Site to Site VPN
krjay
Member Posts: 290
I am doing some labbing with site-to-site VPNs and ran into an issue. I have the following config:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key test address 100.100.1.1
crypto isakmp key test2 address 0.0.0.0 0.0.0.0
ip access-list extended VPN1-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN2-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VMAP 10 ipsec-isakmp
 set peer 100.100.1.1
 set transform-set TS
 match address VPN1-TRAFFIC
crypto map VMAP 100 ipsec-isakmp dynamic test-dynamic
crypto dynamic-map test-dynamic 50
 set transform-set TS
 match address VPN2-TRAFFIC
int f0/0
 crypto map VMAP
When I configure the opposite end of the tunnel it works. If I wanted to add a second 'branch office' that has a dynamic public IP, how would I add it to this headquarter router? I was able to set up multiple tunnels if both end points have a static IP, but ran into issues when one is static and the other is dynamic.
2014 Certification Goals: 70-410 [ ] CCNA:S [ ] Linux+ [ ]
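As an added example (not from the original post or any reply), this is the spoke-side configuration that pairs with the hub's dynamic crypto map above: the pre-shared key test2, transform set TS and the 192.168.2.0/24 branch network are taken from the posted hub config, while HUB_PUBLIC_IP and the spoke WAN interface FastEthernet0/0 are assumed placeholders. With a dynamic crypto map the hub has no peer address to dial, so the tunnel is only ever brought up by interesting traffic leaving the spoke.

```cisco
! Added example: DHCP-addressed spoke for the hub's "test-dynamic" map.
! HUB_PUBLIC_IP is a placeholder for the hub's static public address.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
! Same key the hub binds to the 0.0.0.0 0.0.0.0 wildcard entry.
crypto isakmp key test2 address HUB_PUBLIC_IP
!
! Proxy identities must be the exact mirror of the hub's VPN2-TRAFFIC ACL,
! otherwise phase 2 fails even though phase 1 completes.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! A static crypto map on the spoke: the spoke knows the hub's address,
! so it is the side that initiates the IKE exchange.
crypto map VMAP 10 ipsec-isakmp
 set peer HUB_PUBLIC_IP
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address dhcp
 crypto map VMAP
```

On the hub, "show crypto isakmp sa" and "show crypto ipsec sa" then show the spoke's current DHCP-assigned address as the peer once traffic from 192.168.2.0/24 has triggered the negotiation.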
Comments
tomtom1 Member Posts: 375
As far as my knowledge goes, you need something like DMVPN.
Dynamic Multipoint VPN (DMVPN) - Products & Services - Cisco
Dieg0M Member Posts: 861
> As far as my knowledge goes, you need something like DMVPN.
> Dynamic Multipoint VPN (DMVPN) - Products & Services - Cisco
I believe he's talking about a DHCP address, not mGRE.
Use the next hop interface instead of the next hop IP; in this case it would be the tunnel interface. This will discover its IP through an ARP request. I've had some problems with pointing to the next hop interface when they are tunnels.
Follow my CCDE journey at www.routingnull0.com
krjay Member Posts: 290
That's correct, one spoke has a DHCP public IP, the other has a static public IP (changed to 100.100.1.1 in the config as I was playing with it in GNS3). Not sure what you're referring to with your resolution; my configurations have been unable to bring the tunnel up on the spoke that has a DHCP public IP.
I edited the code so you can kind of tell what I was trying to do. It failed though.
2014 Certification Goals: 70-410 [ ] CCNA:S [ ] Linux+ [ ]
Dieg0M Member Posts: 861
Sorry, I misunderstood, I thought the routing was your problem. If you are using a DHCP address as the tunnel endpoint for your spoke, then use mGRE and it will resolve that problem.
Follow my CCDE journey at www.routingnull0.com
krjay Member Posts: 290
mGRE appears to accomplish what I'm trying to do. I will play around with that a little bit, thank you.
2014 Certification Goals: 70-410 [ ] CCNA:S [ ] Linux+ [ ]
krjay Member Posts: 290
I will read into both mGRE and dynamic VTI. Is one better than the other for the simple scenario I outlined?
2014 Certification Goals: 70-410 [ ] CCNA:S [ ] Linux+ [ ]
SecurityThroughObscurity Member Posts: 212
IPsec VTI advantages compared with DMVPN:
1. Less overhead (GRE + key + IPsec > IPsec VTI)
2. Easy configuration
3. No need for NHRP
IPsec VTI disadvantages compared with DMVPN:
1. Doesn't provide spoke-to-spoke communication