0.0 area 0
ip router 0.0.0.0 0.0.0.0 1.1.1.1
ip access-list extended BR1
permit gre host 1.1.1.1 host 5.5.5.5
10-28-2011 08:12 AM
What I would suggest is a bit of redesign.
Use DMVPN for IOS routers (or DVTI-SVTI) and a dynamic L2L for ASA.
10-28-2011 08:19 AM
thanks for your suggestion. For now we need to continue with site to site vpn.
10-28-2011 08:35 AM
Looking for support on configuring HQ Router for VPN with Dynamic IP on remote end
I managed to built up Branch#2 configuration
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 123456 address 1.1.1.1
crypto isakmp keepalive 300
crypto ipsec transform-set VPN esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN
match address 115
interface Ethernet0
ip address 192.168.203 255.255.255.0
ip nat inside
interface ATM0
bandwidth 4160
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/50
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer0
bandwidth 4160
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username ABCD password 7 ABCD
ppp ipcp address accept
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer0 overload
access-list 100 deny ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 100 deny ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 100 deny ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
access-list 115 Permit ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 115 Permit ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 115 Permit ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
dialer-list 1 protocol ip permit
10-28-2011 09:19 AM
What is the exactly problem you're facing?
Terminating dynamic peers on (dynamic) crypto map has been done numerous times.
Starting from the most basic:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
or here:
https://supportforums.cisco.com/docs/DOC-4132
and here:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00807be6bc.shtml
10-28-2011 09:37 AM
Hi
At HQ VPN Router do I have to create seperate ISAKMP Policy for establishing VPN with DYNAMIC IP. What about encryption support for VPN on 887.What about group No, does it needs to be same on both ends. My concern is only HQ Router configuration for Dynamic VPN Peer. Was searching for a cisco link to look for VPN Router Sample config having L2L static and Dynamic Peer on the same Router.
10-28-2011 10:39 AM
on HQ side all you need is more crypto map entries (or in your case one enrty for all dynamic L2L).
You can share same ISAMP policies everywhere (note that ASA is using DH group 2 by default).
On every peer expert for HQ you have to build static L2L configuration, only difference is on HQ side where you have a few configuration examples I pasted before.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide