Hi Experts,
I have a simple VPN setup but am having a problem getting the tunnel up with a dynamic IP.
Any input is appreciated.
To simplify the setup I labeled the sites A, B and C. Here are the details
and my configuration.
Site-A connects to Site-C [ Firewall-to-Router, Static-to-Dynamic IPsec with
NAT ]
Site-B connects to Site-C [ Router-to-Router, Static-to-Dynamic IPsec with
NAT ]
Site-A terminates the VPN on a PIX 525
Site-B terminates the VPN on an IOS router with a static public IP
Site-C terminates the VPN on an IOS router with a dynamic public IP
Site A - 217.18.1.x
Site B - 217.90.12.x
Site C - 0.0.0.0 [ Dynamic IP ]
%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Site-C configuration %%
%%%%%%%%%%%%%%%%%%%%%%%%%%
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco address 217.18.1.X
crypto isakmp key cisco address 217.90.12.X
crypto isakmp keepalive 300
!
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 217.18.1.X
 set transform-set trans1
 match address FL1
! Each peer needs its own sequence number: re-entering sequence 10 modifies
! the Site-A entry instead of creating a second one.
crypto map CMAP 20 ipsec-isakmp
 set peer 217.90.12.X
 set transform-set trans2
 match address GW1
!
interface Ethernet0
 ip address 172.20.245.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
 hold-queue 100 out
!
interface ATM0
 bandwidth 4160
 no ip address
 load-interval 30
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 bandwidth 4160
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username cisco password 7 cisco
 ppp ipcp address accept
 crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 Dialer0
! "inside" was missing from the NAT statement; without it the line is rejected.
ip nat inside source list INTERNET interface Dialer0 overload
!
! NAT exemption: VPN traffic must not be translated before it reaches the crypto map.
ip access-list extended INTERNET
 deny ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
 deny ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
 deny ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 172.20.245.0 0.0.0.255 any
!
! Crypto ACL for Site-A
ip access-list extended FL1
 permit ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
 permit ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
!
! Crypto ACL for Site-B
ip access-list extended GW1
 permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
 permit ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
I have no problems with the tunnel between Site-A and Site-C.
Thanks
A Khan
Received on Thu Nov 24 2011 - 13:03:03 ART
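The post shows only the dynamic side (Site-C). The part that usually decides whether a static-to-dynamic tunnel comes up is the static side: Site-B cannot reference Site-C's address with "set peer" or "crypto isakmp key ... address", so it needs a wildcard pre-shared key and a dynamic crypto map, and Site-C must always be the initiator (the static side has no address to dial). The following Site-B configuration is an added example written for this page, not configuration from the original post or its author. The interface names FastEthernet0/0 and FastEthernet0/1, the address 217.90.12.1, the names DYN and TO-SITEC, and the key "cisco" are assumed placeholders carried over from the question.

```cisco
! Added example: static-side (Site-B) router accepting Site-C's dynamic address.
! Not from the original post. Addresses, interface names and the key are assumed.
!
! Phase 1 must match Site-C's policy 11 exactly: 3DES, MD5, pre-shared key and the
! default DH group 1 (Site-C sets no "group", so do not add one here).
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
!
! No fixed peer address to key on, so the PSK is bound to a wildcard address.
! Any host on the Internet that knows this key can open IKE with this router, so
! the key must be long and random in production, not "cisco".
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 300
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
!
! Dynamic crypto map: no "set peer". Keeping "match address" restricts the proxy
! identities a dynamic peer may negotiate; it mirrors GW1 on Site-C with source
! and destination swapped.
crypto dynamic-map DYN 10
 set transform-set trans2
 match address TO-SITEC
!
! Static entries for fixed peers (if any) go first; the dynamic entry gets the
! highest sequence number so it is only consulted after every static peer fails.
crypto map CMAP 65535 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 description Site-B public interface (assumed address)
 ip address 217.90.12.1 255.255.255.0
 ip nat outside
 crypto map CMAP
!
interface FastEthernet0/1
 description Site-B LAN (192.168.2.0/24 assumed to be reached via this interface)
 ip address 172.20.20.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 217.90.12.254
!
! NAT exemption: VPN-bound traffic must bypass overload NAT, mirroring Site-C.
ip nat inside source list INTERNET interface FastEthernet0/0 overload
ip access-list extended INTERNET
 deny ip 172.20.20.0 0.0.0.255 172.20.245.0 0.0.0.255
 deny ip 192.168.2.0 0.0.0.255 172.20.245.0 0.0.0.255
 permit ip 172.20.20.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
! Crypto ACL: the exact mirror of GW1 on Site-C.
ip access-list extended TO-SITEC
 permit ip 172.20.20.0 0.0.0.255 172.20.245.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 172.20.245.0 0.0.0.255
```

Two checks worth doing when a tunnel like this does not come up: confirm that Site-C is the side sending traffic first (a dynamic-map peer can only respond), and compare "show crypto isakmp sa" on both ends, since a Phase 1 mismatch (group, hash, lifetime) will leave the SA in MM_NO_STATE while a crypto-ACL mismatch only fails later in Phase 2. Note also that the wildcard key means authentication rests entirely on that one shared secret; with pre-shared keys and address-based identity the responder has no other way to tell peers apart, so a dedicated key per site or RSA signatures would be preferable where the platform allows it.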