2 Replies Latest reply on Aug 23, 2013 9:34 AM by david

    Dynamic VPN

    sour New Member

      I'm trying to figure out how to do a dynamic VPN between a Cisco, which may have an IP address that changes frequently, and an ADTRAN 908e that has a public IP address. It seems to me that this should be possible? I have already tried the setup guides, but they don't detail how to handle the situation when the peer IP address is unknown.

      I have 4 locations that have dynamic IP addresses and a primary with a static one. I'm trying to get PBXs at each location to talk.

      THX!

        • Re: Dynamic VPN
          jayh Hall_of_Fame

          You'll need to have the remotes initiate and set the remote ID to something other than an IP address, such as an FQDN.  The hub end needs a static IP programmed into the remotes.

          crypto ike policy 100
            no initiate
            respond anymode
            local-id fqdn adtran.example.com
            peer any
          !
          crypto ike remote-id fqdn cisco1.example.com preshared-key itsasecret1 ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
          crypto ike remote-id fqdn cisco2.example.com preshared-key itsasecret2 ike-policy 100 crypto map VPN 20 no-mode-config no-xauth
          !
          crypto ipsec transform-set esp-aes-192-cbc-esp-sha-hmac esp-aes-192-cbc esp-sha-hmac
            mode tunnel
          !
          crypto map VPN 10 ipsec-ike
            description Cisco1
            match address VPN-10-vpn-selectors
            set transform-set esp-aes-192-cbc-esp-sha-hmac
            ike-policy 100
          !
          crypto map VPN 20 ipsec-ike
            description Cisco2
            match address VPN-20-vpn-selectors
            set transform-set esp-aes-192-cbc-esp-sha-hmac
            ike-policy 100
          !
          ip access-list extended VPN-10-vpn-selectors
            permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
          !
          ip access-list extended VPN-20-vpn-selectors
            permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
          !

          There are a lot of variables with IPSec that all have to match, and it gets trickier with different vendors.  I'd try building it to a known IP address first to ensure that your PFS, D-H group, transform set, PSK, etc. are all good and then change to the dynamic model.

           

          If there isn't "interesting" traffic over the VPN, consider building a ping probe running every few minutes to keep the tunnel up on the remote ends.  Otherwise, when it times out, the hub won't be able to initiate to the spokes with unknown IPs.

          • Re: Dynamic VPN
            david Employee

            Sour,

             

            I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

             

            Thanks!

            David