[c-nsp] dynamic crypto maps and multiple endpoints?

Michael Markstaller mm at elabnet.de
Fri Apr 22 04:08:19 EDT 2005


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> 
> Hi,
> 
> I've today inherited an "interesting" problem in a customer VPN, and
> before I go wrecking their setup tomorrow, I'd like to collect some
> wisdom.
> 
> The problem part of the setup can be reduced to:
> 
>   - IPSEC VPN
>   - hub-and-spoke
>   - two spoke routers with dynamic IP addresses
> 
> if I look at
> 
> http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
> 
> the setup for a single "dynamic IP" spoke router is fairly trivial.
> 
> What I'm wondering now is: how do I configure this for two spoke
> routers?  Will this work (based on the example above):
> 
...
> will that work? 
No, IMHO there's no way to put two PSKs with 0.0.0.0 in; it also wouldn't make much sense to have separate PSKs for the peers, as anything with preshared keys is highly insecure anyway.
A better way would be to use certificates; we have quite a few classic crypto-map VPNs with dynamic peers and certificates running fine.

> How does the router match incoming IKE requests to isakmp keys?  Will
> it just try decrypting the IKE packets with both pre-shared keys, until
> it gets a match?
No

> How will it match the crypto map ACLs?  Just walk through the
> "dynamic map rtpmap" until it finds one where the ACL matches the
> SA proxy in the phase 2 proposal?

Yes, this works fine as long as IKE comes up and you have no duplicate address pairs in the crypto ACLs.
Use "ntp server <remote inside ip> source <local-inside-ip>" to pull the VPN up permanently.

Michael

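Added example (not from the original thread, and not Cisco's sample configuration): a hub-side IOS configuration sketch for the setup Gert describes, showing the single wildcard pre-shared key beside the certificate-based alternative Michael recommends, and two dynamic-map entries whose crypto ACLs cover distinct address pairs so the hub can match each spoke's phase 2 proxy identities. Hostnames, addresses, ACL names, the trustpoint name and the CA URL are constructed placeholders; the command syntax is typical of IOS 12.3T, and the options actually available depend on the image.

```cisco
! ===== Weak variant: one wildcard PSK shared by every dynamic peer =====
! A single "address 0.0.0.0 0.0.0.0" key cannot distinguish the two spokes,
! and any host that learns the secret can negotiate IKE with the hub.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0 0.0.0.0

! ===== Preferred variant: certificate (RSA signature) authentication =====
! Each spoke enrolls with the same CA (constructed URL); the hub validates
! the spoke certificate against the trustpoint and checks the CRL, so a
! compromised or retired spoke can be revoked without touching the hub.
crypto pki trustpoint HUB-CA
 enrollment url http://ca.example.net:80
 revocation-check crl
crypto isakmp identity dn
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
! Dead peer detection so stale SAs from a spoke whose dynamic address
! changed are torn down instead of lingering.
crypto isakmp keepalive 10 3

! ===== Phase 2: one dynamic-map entry per spoke =====
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac

! Hub LAN is 10.0.0.0/24 (constructed); spoke LANs are 10.1.0.0/24 and
! 10.2.0.0/24. The two ACLs must not overlap, otherwise the hub could bind
! spoke 2's proposal to entry 10 and traffic for spoke 2 would never flow.
ip access-list extended TO-SPOKE1
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended TO-SPOKE2
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255

crypto dynamic-map DYN-SPOKES 10
 set transform-set TS-AES-SHA
 match address TO-SPOKE1
crypto dynamic-map DYN-SPOKES 20
 set transform-set TS-AES-SHA
 match address TO-SPOKE2

! The dynamic map is referenced from a static map with a high sequence
! number; static entries for fixed-address peers would go in front of it.
crypto map VPN-HUB 100 ipsec-isakmp dynamic DYN-SPOKES

interface FastEthernet0/0
 description outside (constructed)
 crypto map VPN-HUB
```

Keep only one of the two phase 1 blocks on a real box; they are shown together for contrast. Because the spokes have dynamic addresses, only they can initiate IKE, so the spoke side is where a steady source of interesting traffic (such as the "ntp server ... source ..." trick above) belongs; the hub simply waits for the inbound proposal and walks the dynamic-map entries until one crypto ACL matches the proxy identities.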