07-09-2011 02:17 PM
Hi,
I'm using VTI between different sites to interconnect their LANs securely, and it works great when both sites have static IPs. The configuration is very simple:
interface Tunnel0
 ip address 192.168.0.1 255.255.255.0
 tunnel source 80.80.80.1
 tunnel destination 90.90.90.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_profile
Now, what would be the best solution if one of the ends of the tunnel has a dynamic IP?
I've tried to use a mixed static / dynamic VTI like this:
At the static IP site (HQ office):
crypto isakmp profile isakmp_s2s
 virtual-template 1
 match identity address 0.0.0.0 0.0.0.0
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_profile
At the dynamic IP site (Branch office):
interface Tunnel0
 ip address 192.168.0.2 255.255.255.0
 tunnel source FastEthernet 1/0
 tunnel destination 90.90.90.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VT_profile
But this doesn't work at all, so I must have misunderstood something.
Cheers,
Sylvain
07-09-2011 07:18 PM
There are a couple of ways to approach the problem:
1. Allow DNS resolution by the router and use a dynamic DNS name (i.e. services provided by dyndns.org, no-ip.com, etc.) and use the hostname for the ISAKMP identity.
2. Use EZVPN to connect the client end and make the head end an EZVPN server. This will not work if there is a requirement to run dynamic routing protocols over the tunnel.
Hope this helps get you on the right track.
Sent from Cisco Technical Support iPad App
07-10-2011 02:30 AM
1) In the example I posted above, I'm not even trying to filter the peer yet and just used a match address 0.0.0.0 and the tunnel doesn't come up. (protocol is down, and I don't see a Virtual-Access 2 interface being up).
2) I need OSPF to run, so that rules this out.
07-10-2011 07:35 AM
Ok, got it working in the end.
The two issues were:
The final configuration is:
Server:
crypto keyring WPSK
 pre-shared-key address 0.0.0.0 0.0.0.0 key rvH0cnVLUGe8naVY
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set TS
crypto isakmp profile DVTI
 keyring WPSK
 match identity address 0.0.0.0
 virtual-template 1
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
Client:
crypto keyring WPSK
 pre-shared-key address 0.0.0.0 0.0.0.0 key rvH0cnVLUGe8naVY
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set TS
interface Loopback0
 ip address 192.168.0.2 255.255.255.0
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source FastEthernet1/0
 tunnel destination 172.16.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
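The DVTI setup above hinges on a chain of names resolving (tunnel protection -> ipsec profile -> transform-set, isakmp profile -> keyring and virtual-template) and on a wildcard pre-shared key that any peer address may use. As an added example that is not part of this thread or Cisco's tooling, the small checker below parses an IOS-style config by indentation and reports dangling references and wildcard PSKs; the sample config is constructed from the server side of the final answer, but keeps the branch config's profile name "VT_profile" (which matches no defined profile) so there is something to catch, and uses a placeholder key.

```python
import re

# Constructed sample: the server-side DVTI config, with the undefined profile
# name "VT_profile" carried over from the branch post and a placeholder PSK.
SAMPLE_CONFIG = """\
crypto keyring WPSK
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER_PSK
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set TS
crypto isakmp profile DVTI
 keyring WPSK
 match identity address 0.0.0.0
 virtual-template 1
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VT_profile
"""

def parse_blocks(text):
    """Group IOS config lines into (header, [subcommands]) by leading-space indentation."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def lint_vti_config(text):
    """Return findings: references to undefined objects, and wildcard pre-shared keys."""
    blocks = parse_blocks(text)
    defs = {"ipsec profile": set(), "transform-set": set(), "keyring": set(), "virtual-template": set()}
    for header, _ in blocks:  # pass 1: collect what the config defines
        for kind, pat in (("ipsec profile", r"crypto ipsec profile (\S+)"),
                          ("transform-set", r"crypto ipsec transform-set (\S+)"),
                          ("keyring", r"crypto keyring (\S+)"),
                          ("virtual-template", r"interface Virtual-Template(\d+)")):
            if m := re.match(pat, header):
                defs[kind].add(m.group(1))
    refs = ((r"tunnel protection ipsec profile (\S+)", "ipsec profile"),
            (r"set transform-set (\S+)", "transform-set"),
            (r"keyring (\S+)", "keyring"), (r"virtual-template (\d+)", "virtual-template"))
    findings = []
    for header, subs in blocks:  # pass 2: check every subcommand that names an object
        for sub in subs:
            for pat, kind in refs:
                if (m := re.match(pat, sub)) and m.group(1) not in defs[kind]:
                    findings.append(f"{header}: references undefined {kind} {m.group(1)}")
            if re.match(r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ", sub):
                findings.append(f"{header}: wildcard pre-shared key accepts any peer address")
    return findings
```

Running `lint_vti_config(SAMPLE_CONFIG)` reports the dangling "VT_profile" reference and the wildcard key; fixing the name leaves only the wildcard finding, which is expected for a dynamic-peer DVTI but worth knowing about.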