VTI site to site with one end having a dynamic IP

sylvain.munaut
Level 1

Hi,

I'm using VTI between different sites to interconnect their LANs securely, and it works great when both sites have static IPs. The configuration is very simple:

interface Tunnel0
 ip address 192.168.0.1 255.255.255.0
 tunnel source 80.80.80.1
 tunnel destination 90.90.90.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_profile

Now, what would be the best solution if one of the ends of the tunnel has a dynamic IP?

I've tried to use a mixed static / dynamic VTI like this:

At the static IP site (HQ office):

crypto isakmp profile isakmp_s2s
 virtual-template 1
 match identity address 0.0.0.0 0.0.0.0

interface Loopback0
 ip address 192.168.0.1 255.255.255.0

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_profile

At the dynamic IP site (Branch office):

interface Tunnel0
 ip address 192.168.0.2 255.255.255.0
 tunnel source FastEthernet 1/0
 tunnel destination 90.90.90.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VT_profile

But this doesn't work at all, so I must have misunderstood something.

Cheers,

   Sylvain

3 Replies

rnbutturini
Level 1

There are a couple of ways to approach the problem:

1. Allow DNS resolution by the router and use a dynamic DNS name (i.e. services provided by dyndns.org, no-ip.com, etc.), and use the hostname for the ISAKMP identity.

2. Use EZVPN to connect the client end and make the head end an EZVPN server. This will not work if there is a requirement to run dynamic routing protocols over the tunnel.

Hope this helps get you on the right track.

Sent from Cisco Technical Support iPad App

1) In the example I posted above, I'm not even trying to filter the peer yet and just used a match address 0.0.0.0 and the tunnel doesn't come up. (protocol is down, and I don't see a Virtual-Access 2 interface being up).

2) I need OSPF to run, so that rules this out.

Ok, got it working in the end.

The two issues were:

  • Need to use ip unnumbered with a Loopback to set the tunnel address on the client static VTI config as well
  • Need to use a keyring and not just global key

The final configuration is:

Server:

crypto keyring WPSK
 pre-shared-key address 0.0.0.0 0.0.0.0 key rvH0cnVLUGe8naVY

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

crypto ipsec transform-set TS esp-3des esp-sha-hmac

crypto ipsec profile VTI
 set transform-set TS

crypto isakmp profile DVTI
 keyring WPSK
 match identity address 0.0.0.0
 virtual-template 1

interface Loopback0
 ip address 192.168.0.1 255.255.255.0

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

Client:

crypto keyring WPSK
 pre-shared-key address 0.0.0.0 0.0.0.0 key rvH0cnVLUGe8naVY

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

crypto ipsec transform-set TS esp-3des esp-sha-hmac

crypto ipsec profile VTI
 set transform-set TS

interface Loopback0
 ip address 192.168.0.2 255.255.255.0

interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet1/0
 tunnel destination 172.16.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
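The working configuration above solves the reachability problem, but it also makes the pre-shared key the only thing gating who may bring up a tunnel to the head end: the keyring entry `pre-shared-key address 0.0.0.0 0.0.0.0` accepts any peer address, the ISAKMP profile matches `address 0.0.0.0`, and the policy uses 3DES with DH group 2. The script below is an added example, not code from the thread or from Cisco: it parses the section/sub-command layout of an IOS running-config and reports those settings. The two sample configs inside it are constructed (the first mirrors the server config above with a placeholder key; the second is a hardened variant that uses `pre-shared-key hostname` and `match identity host`, which is the hostname-as-ISAKMP-identity approach rnbutturini suggested, plus AES-256, SHA-256 and DH group 14). The IOS defaults it assumes when a policy omits a line are `encryption des` and `group 1`; the keywords in the hardened sample are assumed to be available on the reader's IOS release.

```python
"""Audit the IKEv1/IPsec sections of a Cisco IOS running-config for the
weak settings a reviewer would flag in a dynamic-peer VTI design.

Added example, not part of the forum thread.  The parser handles the
'section header / indented sub-command' layout of 'show running-config';
both sample configs below are constructed and use placeholder keys."""

import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, offending config line, explanation)

WEAK_ENCR = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
MIN_PSK_LEN = 16

# Constructed: mirrors the thread's server config, key replaced by a placeholder.
THREAD_SERVER_CONFIG = """\
crypto keyring WPSK
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER-KEY-0000

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

crypto ipsec transform-set TS esp-3des esp-sha-hmac

crypto ipsec profile VTI
 set transform-set TS

crypto isakmp profile DVTI
 keyring WPSK
 match identity address 0.0.0.0
 virtual-template 1

interface Loopback0
 ip address 192.168.0.1 255.255.255.0

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""

# Constructed hardened variant: per-peer hostname identity instead of a
# wildcard address, and current algorithms (hostname/FQDN are assumptions).
HARDENED_CONFIG = """\
crypto keyring BRANCH
 pre-shared-key hostname branch1.example.net key PLACEHOLDER-KEY-0000

crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14

crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac

crypto isakmp profile DVTI
 keyring BRANCH
 match identity host branch1.example.net
 virtual-template 1
"""


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (header, [sub-commands]).  A line with no
    leading whitespace opens a new section; indented lines belong to the
    most recent header.  Blank lines and '!' separators are skipped."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def _policy_value(body: List[str], names: Tuple[str, ...], default: str) -> Tuple[str, Optional[str]]:
    """Return (value, line) for the first sub-command whose keyword is in
    names, or (default, None) when the policy relies on the IOS default."""
    for cmd in body:
        parts = cmd.split()
        if len(parts) > 1 and parts[0] in names:
            return parts[1], cmd
    return default, None


def audit_ipsec_config(config: str) -> List[Finding]:
    """Walk the config and collect findings in section order."""
    findings: List[Finding] = []
    for header, body in parse_sections(config):
        if header.startswith("crypto keyring"):
            for cmd in body:
                if re.match(r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ", cmd):
                    findings.append(("high", cmd, "wildcard PSK: any peer holding this key can "
                                     "bring up a tunnel; bind the key to a hostname/FQDN identity"))
                key = re.search(r"\bkey (\S+)$", cmd)
                if key and len(key.group(1)) < MIN_PSK_LEN:
                    findings.append(("medium", cmd, "pre-shared key shorter than %d characters" % MIN_PSK_LEN))
        elif header.startswith("crypto isakmp policy"):
            encr, line = _policy_value(body, ("encr", "encryption"), "des")
            if encr in WEAK_ENCR:
                findings.append(("medium", line or header, "IKE encryption %s (des is the default when omitted); use aes 256" % encr))
            group, line = _policy_value(body, ("group",), "1")
            if group in WEAK_DH_GROUPS:
                findings.append(("medium", line or header, "DH group %s (1 is the default when omitted); use group 14 or an ECDH group" % group))
            hash_alg, line = _policy_value(body, ("hash",), "sha")
            if hash_alg == "md5":
                findings.append(("medium", line or header, "IKE hash md5; use sha256"))
        elif header.startswith("crypto ipsec transform-set"):
            weak = [t for t in header.split()[3:] if t in WEAK_ESP]
            if weak:
                findings.append(("medium", header, "weak ESP transform(s): %s" % ", ".join(weak)))
        elif header.startswith("crypto isakmp profile"):
            for cmd in body:
                if cmd.startswith("match identity address 0.0.0.0"):
                    findings.append(("info", cmd, "profile matches any peer address; acceptable for dynamic "
                                     "peers only if the keyring does not also use a wildcard PSK"))
    return findings


if __name__ == "__main__":
    for sev, line, why in audit_ipsec_config(THREAD_SERVER_CONFIG):
        print("[%s] %s  -- %s" % (sev, line, why))
    print("hardened sample findings:", audit_ipsec_config(HARDENED_CONFIG))
```

Run against the thread's server config the audit reports the wildcard PSK as high, the 3DES policy, DH group 2 and esp-3des transform as medium, and the any-address identity match as informational; the hardened sample produces no findings. The check is deliberately section-based rather than line-based so that a policy which simply omits `encr` or `group` is still caught, since IOS then silently falls back to DES and group 1.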
