Site to Site VPN

I am doing some labbing with site to site vpn's and ran into an issue. I have the following config:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2

crypto isakmp key test address 100.100.1.1
crypto isakmp key test2 address 0.0.0.0 0.0.0.0

ip access-list extended VPN1-TRAFFIC
 permit 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN2-TRAFFIC
 permit 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255


crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac

crypto map VMAP 10 ipsec-isakmp
 set peer 100.100.1.1
 set transform-set TS
 match address VPN1-TRAFFIC
crypto map VMAP 100 ipsec-isakmp dynamic test-dynamic

crypto dynamic-map test-dynamic 50
 set transform-set TS
 match address VPN2-TRAFFIC

int f0/0
 crypto map VMAP

When I configure the opposite end of the tunnel it works. If I wanted to add a second 'branch office' that has a dynamic public IP, how would I add it to this headquarter router? I was able to setup multiple tunnels if both end points have a static IP, but ran in to issues when one is static, and the other is dynamic.

Find more posts tagged with

Comments

tomtom1

As far as my knowledge goes, you need something like DMVPN.
Dynamic Multipoint VPN (DMVPN) - Products & Services - Cisco

Dieg0M

tomtom1 wrote: »

As far as my knowledge goes, you need something like DMVPN.
Dynamic Multipoint VPN (DMVPN) - Products & Services - Cisco

I believe he's talking about a DHCP address, not mGRE

Use the next hop interface instead of the next hop IP, in this case it would be the tunnel interface. This will discover its IP through an ARP request. I've had some problems with pointing to next hop interface when they are tunnels.

krjay

That's correct, one spoke has a DHCP public IP, the other has a static public IP (changed to 100.100.1.1 in the config as I was playing with it in GNS3). Not sure what you're referring to with your resolution, my configurations have been unable to bring the tunnel up on the spoke that has a DHCP public IP.

I edited the code so you can kind of tell what I was trying to do. It failed though.

Dieg0M

Sorry, I misunderstood, I thought the routing was your problem. If you are using a DHCP address as tunnel endpoint for your spoke, then use mGRE and it will resolve that problem.

krjay

mGRE appears to accomplish what I'm trying to do. I will play around with that a little bit, thank you

SecurityThroughObscurity

you can also try dynamic VTI.

krjay

I will read into both mGRE and dynamic VTI. Is one better than the other for the simple scenario I outlined?

SecurityThroughObscurity

IPsec VTI advantages compared with DMVPN:
1. Less overhead (GRE+key+IPsec > IPsec VTI)
2. Easy configuration
3. No need NHRP

IPsec VTI disadvantages compared with DMVPN:
1. Doesn't provide Spoke-to-Spoke communication