[c-nsp] dynamic crypto maps and multiple endpoints?
Sebastian
piestaga at aster.pl
Fri Apr 22 16:19:03 EDT 2005
Hi Gert,
Did you try that way:
! one keyring per spoke; the wildcard address stands in for the spoke's dynamic IP
crypto keyring SITE_1
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto keyring SITE_2
 pre-shared-key address 0.0.0.0 0.0.0.0 key OtherCisco
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
! each profile binds a keyring to the identity the peer presents; note that
! both match-identity lines below are identical, so the router can only pick
! the first profile unless the two spokes present different identities
crypto isakmp profile SITE_1-profile
 keyring SITE_1
 match identity address 0.0.0.0 0.0.0.0
!
crypto isakmp profile SITE_2-profile
 keyring SITE_2
 match identity address 0.0.0.0 0.0.0.0
!
crypto dynamic-map SITE_1-map 10
 set transform-set rtpset
 set isakmp-profile SITE_1-profile
 reverse-route
!
crypto dynamic-map SITE_2-map 10
 set transform-set rtpset
 set isakmp-profile SITE_2-profile
 reverse-route
!
! the static crypto map must reference the dynamic maps defined above
crypto map rtptrans 10 ipsec-isakmp dynamic SITE_1-map
crypto map rtptrans 20 ipsec-isakmp dynamic SITE_2-map
As I created it on the fly, it is possible I made a mistake, but
basically it is the way it works in my lab.
There are no ACLs here because I do not need them; if you do, please
apply them according to your needs.
Hope this helps
Sebastian
> Hi,
> I've today inherited an "interesting" problem in a customer VPN, and
> before I go wrecking their setup tomorrow, I'd like to collect some
> wisdom.
> The problem part of the setup can be reduced to:
> - IPSEC VPN
> - hub-and-spoke
> - two spoke routers with dynamic IP addresses
> If I look at
> http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
> the setup for a single "dynamic IP" spoke router is fairly trivial.
> What I'm wondering now is: how do I configure this for two spoke
> routers? Will this work (based on the example above):
> crypto isakmp policy 1
>  hash md5
>  authentication pre-share
> ! this is the key for the first spoke router
> crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
> ! this is the key for the second spoke router
> crypto isakmp key OtherCisco address 0.0.0.0 0.0.0.0
> crypto ipsec transform-set rtpset esp-des esp-md5-hmac
> ! this is for the first spoke (ACL 115 defines acceptable SA proxy values)
> crypto dynamic-map rtpmap 10
>  set transform-set rtpset
>  match address 115
> ! this is for the second spoke (ACL 116 defines SA proxies)
> crypto dynamic-map rtpmap 20
>  set transform-set rtpset
>  match address 116
> !
> crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
> will that work?
> How does the router match incoming IKE requests to isakmp keys? Will
> it just try decrypting the IKE packets with both pre-shared keys, until
> it gets a match?
> How will it match the crypto map ACLs? Just walk through the
> "dynamic map rtpmap" until it finds one where the ACL matches the
> SA proxy in the phase 2 proposal?
> thanks...
> gert
> PS: I've already told the customer that the most reasonable way to get
> this fixed is to get a static IP on the spoke sites. But they are willing
> to pay serious money to fix the mess, instead of paying a little bit of
> money to get a static IP, and not cause a mess...
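The two configs in this thread share the same failure modes: a crypto map that names a dynamic-map which was never defined, several wildcard pre-shared keys that the hub cannot tell apart by peer address, and ISAKMP profiles whose match criteria are identical so only the first can ever be selected. Below is an added example, not code from either poster or from Cisco, of a small lint script that parses the `crypto` sections of an IOS running-config and reports those three conditions. The sample config is constructed from the reply above (with the keyring syntax corrected and the original `dynamic rtpmap` slip kept so the check fires); the parsing rules assume IOS's one-space indentation for sub-commands and `!` as a block separator.

```python
"""Lint the 'crypto ...' blocks of an IOS config for the pitfalls discussed
in the thread. Added example; the checks and the sample config are assumptions
made for illustration, not a Cisco tool."""
import re
from collections import defaultdict

# Constructed sample: the reply's config, with the crypto map still pointing at
# a dynamic-map name that is not defined (the maps are SITE_1-map / SITE_2-map).
SAMPLE_CONFIG = """\
crypto keyring SITE_1
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto keyring SITE_2
 pre-shared-key address 0.0.0.0 0.0.0.0 key OtherCisco
!
crypto isakmp profile SITE_1-profile
 keyring SITE_1
 match identity address 0.0.0.0 0.0.0.0
!
crypto isakmp profile SITE_2-profile
 keyring SITE_2
 match identity address 0.0.0.0 0.0.0.0
!
crypto dynamic-map SITE_1-map 10
 set transform-set rtpset
 set isakmp-profile SITE_1-profile
!
crypto dynamic-map SITE_2-map 10
 set transform-set rtpset
 set isakmp-profile SITE_2-profile
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
"""


def parse_sections(text):
    """Split IOS config into (header, [sub-commands]) blocks.

    A block starts at a non-indented line and collects the indented lines
    that follow it; a '!' line or a blank line ends the block.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
            continue
        current = (line.strip(), [])
        blocks.append(current)
    return blocks


def lint_crypto_config(text):
    """Return a list of human-readable findings for the given config text."""
    findings = []
    blocks = parse_sections(text)
    dynamic_maps = set()
    wildcard_keys = []                     # keyrings / global keys with 0.0.0.0 0.0.0.0
    profile_matches = defaultdict(list)    # match-identity criteria -> profile names

    for header, subs in blocks:
        m = re.match(r"crypto dynamic-map (\S+) \d+$", header)
        if m:
            dynamic_maps.add(m.group(1))
            continue
        m = re.match(r"crypto keyring (\S+)$", header)
        if m:
            if any(re.match(r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ", s) for s in subs):
                wildcard_keys.append("keyring " + m.group(1))
            continue
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$", header):
            wildcard_keys.append("global: " + header)
            continue
        m = re.match(r"crypto isakmp profile (\S+)$", header)
        if m:
            criteria = tuple(sorted(s for s in subs if s.startswith("match identity")))
            profile_matches[criteria].append(m.group(1))

    # 1. every 'crypto map ... dynamic NAME' must reference a defined dynamic-map
    for header, _ in blocks:
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", header)
        if m and m.group(2) not in dynamic_maps:
            findings.append(f"crypto map {m.group(1)} references undefined dynamic-map {m.group(2)}")

    # 2. two wildcard pre-shared keys cannot be distinguished by peer address
    if len(wildcard_keys) > 1:
        findings.append("multiple wildcard pre-shared keys, not distinguishable by peer address: "
                        + ", ".join(wildcard_keys))

    # 3. profiles with identical 'match identity' lines shadow each other
    for criteria, names in profile_matches.items():
        if len(names) > 1:
            findings.append("isakmp profiles with identical match identity ("
                            + "; ".join(criteria) + "): " + ", ".join(names))
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against the sample it reports all three conditions; replacing the `dynamic rtpmap` reference with the defined map names clears the first finding, while the other two remain until the spokes are given distinguishable identities (for example by matching on a hostname/FQDN identity rather than a wildcard address) or static addresses.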