From: Curt Girardin (curt.girardin@chicos.com)
Date: Wed Oct 03 2007 - 12:13:59 ART
In my opinion, I think the simplest would be a dynamic crypto map at the
"head-end" that has a static IP address, and use a static crypto-map at
the "spoke" with the dynamic ip address. For example:
ROUTER-A ("head-end")
========
interface fa0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface fa0/0
 description outside
 ip address 76.54.32.1 255.255.255.252
 ip nat outside
 crypto map IPSEC
!
ip route 0.0.0.0 0.0.0.0 76.54.32.2
ip nat inside source route-map NATME interface fa0/0 overload
!
ip access-list extended VPN-TO-ROUTER-B
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip access-list extended NAT
 permit ip 10.1.1.0 0.0.0.255 any
!
! seq 10 exempts the crypto traffic from NAT; seq 20 NATs everything else
route-map NATME deny 10
 match ip address VPN-TO-ROUTER-B
route-map NATME permit 20
 match ip address NAT
!
! wildcard pre-shared key (0.0.0.0 0.0.0.0 = any peer) <---- you could use
! certificates instead to avoid this bad-practice.
crypto isakmp key CISCO123 address 0.0.0.0 0.0.0.0
crypto isakmp policy 10
 authentication pre-share
 group 2
 encryption 3des
 hash md5
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
! dynamic map: peer is learned from whoever negotiates, only the transform-set is mandatory
crypto dynamic-map DYNMAP 10
 match address VPN-TO-ROUTER-B
 set transform-set 3DES-MD5
!
crypto map IPSEC 10 ipsec-isakmp dynamic DYNMAP
! static entry with placeholder values ("blah") - fill in ACL, peer and transform-set
crypto map IPSEC 20 ipsec-isakmp
 match address blah
 set peer blah
 set transform-set blah
(you could add other static crypto maps here if you wanted)
ROUTER-B "spoke"
========
interface fa0/1
 description inside
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
!
interface fa0/0
 description outside
 ip address dhcp
 ip nat outside
 crypto map IPSEC
!
! default route comes from DHCP, so no static ip route is needed here
ip nat inside source route-map NATME interface fa0/0 overload
!
ip access-list extended VPN-TO-ROUTER-A
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended NAT
 permit ip 10.2.2.0 0.0.0.255 any
!
route-map NATME deny 10
 match ip address VPN-TO-ROUTER-A
route-map NATME permit 20
 match ip address NAT
!
! spoke knows the head-end's static address, so the key is bound to that peer
crypto isakmp key CISCO123 address 76.54.32.1
crypto isakmp policy 10
 authentication pre-share
 group 2
 encryption 3des
 hash md5
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
! static crypto map: everything (peer, proxy ACL, transform-set) is known on this side
crypto map IPSEC 10 ipsec-isakmp
 match address VPN-TO-ROUTER-A
 set peer 76.54.32.1
 set transform-set 3DES-MD5
I just typed this config out, and haven't pasted it, or tested it in any
actual routers, so forgive me if my syntax isn't quite exact.
Basically a dynamic crypto map is, by and large, a crypto map that
doesn't have ALL the required information. The minimum requirement is
to specify a transform-set. Once the routers bring up the isakmp tunnel, the
head-end will gather any missing information (peer-ip, proxy ACL, etc.)
from the remote (I think this happens in "phase-2" while negotiating
IPSEC SAs). You could even leave out the "match address
VPN-TO-ROUTER-B" on the dynamic map if you wanted to. However, I would
then move it to the end of your crypto map: "crypto map IPSEC 65000
ipsec-isakmp dynamic DYNMAP" - using 65000 instead of 10. This allows
any of your static crypto maps (maps with ALL the necessary info
present) to "match" before your dynamic map matches. I hope this makes
sense to you. If not, there is a VERY good book I would suggest you
look at, by Richard Deal - "The Complete Cisco VPN Configuration Guide"
- ISBN 1-58705-204-0.
Using dynamic crypto maps this way is not all that different than
configuring for an EZVPN client. With an EZVPN client you will need to
set up some aaa, and a few more isakmp commands. I personally find
EZVPN a tad more difficult to troubleshoot when things don't go right,
however, if you're more familiar with EZVPN, then by all means that may
be the better solution for you.
I've also added a simple NAT configuration that I like. It works well
when you have multiple IPSEC tunnels because you can use the same ACL
for both the crypto-map as well as the NAT route-map. Fewer ACLs.
Making sure you exclude your crypto traffic from NAT is important "only
if you want it to work". :) (or make sure your "crypto-ACLs" take
into account NATTED traffic).
In a production network on the Internet, of course, you might want to
use CBAC as well (ip inspect) - however I didn't want to over-complicate
things in this example, so I left it out.
Using this dynamic crypto-map solution, users at router-b would have to
initiate the tunnel. If you had a requirement where a tunnel needed to
be up full-time, I would go with a DMVPN solution, where
tunnel-keepalives and/or routing protocols and/or NHRP would keep the
tunnel up. DMVPN is also discussed in detail in the same book.
HTH,
Curt Girardin, CCIE2 (R/S, Security) #15972
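Curt's point about excluding the crypto traffic from NAT (and why the tunnel breaks if you don't), worked through as an added Python simulation; this is not code from the thread. It models the IOS inside-to-outside order of operations, where the NAT route-map is evaluated before the crypto map is consulted, using the ACLs, route-map NATME and addresses from the ROUTER-A config above. The packet samples, the 203.0.113.50 Internet destination and the route-map variant with the deny entry left out are constructed for illustration.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask match: a bit set to 1 in the wildcard is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# The two extended ACLs from ROUTER-A's config; "any" is written in its
# wildcard form 0.0.0.0 255.255.255.255.
ACLS = {
    "VPN-TO-ROUTER-B": [("permit", "10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255")],
    "NAT":             [("permit", "10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")],
}


def acl_permits(acl_name, src, dst):
    """First matching entry decides; falling off the end is the implicit deny."""
    for action, src_net, src_wc, dst_net, dst_wc in ACLS[acl_name]:
        if wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc):
            return action == "permit"
    return False


# route-map NATME as in the thread: seq 10 deny (VPN traffic), seq 20 permit (the rest).
ROUTE_MAP_NATME = [(10, "deny", "VPN-TO-ROUTER-B"), (20, "permit", "NAT")]
# Constructed counter-example: the same route-map with the exemption left out.
ROUTE_MAP_NO_EXEMPTION = [(20, "permit", "NAT")]


def route_map_permits(route_map, src, dst):
    """Entries are walked in sequence order; the first whose match clause hits decides.
    Under 'ip nat inside source route-map', permit means translate, deny means leave alone."""
    for _seq, action, acl in route_map:
        if acl_permits(acl, src, dst):
            return action == "permit"
    return False


OUTSIDE_IP = "76.54.32.1"  # ROUTER-A fa0/0, the PAT overload address


def forward_inside_to_outside(src, dst, route_map=ROUTE_MAP_NATME):
    """Inside-to-outside on ROUTER-A: NAT runs before the crypto map check,
    so the crypto ACL sees the post-NAT source address."""
    natted = route_map_permits(route_map, src, dst)
    if natted:
        src = OUTSIDE_IP
    encrypted = acl_permits("VPN-TO-ROUTER-B", src, dst)
    return {"src": src, "natted": natted, "encrypted": encrypted}


if __name__ == "__main__":
    # Constructed packets from an inside host: one to ROUTER-B's LAN, one to the Internet,
    # and the LAN-to-LAN packet again through the route-map that lacks the deny entry.
    for dst, rm in (("10.2.2.7", ROUTE_MAP_NATME),
                    ("203.0.113.50", ROUTE_MAP_NATME),
                    ("10.2.2.7", ROUTE_MAP_NO_EXEMPTION)):
        print(dst, forward_inside_to_outside("10.1.1.5", dst, rm))
```

With the deny entry in place, 10.1.1.5 to 10.2.2.7 is left untranslated and matches VPN-TO-ROUTER-B, while Internet traffic is PATed to 76.54.32.1 and goes out in the clear. Without the exemption, the LAN-to-LAN packet is also PATed to 76.54.32.1, no longer matches the crypto ACL, and the tunnel is never triggered, which is the failure Curt's "only if you want it to work" remark refers to.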
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chamara Peris
Sent: Monday, October 01, 2007 5:38 PM
To: Curt Girardin
Cc: v.shekhar@yahoo.com; shiran guez; Joseph Brunner; Cisco
certification
Subject: Re: Dynamic VPN Tunnels
Hi Curt,
Both ends are terminated with routers. Do all these scenarios require the
dynamic end to initiate the tunnel?
Which solution is most feasible, and are there any good examples?
Thanks heaps guys
CP
On 10/2/07, Curt Girardin <curt.girardin@chicos.com> wrote:
>
>
> With one side static and one side dynamic (DHCP) you have the following
> options (there may be more):
>
> 1) DMVPN
> 2) Dynamic crypto-map on the static side, with static-crypto-map on the
> DHCP side.
> 3) EZVPN
>
> Are both sides terminated with routers? ASA's? Pix's? Or VPN
> Concentrators? That makes a difference in your choices.
>
> 1) DMVPN is only do-able on routers. ASA's, pix's and concentrators do
> not have a concept of a tunnel interface, or NHRP.
> 2) This is do-able if you're not using concentrators. I'm not certain
> about pix's and asa's.
> 3) This is do-able if your DHCP side is a router, and some pix/asa
> platforms as an EZVPN client. Your EZVPN servers can be routers, vpn
> concentrators, and some pix/asa platforms.
>
>
> Thanks,
>
> Curt Girardin, CCIE2 (R/S, Security) #15972
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> v.shekhar@yahoo.com
> Sent: Monday, October 01, 2007 10:28 AM
> To: Chamara Peris; shiran guez
> Cc: Joseph Brunner; Cisco certification
> Subject: Re: Dynamic VPN Tunnels
>
> if u can manage to get one side on public Static IP, u can go for
> EZVPN, but in this case the tunnel HAS to be initiated from the dynamic
> IP side ONLY. (but that's the only option anyways) :)
>
> Thanx,
> -sHekHar.
> CCIE#17589/CISSP/RHCE.
>
> ----- Original Message ----
> From: Chamara Peris <dimsyboy@gmail.com>
> To: shiran guez <shiranp3@gmail.com>
> Cc: Joseph Brunner <joe@affirmedsystems.com>; Cisco certification
> <ccielab@groupstudy.com>
> Sent: Monday, October 1, 2007 4:02:51 AM
> Subject: Re: Dynamic VPN Tunnels
>
> Hi Guys,
>
>
> If I can get one end with a static. what's best solution to get this
> scenario working?. Can someone point me to a good example in this
> situation.
>
> Cheers,
> CP
>
>
> On 10/1/07, shiran guez <shiranp3@gmail.com> wrote:
> >
> > with DMVPN you must have at least one Static Public IP address for the
> > Hub
> >
> > he is specifying a case where he does not have a Static IP in the only 2
> > locations he has.
> > I suggest that he will use DDNS with No-IP Service and create a simple
> > GRE tunnel with no problem
> >
> >
> > On 10/1/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
> >
> > > There really is only 1 way worth doing - DMVPN
> > >
> > > You can read all about it here.
> > >
> > >
> > >
> > > http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.htmlv
> > >
> > >
> > > and in layman's terms...
> > >
> > >
> > > http://en.wikipedia.org/wiki/Dynamic_Multipoint_Virtual_Private_Network
> > >
> > > -Joe
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Chamara Peris
> > > Sent: Sunday, September 30, 2007 5:46 PM
> > > To: Cisco certification
> > > Subject: Dynamic VPN Tunnels
> > >
> > > Hi Group,
> > >
> > > I have a requirement to connect two sites via VPN. My problem is these
> > > two sites come with dynamic IP addresses. Tried a few simulations as
> > > mentioned on the cisco site without any luck.
> > >
> > > Can anyone shed some light on how to connect two sites with dynamic IP
> > > addresses.
> > >
> > >
> > >
> > > LAN---172.16.10.0 <--->Router (Dynamic Public IP)------[Internet]---------(Dynamic Public IP)Router<---->172.16.11.0--LAN
> > >
> > >
> > > Cheers,
> > > CP
> > >
> > >
>
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:11 ART