Config example: Static to dynamic IPSec

(Topology here)

OK. So we have established a static VPN tunnel between two routers. But what if r1 has a dynamic or unknown peer IP? Let's change the previous configuration to reflect this:

The config on r1 will be the same. The changes will be done on r3. First, remove what we don't need anymore:

r3(config)#no crypto map CMAP 10
r3(config)#no crypto isakmp key cisco address 10.10.11.1

Next, let's compensate for that. Since we cannot use a standard crypto map entry, we need to create a dynamic one instead. Into that we tie the proxy ACL (acl_vpn) as well as the transform-set. What's the difference? Well, it doesn't have any set peer statement…

r3(config)#crypto dynamic-map DYNMAP 10
r3(config-crypto-map)#set transform-set TSET
r3(config-crypto-map)#match address acl_vpn

Also, we must have a pre-shared key. But we don't know which host IP to tie it to, so it must be a wildcard key. Note that a wildcard key is accepted from any peer address, so the key itself is the only thing identifying the remote router.

r3(config)#crypto isakmp key cisco address 0.0.0.0

We still need a crypto map into which we tie the dynmap. Let's give it the highest sequence number available, since we might add more tunnels in the future, and this "wildcard"-like dynmap needs to be the last resort so that it doesn't match traffic meant for the other tunnels…

r3(config)#crypto map CMAP 65535 ipsec-isakmp dynamic DYNMAP

One thing left. Remember the reverse-route in the crypto map of our previous config? Can we put it into the dynmap instead?

r3(config)#crypto dynamic-map DYNMAP 10
r3(config-crypto-map)#reverse-route static
%Static keyword not applicable to dynamic maps, re-enter cmd
r3(config-crypto-map)#

Darn! Then we have to use a static route to point toward the remote network:

r3(config)#ip route 192.168.1.50 255.255.255.255 10.10.30.1

Now the tunnel comes up! But only if we initiate it from 192.168.1.50. It cannot be initiated from 10.3.3.3, since r3 doesn't have a clue how to contact r1. However, as long as the tunnel is up, traffic can be generated from both ends.

Here are the relevant parts of configurations:

r1

ip access-list extended acl_vpn
permit ip host 192.168.1.50 host 10.3.3.3
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 10.10.30.3
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 10.10.30.3
set transform-set TSET
match address acl_vpn
reverse-route static
!
interface FastEthernet0.11
ip address 10.10.11.1 255.255.255.0
crypto map CMAP

r3

ip access-list extended acl_vpn
permit ip host 10.3.3.3 host 192.168.1.50
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set TSET
match address acl_vpn
crypto map CMAP 65535 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet0.30
ip address 10.10.30.3 255.255.255.0
crypto map CMAP
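
Added example (not from the post): a small Python check that reads the r3 configuration above as plain text and verifies the two things the post relies on, that every dynamic crypto map entry has a higher sequence number than the static entries (so static tunnels match first), and which pre-shared keys are wildcard keys accepted from any peer. The config text and the misordered variant are constructed here from the listing above; the regexes assume IOS running-config syntax.

```python
import re

# Constructed sample: the relevant r3 lines from the post, as IOS running-config text.
R3_CONFIG = """\
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set TSET
 match address acl_vpn
crypto map CMAP 65535 ipsec-isakmp dynamic DYNMAP
"""

# Constructed counter-example: the dynamic entry sits below a static one,
# so the "wildcard" entry would be evaluated before the static tunnel.
MISORDERED_CONFIG = """\
crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map CMAP 20 ipsec-isakmp
 set peer 10.10.11.1
 match address acl_vpn
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
PSK_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)(?: (\S+))?$")

def crypto_map_entries(config):
    """Return {map_name: [(seq, dynamic_map_or_None), ...]} from an IOS config."""
    maps = {}
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if m:
            name, seq, dyn = m.group(1), int(m.group(2)), m.group(3)
            maps.setdefault(name, []).append((seq, dyn))
    return maps

def wildcard_psk_peers(config):
    """Return (address, mask) of each pre-shared key that matches any peer (0.0.0.0)."""
    found = []
    for line in config.splitlines():
        m = PSK_RE.match(line.strip())
        if m and m.group(2) == "0.0.0.0":
            found.append((m.group(2), m.group(3) or "0.0.0.0"))
    return found

def dynamic_entries_last(config):
    """True if, in every crypto map, all dynamic entries have a higher
    sequence number than every static entry, so static tunnels match first."""
    for entries in crypto_map_entries(config).values():
        static_seqs = [s for s, d in entries if d is None]
        dynamic_seqs = [s for s, d in entries if d is not None]
        if static_seqs and dynamic_seqs and min(dynamic_seqs) <= max(static_seqs):
            return False
    return True
```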

(and the full configs for r1 and r3)

Posted in Cisco Security
