Dynamic to static L2L IPSec VPN

Hello

I've implemented a dynamic-to-static IPsec site-to-site VPN between a branch (ship) ASA5505 and headquarters. Now, this solution does not allow HQ to initiate the IPsec connection.

There is a router behind the ASA5505. I heard that if I want to keep the tunnel up, so that HQ clients can send traffic to remote clients through the tunnel, I would need to run IP SLA ICMP probes on the router behind the ASA.

Could someone explain how to implement it?

Thanks for your help.

Frank

The ICMP probe can be done from any device that is able to ping, not only the router.

The reason is that interesting traffic triggers the tunnel: as long as there is traffic being encrypted by the VPN tunnel, the tunnel will stay up, so you will be able to open the connection to your remote site.

Hope that helps.
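As an added example (not from the original thread), this is what the IP SLA probe described above looks like on an IOS router sitting on the branch LAN behind the ASA5505. Everything here is assumed for illustration: the router's LAN address 192.168.100.1, the ASA's inside address 192.168.100.254, an HQ host 10.0.0.10 that answers ICMP echo, and a branch crypto ACL on the ASA that already covers 192.168.100.0/24 to 10.0.0.0/24.

```cisco
! IOS router on the branch LAN (behind the ASA5505). Assumed addresses:
!   192.168.100.1    this router's LAN interface, inside the branch crypto ACL
!   192.168.100.254  the ASA inside interface (next hop toward HQ)
!   10.0.0.10        an HQ host that answers ping
!
! The probe has to be sourced from an address inside the encryption domain;
! otherwise the ASA never classifies the echo as interesting traffic and the
! tunnel is not (re)built.
ip sla 10
 icmp-echo 10.0.0.10 source-ip 192.168.100.1
 frequency 30
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Make sure the HQ prefix is routed at the ASA, not at a default route that
! bypasses it.
ip route 10.0.0.0 255.255.255.0 192.168.100.254
!
! Verification (exec mode):
!   show ip sla statistics 10
!       "Number of successes" should climb every 30 s
!   on the ASA:  show crypto ipsec sa
!       #pkts encaps/decaps for the HQ peer increment with every probe
```

Keep the probe interval shorter than any idle timer that would tear the tunnel down (the ASA group-policy vpn-idle-timeout, 30 minutes by default, also applies to site-to-site tunnels). The probe only keeps the security associations alive and makes the branch re-initiate after a rekey; it does not make the branch reachable from HQ while the tunnel is down, because the branch address is still unknown to HQ at that point.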

Tags: Cisco Security

Similar Questions

  • l2l ipsec vpn - problem XAUTH need-based policy

    Hello

    I have a problem for which I see a few solutions, but they do not work.

    I have a p2p IPsec VPN which worked until I added a remote-access VPN configuration (which works perfectly).

    According to the documents, I used isakmp policy allowing mixed tunnels. Now, whenever I try to send traffic over the L2L link I get the following debug output, telling me that the remote router is demanding XAUTH.

    Sep 8 09:53:12: ISAKMP:(2015): Total payload length: 12
    Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
    Sep 8 09:53:12: ISAKMP:(2015):Need XAUTH
    Sep 8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH
    Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
    Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
    Sep 8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
    Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
    Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
    Sep 8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
    Sep 8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
    Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
    Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
    Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
    Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
    Sep 8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
    Sep 8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep 8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
    Sep 8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
    Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
    Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
    Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
    Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
    Sep 8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
    Sep 8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
    Sep 8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
    Sep 8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH
    Sep 8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
    Sep 8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
    Sep 8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.

    So, it seems that Phase 1 ends without XAUTH.

    Here's my crypto configuration:

    crypto keyring s2s
     pre-shared-key address [source] key [key]
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     lifetime 28800
    !
    crypto isakmp policy 10
     authentication pre-share
     lifetime 28800
    !
    crypto isakmp client configuration group [RA_GROUP]
     key [key2]
     dns 192.168.7.7
     wins 192.168.7.222
     domain ninterface.com
     pool SDM_POOL_1
     acl 100
     max-users 6
     netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
     match identity group [RA_GROUP]
     client authentication list ciscocp_vpn_xauth_ml_1
     isakmp authorization list ciscocp_vpn_group_ml_1
     client configuration address respond
     virtual-template 1
    crypto isakmp profile ISA_PROF
     keyring s2s
     match identity address [source] 255.255.255.255
    crypto isakmp profile unified
     match identity group [RA_GROUP]
     client authentication list ciscocp_vpn_xauth_ml_1
     isakmp authorization list ciscocp_vpn_grop_ml_1
     client configuration address respond
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
    crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
    crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec df-bit clear
    !
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile ciscocp-ike-profile-1
    !
    !
    crypto dynamic-map [RA_GROUP] 77
     set transform-set trans-rem
     set isakmp-profile unified
     reverse-route
    !
    !
    !
    crypto map clientmap client authentication list RAD_GRP
    crypto map clientmap isakmp authorization list rtr/remote
    crypto map clientmap client configuration address respond
    crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
    !
    crypto map [RA_GROUP] client configuration address respond
    !
    crypto map remote isakmp authorization list rtr/remote
    !
    crypto map RTP 10 ipsec-isakmp
     set peer [source]
     set transform-set MY-SET
     set pfs group2
     match address 111

    It is a bit of a dog's breakfast because I'm in the middle of implementing the policies.

    I managed to block XAUTH before I used policies by adding no-xauth to the end of my isakmp key, but I can't work out how to add this using the policy.

    I bet it's something simple that I missed.

    Thanks for your help!

    Hi Bruno.

    Thanks for the brief explanation.

    What crypto map is applied on the external interface?

    I think the "crypto isakmp profile" solution is the best way, and they seem to be OK; however, we must remember that you can only have a single crypto map per interface, so you should have something like this:

    1 - crypto dynamic-map outside_dynamic 10
         set transform-set ESP-AES-SHA

    2 - crypto map outside_map 10 ipsec-isakmp
         set peer xxxx.xxxx.xxxx.xxxx

    3 - crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynamic

    4 - interface f0/0
         crypto map outside_map

    * I did not configure the whole crypto configuration; I just wanted to give you a better idea.

    Please correct your configuration to accommodate one crypto map.

    Just to add more information on isakmp profiles:

    ISAKMP profile overview

    Let me know.

    Thank you.

    Portu.

  • L2l IPSec VPN blocks SQL (ASA v8.4)

    Good evening everyone,

    I have an ASA 5510 running 8.4(2) which has an IPsec site-to-site VPN to a 3rd party who run some form of Checkpoint. The VPN establishes and allows access to a server in our DMZ on all the ports we have tested (so far HTTP, FTP, SSL, RDP), with the exception of SQL, which does not even reach the server. I've got Wireshark running on the DMZ server, and if the 3rd party initiates a TCP conversation from their server on any of the ports on the server I see all the expected packets arrive with the correct IPs etc. (no NAT takes place through the VPN), but when an ODBC client attempts to query the SQL Server in our DMZ the packets do not reach the server. What I see is that the RX byte count on the VPN increases whenever the query is run, but it certainly does not arrive at the SQL Server.

    Also, if I swap the ASA back to the old PIX it replaced, with the same VPN configuration but on version 7.x, then it works fine.

    While I find some time to clean up the config this weekend, I'd welcome any ideas.

    Thank you very much

    Simon.

    Hi Simon,

    If you look at the sysopt options in ASDM it advises that you still need an ACL for the traffic. As I understand it, in the old days it was as you pointed out. If you set the ports in this group then yes, that is the whole of it, and potentially your only protection is the NAT or its absence.

    I would add another ACE to the outside interface which allows the source to your DMZ host (see below):

    object-group service SQL-PORTS tcp
     port-object eq 1433
     port-object eq 1434
     port-object eq 1521

    access-list outside_access extended permit tcp host 192.168.100.30 object DMZ_158 object-group SQL-PORTS

    Regards

  • L2l IPSec VPN 3000 and PIX 501

    Hello

    I have a remote site that has a broadband internet connection and uses a PIX 501. We want to connect it to our main office using our VPN 3000 via a site-to-site VPN.

    I followed the following documentation:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

    However, the L2L session does not appear on the concentrator when I check the active sessions.

    The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPsec L2L tunnel, are attached.

    Any help or advice is appreciated.

    I just noticed that on the PIX firewall the phase 1 parameters are not configured. You must configure the same phase 1 and phase 2 settings on both ends of the tunnel.

    For example, on the CVPN 3000 you have configured phase 1 settings such as 3DES, pre-shared key etc. We need the same configuration on the PIX firewall too.

    Here is a sample config:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

    I hope this helps!

  • Impossible to establish L2L ipsec VPN

    Hi all

    I have a PIX firewall on which 20 VPNs are terminated. One of my new requirements is to establish a VPN tunnel to another location to which I do not have access. On my side, I will have a private IP pool that is allowed through the tunnel. I set up a NAT with one of the IPs from the pool and my internal server.

    I tried a lot, but the VPN tunnel is not coming up.

    Please check the configuration below and the complete configuration attached. In my config 10.66.100.208 255.255.255.248 is the IP pool and 192.168.0.239 is my server. When I try to ping 192.168.108.75 from 192.168.0.239 the hit count on the VPN ACL increases but the tunnel is not coming up.

    Please look into it and help me sort out this issue.

    ==============================================================
    access-list NAT permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
    access-list NAT permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5

    access-list OR permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
    access-list OR permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5

    crypto ipsec transform-set OR esp-3des esp-sha-hmac

    isakmp policy 25 authentication pre-share
    isakmp policy 25 encryption 3des
    isakmp policy 25 hash sha
    isakmp policy 25 group 5
    isakmp policy 25 lifetime 1440

    crypto map forsberg 38 ipsec-isakmp
    crypto map forsberg 38 match address OR
    crypto map forsberg 38 set peer 1.1.1.250
    crypto map forsberg 38 set transform-set OR
    crypto map forsberg 38 set security-association lifetime seconds 3600

    static (inside,outside) 10.66.100.209 192.168.0.239 netmask 255.255.255.255 0 0

    isakmp key Fa$1xx!@$ address 1.1.1.250 netmask 255.255.255.255

    ======================================================================================

    pixfirewall# show access-list OR
    access-list OR; 2 elements
    access-list OR line 1 permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75 (hitcnt=87)
    access-list OR line 2 permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5 (hitcnt=0)
    pixfirewall#

    Hello

    The reason for this can be many. Can you paste the debugs here? Just "clear crypto isakmp sa" and "clear crypto ipsec sa", and then bring up the tunnel to get the complete set of debugs.

    Thank you and best regards,

    Assia

  • several L2L ipsec VPN to the same destination (ip address)

    Hi all

    I'm looking to establish multiple L2L IPsec tunnels (a tunnel for each subnet) from my Cisco ASA 5510 to the same destination.

    Is the Cisco ASA capable of this?

    How can I do it?

    Regards

    You can do this if you want to, say:

    Let's say site A has 3 subnets and site B has one.

    In this case, all you need to do is add the ACEs to the crypto ACL.

    Thank you

    Ajay

  • communications between IPSec VPN and AnyConnect SSLVPN

    Hi all

    I have 2 ASAs interconnected with an IPsec VPN.

    One of the ASAs has SSLVPN users who access intranet resources.

    But I don't know how to get to the inside network on the other ASA.

    My network architecture is as below:

    192.168.1.0/24---ASA1---Internet---ASA2---172.24.0.0/16

    SSLVPN uses 192.168.55.0/24 IPs on the outside interface

    An L2L IPsec VPN is established between ASA1 and ASA2

    192.168.1.x can access 172.24.0.0/16 via NATing to ASA2's inside interface IP

    But now I want 192.168.55.0/24 to access 172.24.0.0/16; I set some things up but it does not work...

    Are there any suggestions?

    Thank you very much

    Hi, the split tunnel you add with the ASA2 network should allow the VPN clients to send traffic through the tunnel when they want to reach the remote subnet.

    You can add this too:

    access-list nonat_outside permit ip

    nat (outside) 0 access-list nonat_outside

    Also, in the config you have not added the crypto ACL entry on ASA1, which is 192.168.55.0 to 172.24.0.0.

    See if that helps

  • The poll by IPSEC VPN SNMP

    Hi all

    I am trying to add remote Cisco switches to our Solarwinds Network Performance Monitor, and I'm unable to see the community strings of the switches behind our ASA firewall across L2L IPsec VPN tunnels.

    First of all, I can ping and see all the traffic behind the firewall. Network Configuration Manager (NCM) works fine; it can upload and download configs of the remote switches. It's just SNMP which does not seem to talk. Here are the configuration lines on the remote switches:

    snmp-server community * RO

    snmp-server community * RW

    This configuration works fine on our other network switches that are not accessed via a VPN tunnel. Is there another line I need to add pointing SNMP traffic to the SolarWinds server?

    When I try to add the switch to Solarwinds, it sees the IP perfectly, but once I add the RO and RW community strings it performs a test that fails every time and will not let me continue adding the device.

    Any help would be GREATLY appreciated! Thank you!

    Matt

    Look at the Windows firewall and check the antivirus on the Solarwinds server as well. This may be the origin of the problem (working one time and not working another time). Another possibility (maybe): if you have any IPS inline inspecting traffic, this could cause the issue. Check to see if any program/device in the path is rate-limiting the number of ICMP/SNMP packets.

    What version of NPM?

    THX

    MS

  • Help with dynamic static L2L

    I'm having some trouble with an L2L tunnel where the remote end has a DHCP address on the outside interface; this is a

    WRVS4400N Wireless-N Gigabit Security Router with VPN, and I am locked into a particular configuration on that end. My end is an ASA5540, which must accept a dynamic connection, and I can do everything I need to get this up and running...

    Remote endpoint in Rome:

    192.168.252.0/24 inside network, which must be able to talk to my end: 192.168.240.0/24, 192.168.241.0/24 and 192.168.242.0/24

    IPsec settings in Rome which cannot be changed:

    IKE with pre-shared key

    Phase 1: 3DES, MD5, DH 2, key lifetime 86400

    Phase 2: 3DES, MD5, PFS enabled, DH 2, lifetime 28800, pre-shared key XXXXX

    On my end, I have the NAT exemption ACL and NAT correct... I can actually treat the current remote outside IP as static and bring the tunnel up without problem. My problem is getting the dynamic crypto correct.

    Here is what I currently have (or should I say have configured previously) on the ASA as far as the dynamic crypto goes:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
    crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
    crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    So my isakmp policy 5 is my phase 1 set. My ESP-3DES-MD5 transform set corresponds to my required phase 2 encryption/authentication...

    I think all I'm missing is a way to match PFS and DH 2 for phase 2?

    And since my ACL is named Rome, does my tunnel-group need to be named Rome as well?

    Thank you.

    I don't think we can have several dynamic IP peers using different pre-shared keys in this setup.

    -

    Sourav

  • 9.0 can a dynamic nat be used via ipsec vpn?

    We have a VPN up and working between ASAs, and when we run traffic through a static NAT rule the traffic goes over the VPN. When we use a dynamic NAT, the traffic does not get picked up by the VPN ACL.

    We disable the NAT rules to switch back and forth, and even when we use the same source and destination the result is the same.

    Am I missing something with 9.0 versions of code? If I disable all the NATs and pass traffic, it goes via the VPN.

    So it seems that when you use the dynamic NAT statement, it pushes traffic to the outside interface without looking at the VPN ACL. Please let me know if I'm crazy; I'm a newb on 8.3+ code.

    Thank you

    Have you included the NATted IP address or range in the crypto ACL?

    Have you allowed the NATted IP address or range at the other end of the tunnel?
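    The following is an added example, not part of the thread, showing why the two questions above matter on ASA 8.3 and later: NAT is applied before the crypto ACL check, so the crypto ACL has to match the translated addresses. All names and addresses are assumed for illustration (inside LAN 192.168.1.0/24, remote LAN 172.24.0.0/16, a NAT pool 10.66.100.209-10.66.100.214 that the far end expects to see, crypto map entry outside_map 10).

```cisco
! ASA 8.3+ twice-NAT ("manual NAT") combined with a site-to-site tunnel.
! Assumed: inside LAN 192.168.1.0/24, remote LAN 172.24.0.0/16,
! NAT pool 10.66.100.209-.214, crypto map entry outside_map 10.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_NET
 subnet 172.24.0.0 255.255.0.0
object network VPN_NAT_POOL
 range 10.66.100.209 10.66.100.214
!
! Dynamic NAT toward the remote LAN only. Pinning the destination keeps the
! ordinary Internet PAT rule out of the picture.
nat (inside,outside) source dynamic INSIDE_NET VPN_NAT_POOL destination static REMOTE_NET REMOTE_NET
!
! WRONG: crypto ACL written with the real (pre-NAT) addresses. Packets leave
! the NAT stage as 10.66.100.x, never match this ACL, and go out in the clear
! via the outside interface instead of into the tunnel.
! access-list VPN_ACL extended permit ip object INSIDE_NET object REMOTE_NET
!
! RIGHT: crypto ACL matches the translated source. The far end's crypto ACL
! must mirror it (10.66.100.208/29 <-> 172.24.0.0/16), which is what the
! second question above is getting at.
access-list VPN_ACL extended permit ip object VPN_NAT_POOL object REMOTE_NET
crypto map outside_map 10 match address VPN_ACL
!
! If no translation is wanted across the tunnel, exempt it explicitly and keep
! the crypto ACL on real addresses. Manual NAT is evaluated top-down, so this
! identity rule must sit above any broader dynamic rule for the same source.
! nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
!
! Show which NAT rule is hit and whether the VPN phase fires, without sending
! real traffic:
!   packet-tracer input inside tcp 192.168.1.10 40000 172.24.0.5 1433
```

    The packet-tracer output lists a NAT phase followed by a VPN phase when the translated flow matches the crypto ACL; if the VPN phase is missing, compare the translated address it prints against the crypto ACL before touching the tunnel configuration.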

  • ASA IPSEC VPN with public IP dynamic

    Hey,.

    I have never deployed an IPsec VPN tunnel using ASAs on both sides with one side using a dynamic public IP in production. I normally deploy VPN tunnels with both sides using static public IP addresses (not always a public IP address on the ASA directly, however).

    So I wonder how stable it is when one side has a static public IP and the other side uses a dynamic public IP?

    Thank you

    Shuai

    If you use certificates and PSK, or main mode and aggressive mode, it will work very well. I have a number of production sites using this method.

    Sent from Cisco Technical Support iPad App

  • Remote IPSec VPN with L2L

    Hello.

    I am setting up a site-to-site VPN, but I'm running into a problem when I apply the crypto map to the outside interface.

    I already have a remote-access IPsec VPN up with this crypto map applied to the outside interface. When I apply the map that I created for the L2L, it drops the RA VPN when applied to this interface. I was wondering how I can make this work with the two IPsec VPNs.

    crypto ipsec ikev1 transform-set IPSec esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set l2lvpn esp-3des esp-sha-hmac
    crypto dynamic-map IPSecVPNDM 1 set ikev1 transform-set IPSec
    crypto dynamic-map IPSecVPNDM 1 set reverse-route
    crypto map IPSecVPNCM 1 ipsec-isakmp dynamic IPSecVPNDM
    crypto map IPSecVPNCM interface outside
    crypto map IPSecL2L 1 match address CSM_IPSEC_ACL_1
    crypto map IPSecL2L 1 set peer x.x.x.x
    crypto map IPSecL2L 1 set ikev1 transform-set l2lvpn
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     fqdn none
     subject-name CN=IPSec-SMU-5505
     crl configure
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 2
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200

    Thank you

    Hello

    I guess that you may need to remove these as well:

    crypto dynamic-map IPSecVPNDM 1 set ikev1 transform-set IPSec
    crypto dynamic-map IPSecVPNDM 1 set reverse-route
    crypto map IPSecVPNCM 1 ipsec-isakmp dynamic IPSecVPNDM

    And add them again with the sequence number 65535, for example, instead of 1:

    crypto dynamic-map IPSecVPNDM 65535 set ikev1 transform-set IPSec
    crypto dynamic-map IPSecVPNDM 65535 set reverse-route
    crypto map IPSecVPNCM 65535 ipsec-isakmp dynamic IPSecVPNDM

    Then use a different sequence number for the L2L VPN. The sequence number indicates in what order the ASA tries to find a match for a VPN connection. Also, it probably gives this error message because you already have dynamic configurations with this sequence number and are trying to use the same one for the L2L VPN configuration.

    Again, if you configure a second L2L VPN at some point, then you would use yet another sequence number for that connection.

    -Jouni

  • Easy VPN with IPSec VPN L2L (Site - to - Site) in the same ASA 5505

    Hi Experts,

    We have an ASA 5505 in our environment, and currently two IPsec L2L VPN tunnels are established. But we intend to connect with Easy VPN (Network Extension Mode) to another site as a client. Is it possible to configure Easy VPN while keeping the currently active IPsec L2L (site-to-site) VPN tunnels? If not possible, is there any workaround?

    Here's the warning we get when we try to configure the Easy VPN client:

    NOCMEFW1(config)# vpnclient enable

    * Remove "nat (inside) 0 S2S-VPN"

    * Detach crypto map attached to the outside interface

    * Remove user-defined tunnel groups

    * Remove manual ISAKMP policy configuration

    CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote operation has been detected and listed above. Please resolve the above configuration and re-enable.

    Thanks and regards

    Anup

    "Dynamic crypto map must be installed on the server device."

    Yes, a dynamic crypto map is configured on the EasyVPN server.

    Thank you

  • Dynamic to static IPSec with certificate-based authentication

    I'm trying to implement a dynamic-to-static LAN2LAN VPN from an ASA 5505 (with a dynamic IP address) to an ASA5520 (with a static IP address).
    I would like a small (/30) network on the dynamic side which I can connect to a larger (/24) network on the static side.
    I am also trying to use identity certificates for authentication.

    I generated a root CA and an intermediate CA signed by the root CA, then created identity certificates for
    the ASAs, signed with the intermediate CA using OpenSSL, and imported them into a trustpoint.

    I tried to use the instructions at:
    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080930f21.shtml
    to configure the certificates (replacing MS with OpenSSL), and then the instructions to:

    I used ASDM to set up the appropriate identity cert on the outside interface
    [Configuration -> Device Management -> Advanced -> SSL Settings]

    and to establish a connection profile [Configuration -> Device Management -> Connection Profiles] on both devices,
    setting the side that gets its IP via DHCP to static and the side that has the permanent IP to accept dynamic.

    I apply the settings, and nothing happens.

    "show crypto isakmp sa" just returns "There are no isakmp sas".

    I don't know where to start debugging it. How can I force the DHCP side to initiate a connection?

    Are we sure that both peers are using the same isakmp settings? It seems the policy that uses rsa-sig on one end uses a different Diffie-Hellman group.
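    Added example, not from any of the posts: one ASA (IKEv1, 8.4+ syntax) configuration that brings together the points raised in several of the threads above: Jouni's advice to keep a single crypto map per interface with the dynamic entry at the highest sequence number, the Rome question about accepting a dynamic-IP peer with PFS group 2, Shuai's question about a static/dynamic ASA pair, and the certificate-authenticated dynamic-to-static question just above. Every address and name is assumed for illustration: HQ outside 203.0.113.1, HQ LANs 192.168.240.0/24 to 192.168.242.0/24, dynamic branch LAN 192.168.252.0/24, a second static peer 198.51.100.7 with LAN 10.10.10.0/24, and trustpoints HQ_CA and BRANCH_CA that already hold each box's identity certificate and chain. 3DES/MD5/DH group 2 are used only because the Rome question says the remote end cannot be changed; they are legacy and should not be chosen for a new deployment.

```cisco
! ===== HQ ASA (static public IP 203.0.113.1), IKEv1 / ASA 8.4+ syntax =====
! Assumed: HQ LANs 192.168.240-242.0/24, dynamic branch LAN 192.168.252.0/24,
! a second, static-IP peer 198.51.100.7 with LAN 10.10.10.0/24,
! trustpoint HQ_CA holding this ASA's identity certificate and chain.
crypto ikev1 enable outside
! IP address as IKE identity for PSK peers, certificate DN for rsa-sig peers.
crypto isakmp identity auto
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 6
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
access-list L2L_STATIC extended permit ip 192.168.240.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list L2L_ROME extended permit ip 192.168.240.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list L2L_ROME extended permit ip 192.168.241.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list L2L_ROME extended permit ip 192.168.242.0 255.255.255.0 192.168.252.0 255.255.255.0
!
! Static entry first (low sequence number): the peer address is known.
crypto map outside_map 10 match address L2L_STATIC
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-MD5
!
! Dynamic crypto map: no "set peer". Entry 10 is the dynamic-IP site, with its
! proxy IDs pinned by match address and PFS group 2 as the remote requires.
! Entry 20 catches remote-access clients and injects their routes.
crypto dynamic-map DYN 10 match address L2L_ROME
crypto dynamic-map DYN 10 set pfs group2
crypto dynamic-map DYN 10 set ikev1 transform-set ESP-3DES-MD5
crypto dynamic-map DYN 10 set security-association lifetime seconds 28800
crypto dynamic-map DYN 20 set ikev1 transform-set ESP-3DES-MD5
crypto dynamic-map DYN 20 set reverse-route
!
! The dynamic map hangs off the highest sequence number so it is tried last,
! and exactly one crypto map is bound to the interface.
crypto map outside_map 65535 ipsec-isakmp dynamic DYN
crypto map outside_map interface outside
!
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key StaticPeerKey
! A main-mode L2L peer whose address matches no tunnel-group falls back to
! DefaultL2LGroup: one PSK shared by all dynamic sites, or a trustpoint for
! certificate (rsa-sig) peers.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key XXXXX
 ikev1 trust-point HQ_CA

! ===== Branch ASA (dynamic public IP): an ordinary static crypto map =====
! Same ikev1 policies and transform-set as HQ; trustpoint BRANCH_CA holds
! its identity certificate.
access-list L2L_HQ extended permit ip 192.168.252.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list L2L_HQ extended permit ip 192.168.252.0 255.255.255.0 192.168.241.0 255.255.255.0
access-list L2L_HQ extended permit ip 192.168.252.0 255.255.255.0 192.168.242.0 255.255.255.0
crypto map outside_map 10 match address L2L_HQ
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key XXXXX
 ikev1 trust-point BRANCH_CA
! Only the branch can initiate. Ping an HQ host from 192.168.252.0/24, then:
!   show crypto ikev1 sa              (expect MM_ACTIVE)
!   show crypto ipsec sa peer 203.0.113.1
```

    The two IKEv1 policies have identical proposals apart from the authentication method, so a peer that presents a certificate lands on policy 6 and a PSK peer on policy 5; a DH group mismatch between the rsa-sig policies on the two ends, which the reply above suspects, shows up as a phase 1 failure in "debug crypto ikev1 127" before any certificate is checked. With a shared DefaultL2LGroup PSK, every dynamic site authenticates with the same secret; certificates, or aggressive mode with a per-site tunnel-group name, are the way to give each dynamic site its own credential.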

  • IPSEC VPN with Dynamics to dynamic IP

    Hello

    I have tried IPsec VPN with dynamic IP to dynamic IP (router to router) for some time, but still cannot get the tunnel to auto-establish.

    Can someone please tell me if it is possible to do?

    If so, please share with me the secret to making it work.

    Thank you!

    Best regards

    Rather than the crypto map, I would use the crypto profile. Then you establish an IPsec tunnel. The beauty of the profile is that you can run routing protocols through it, and you do not have to constantly change the maps whenever you change the network topology. The "* * * * *" in the timer event is "minute hour day week month", so "* * * * *" is updated every minute. The tunnel destination stores an IP address, not a hostname, but when you set it you can put in a hostname and it converts it to an IP address at the moment you configure it.

    So, if you type:

    config t

    interface tunnel100
     tunnel destination remote.dyndns.com

    exit

    show run int tunnel100

    it shows:

    interface Tunnel100
     tunnel destination 75.67.43.79

    That's why the event handler goes and sets the tunnel destination every minute to whatever the DDNS says the new IP address is.

    I have seen that two of your routers are running DDNS. They will need to do this.

    Local router:

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
    !
    !
    crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile CRYPTOPROFILE
     set transform-set ESP-AES-SHA
    !
    interface Tunnel100
     description remote.dyndns.org
     ip address 10.254.220.10 255.255.255.252
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     tunnel source Dialer0
     tunnel destination 75.67.43.79
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CRYPTOPROFILE

    ip route 192.168.2.0 255.255.255.0 10.254.220.9

    event manager applet change-tunnel-dest
     event timer cron name CHRON cron-entry "* * * * *"
     action 1.0 cli command "enable"
     action 1.1 cli command "configure terminal"
     action 1.2 cli command "interface tunnel100"
     action 1.3 cli command "tunnel destination remote.dyndns.org"
    !

    --------

    Remote router:

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
    !
    !
    crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile CRYPTOPROFILE
     set transform-set ESP-AES-SHA
    !
    interface Tunnel100
     description local.dyndns.org
     ip address 10.254.220.9 255.255.255.252
     ip virtual-reassembly
     ip tcp adjust-mss 1400
     tunnel source Dialer0
     tunnel destination 93.219.58.191
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CRYPTOPROFILE

    ip route 192.168.1.0 255.255.255.0 10.254.220.10

    event manager applet change-tunnel-dest
     event timer cron name CHRON cron-entry "* * * * *"
     action 1.0 cli command "enable"
     action 1.1 cli command "configure terminal"
     action 1.2 cli command "interface tunnel100"
     action 1.3 cli command "tunnel destination local.dyndns.org"

    Thank you

    Bert
