[c-nsp] dynamic crypto maps and multiple endpoints?

Gert Doering gert at greenie.muc.de
Thu Apr 21 17:23:05 EDT 2005


Hi,

I've today inherited an "interesting" problem in a customer VPN, and
before I go wrecking their setup tomorrow, I'd like to collect some
wisdom.

The problem part of the setup can be reduced to:

  - IPSEC VPN
  - hub-and-spoke
  - two spoke routers with dynamic IP addresses

if I look at

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

the setup for a single "dynamic IP" spoke router is fairly trivial.

What I'm wondering now is: how do I configure this for two spoke
routers?  Will this work (based on the example above):


crypto isakmp policy 1
  hash md5
  authentication pre-share

! this is the key for the first spoke router
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
! this is the key for the second spoke router
crypto isakmp key OtherCisco address 0.0.0.0 0.0.0.0

crypto ipsec transform-set rtpset esp-des esp-md5-hmac

! this is for the first spoke (ACL 115 defines acceptable SA proxy values)
crypto dynamic-map rtpmap 10
  set transform-set rtpset
  match address 115

! this is for the second spoke (ACL 116 defines SA proxies)
crypto dynamic-map rtpmap 20
  set transform-set rtpset
  match address 116

!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap

will that work? 

How does the router match incoming IKE requests to isakmp keys?  Will
it just try decrypting the IKE packets with both pre-shared keys, until
it gets a match?

How will it match the crypto map ACLs?  Just walk through the 
"dynamic map rtpmap" until it finds one where the ACL matches the
SA proxy in the phase 2 proposal?

thanks...

gert

PS: I've already told the customer that the most reasonable way to get 
this fixed is to get a static IP on the spoke sites.  But they are willing 
to pay serious money to fix the mess, instead of paying a little bit of 
money to get a static IP, and not cause a mess...
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

