From: Chamara Peris (dimsyboy@gmail.com)
Date: Wed Oct 03 2007 - 19:23:36 ART
Thanks so much Curt.
I will try it out during the weekend.
Thanks
CP
On 10/4/07, Curt Girardin <curt.girardin@chicos.com> wrote:
>
> In my opinion, I think the simplest would be a dynamic crypto map at the
> "head-end" that has a static IP address, and use a static crypto-map at
> the "spoke" with the dynamic ip address. For example:
>
>
> ROUTER-A ("head-end")
> ========
> interface FastEthernet0/1
>  description inside
>  ip address 10.1.1.1 255.255.255.0
>  ip nat inside
> interface FastEthernet0/0
>  description outside
>  ip address 76.54.32.1 255.255.255.252
>  ip nat outside
>  crypto map IPSEC
>
> ip route 0.0.0.0 0.0.0.0 76.54.32.2
>
> ip nat inside source route-map NATME interface FastEthernet0/0 overload
>
> ip access-list extended VPN-TO-ROUTER-B
>  permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
> ip access-list extended NAT
>  permit ip 10.1.1.0 0.0.0.255 any
>
> route-map NATME deny 10
>  match ip address VPN-TO-ROUTER-B
> route-map NATME permit 20
>  match ip address NAT
>
> crypto isakmp key CISCO123 address 0.0.0.0 0.0.0.0   <---- you could use
> certificates instead to avoid this bad-practice.
>
> crypto isakmp policy 10
>  authentication pre-share
>  group 2
>  encryption 3des
>  hash md5
>
> crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
>
> crypto dynamic-map DYNMAP 10
>  match address VPN-TO-ROUTER-B
>  set transform-set 3DES-MD5
>
> crypto map IPSEC 10 ipsec-isakmp dynamic DYNMAP
> crypto map IPSEC 20 ipsec-isakmp
>  match address blah
>  set peer blah
>  set transform-set blah
> (you could add other static crypto maps here if you wanted)
>
>
>
> ROUTER-B ("spoke")
> ========
> interface FastEthernet0/1
>  description inside
>  ip address 10.2.2.1 255.255.255.0
>  ip nat inside
> interface FastEthernet0/0
>  description outside
>  ip address dhcp
>  ip nat outside
>  crypto map IPSEC
>
> ip nat inside source route-map NATME interface FastEthernet0/0 overload
>
> ip access-list extended VPN-TO-ROUTER-A
>  permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
> ip access-list extended NAT
>  permit ip 10.2.2.0 0.0.0.255 any
>
> route-map NATME deny 10
>  match ip address VPN-TO-ROUTER-A
> route-map NATME permit 20
>  match ip address NAT
>
> crypto isakmp key CISCO123 address 76.54.32.1
>
> crypto isakmp policy 10
>  authentication pre-share
>  group 2
>  encryption 3des
>  hash md5
>
> crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
>
> crypto map IPSEC 10 ipsec-isakmp
>  match address VPN-TO-ROUTER-A
>  set peer 76.54.32.1
>  set transform-set 3DES-MD5
>
>
>
> I just typed this config out, and haven't pasted it, or tested it in any
> actual routers, so forgive me if my syntax isn't quite exact.
>
> Basically a dynamic crypto map is, by and large, a crypto map that
> doesn't have ALL the required information. The minimum requirement is
> to specify a transform-set. Once the routers establish the isakmp tunnel, the
> head-end will gather any missing information (peer-ip, proxy-acl, etc.)
> from the remote (I think this happens in "phase-2" while negotiating
> IPSEC SAs). You could even leave out the "match address
> VPN-TO-ROUTER-B" on the dynamic map if you wanted to. However, I would
> then move it to the end of your crypto map: "crypto map IPSEC 65000
> ipsec-isakmp dynamic DYNMAP" - using 65000 instead of 10. This allows
> any of your static crypto maps (maps with ALL the necessary info
> present) to "match" before your dynamic map matches. I hope this makes
> sense to you. If not, there is a VERY good book I would suggest you
> look at, by Richard Deal - "The Complete Cisco VPN Configuration Guide"
> - ISBN 1-58705-204-0.
>
> Using dynamic crypto maps this way is not all that different from
> configuring for an EZVPN client. With an EZVPN client you will need to
> set up some aaa, and a few more isakmp commands. I personally find
> EZVPN a tad more difficult to troubleshoot when things don't go right,
> however, if you're more familiar with EZVPN, then by all means that may
> be the better solution for you.
>
> I've also added a simple NAT configuration that I like. It works well
> when you have multiple IPSEC tunnels because you can use the same ACL
> for both the crypto-map, as well as the nat route-map. Fewer ACLs.
> Making sure you exclude your crypto traffic from NAT is important "only
> if you want it to work". :) (or make sure your "crypto-acls" take
> into account NATTED traffic).
>
> In a production network on the Internet, of course, you might want to
> use CBAC as well (ip inspect) - however I didn't want to over-complicate
> things in this example, so I left it out.
>
> Using this dynamic crypto-map solution, users at router-b would have to
> initiate the tunnel. If you had a requirement where a tunnel needed to
> be up full-time, I would go with a DMVPN solution, where
> tunnel-keepalives and/or routing protocols and/or NHRP would keep the
> tunnel up. DMVPN is also discussed in detail in the same book.
>
> HTH,
>
> Curt Girardin, CCIE2 (R/S, Security) #15972
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chamara Peris
> Sent: Monday, October 01, 2007 5:38 PM
> To: Curt Girardin
> Cc: v.shekhar@yahoo.com; shiran guez; Joseph Brunner; Cisco
> certification
> Subject: Re: Dynamic VPN Tunnels
>
> Hi Curt,
>
> Both ends are terminated with routers. Do all these scenarios require
> the dynamic end to initiate the tunnel?
>
> Which solution is most feasible, and are there any good examples?
>
> Thanks heaps guys
> CP
>
>
> On 10/2/07, Curt Girardin <curt.girardin@chicos.com> wrote:
> >
> >
> > With one side static and one side dynamic (DHCP) you have the
> > following options (there may be more):
> >
> > 1) DMVPN
> > 2) Dynamic crypto-map on the static side, with static-crypto-map on
> > the DHCP side.
> > 3) EZVPN
> >
> > Are both sides terminated with routers? ASA's? Pix's? Or VPN
> > Concentrators? That makes a difference in your choices.
> >
> > 1) DMVPN is only do-able on routers. ASA's, pix's and concentrators
> > do not have a concept of a tunnel interface, or NHRP.
> > 2) This is do-able if you're not using concentrators. I'm not
> > certain about pix's and asa's.
> > 3) This is do-able if your DHCP side is a router, and some pix/asa
> > platforms as an EZVPN client. Your EZVPN servers can be routers, vpn
> > concentrators, and some pix/asa platforms.
> >
> >
> > Thanks,
> >
> > Curt Girardin, CCIE2 (R/S, Security) #15972
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of v.shekhar@yahoo.com
> > Sent: Monday, October 01, 2007 10:28 AM
> > To: Chamara Peris; shiran guez
> > Cc: Joseph Brunner; Cisco certification
> > Subject: Re: Dynamic VPN Tunnels
> >
> > If you can manage to get one side on a public static IP, you can go for
> > EZVPN, but in this case the tunnel HAS to be initiated from the dynamic
> > IP side ONLY. (But that's the only option anyways) :)
> >
> > Thanx,
> > -sHekHar.
> > CCIE#17589/CISSP/RHCE.
> >
> > ----- Original Message ----
> > From: Chamara Peris <dimsyboy@gmail.com>
> > To: shiran guez <shiranp3@gmail.com>
> > Cc: Joseph Brunner <joe@affirmedsystems.com>; Cisco certification
> > <ccielab@groupstudy.com>
> > Sent: Monday, October 1, 2007 4:02:51 AM
> > Subject: Re: Dynamic VPN Tunnels
> >
> > Hi Guys,
> >
> >
> > If I can get one end with a static IP, what's the best solution to get this
> > scenario working? Can someone point me to a good example in this
> > situation.
> >
> > Cheers,
> > CP
> >
> >
> > On 10/1/07, shiran guez <shiranp3@gmail.com> wrote:
> > >
> > > With DMVPN you must have at least one static public IP address for
> > > the Hub.
> > >
> > > He is specifying a case where he does not have a static IP in the only 2
> > > locations he has.
> > > I suggest that he use DDNS with the No-IP service and create a simple
> > > GRE tunnel with no problem.
> > >
> > >
> > > On 10/1/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
> > >
> > > > There really is only 1 way worth doing - DMVPN
> > > >
> > > > You can read all about it here.
> > > >
> > > >
> > > >
> > > > http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.htmlv
> > > >
> > > >
> > > > and in layman's terms...
> > > >
> > > >
> > > > http://en.wikipedia.org/wiki/Dynamic_Multipoint_Virtual_Private_Network
> > > >
> > > > -Joe
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > Behalf Of Chamara Peris
> > > > Sent: Sunday, September 30, 2007 5:46 PM
> > > > To: Cisco certification
> > > > Subject: Dynamic VPN Tunnels
> > > >
> > > > Hi Group,
> > > >
> > > > I have a requirement to connect two sites via VPN. My problem is these
> > > > two sites come with dynamic IP addresses. Tried a few simulations as
> > > > mentioned on the Cisco site without any luck.
> > > >
> > > > Can anyone shed some light on how to connect two sites with dynamic IP
> > > > addresses.
> > > >
> > > >
> > > >
> > > > LAN---172.16.10.0 <--->Router (Dynamic Public IP)------[Internet]---------(Dynamic Public IP)Router<---->172.16.11.0--LAN
> > > >
> > > >
> > > > Cheers,
> > > > CP
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > >
> > >
> > >
> > > --
> > > Shiran Guez
> > > MCSE CCNP NCE1
> > > http://cciep3.blogspot.com
> > > http://www.linkedin.com/in/cciep3
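As an added illustration of Curt's point that crypto traffic must be excluded from NAT (this is example code written for this archive page, not anything posted in the thread), the following Python model walks an outbound packet through ROUTER-A's wildcard-mask ACLs, the NATME route-map and the crypto ACL in the order IOS applies them (inside-to-outside NAT before the crypto-map check). The ACL, route-map and address values are taken from the ROUTER-A config; the packet addresses are constructed for the demo.

```python
# Added example, not from the thread: a small Python model of how the
# ROUTER-A config above classifies an outbound packet. It evaluates the
# wildcard-mask ACLs, the NATME route-map and the crypto ACL in the order
# IOS applies them (inside-to-outside NAT before the crypto check), so it
# shows why the "deny 10" clause that exempts VPN traffic from NAT matters.
import ipaddress

OUTSIDE_IP = "76.54.32.1"  # ROUTER-A fa0/0, the overload (PAT) address

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, src, dst):
    """Extended ACL: first matching entry wins; implicit deny at the end."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

# The two ACLs from ROUTER-A ("any" is 0.0.0.0 with wildcard 255.255.255.255).
VPN_TO_ROUTER_B = [("permit", "10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255")]
NAT = [("permit", "10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

# route-map NATME as posted: deny 10 (VPN traffic), permit 20 (everything else).
NATME = [("deny", VPN_TO_ROUTER_B), ("permit", NAT)]
# The same route-map with the exemption clause forgotten (the failure mode).
NATME_NO_EXEMPT = [("permit", NAT)]

def route_map_permits_nat(route_map, src, dst):
    """Route-map clauses are tried in sequence; no match means no translation."""
    for action, acl in route_map:
        if acl_permits(acl, src, dst):
            return action == "permit"
    return False

def classify(src, dst, route_map=NATME):
    """Return (translated, encrypted) for a packet leaving fa0/0 (constructed demo)."""
    translated = route_map_permits_nat(route_map, src, dst)
    # IOS translates inside->outside before the crypto map is consulted, so
    # the crypto ACL sees the post-NAT source address.
    src_on_wire = OUTSIDE_IP if translated else src
    encrypted = acl_permits(VPN_TO_ROUTER_B, src_on_wire, dst)
    return translated, encrypted
```

With the deny clause in place a 10.1.1.x to 10.2.2.x packet is left untranslated and matches the crypto ACL; with NATME_NO_EXEMPT it is PATed to 76.54.32.1 first, no longer matches the crypto ACL, and leaves in the clear.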
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:11 ART