cflcrosland
IS-IT--Management
- Apr 3, 2012
- 35
The Problem
Hi,
I am trying to create a site-to-site VPN using dynamic VTI interfaces.
I have followed the guides here
The reason I want to use a dynamic VTI on the router "MAIN-SITE" is because router "REMOTE" has a dynamic WAN IP that changes daily.
I have managed to configure and set up a site-to-site connection using static VTIs on both ends, and my config is below.
When I create the dynamic tunnel, the connection comes up between the sites but I cannot pass any traffic. I think it is as simple as a routing issue; for testing purposes I only want static routes (no routing protocols).
Can someone help me adapt the working static VTI configs below to enable dynamic VTIs? I think the bulk of the changes need to be made on the router "MAIN-SITE".
Main Site Config
MAIN-SITE#sh run
Building configuration...
Current configuration : 1379 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MAIN-SITE
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxx
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 8.8.4.4
ip name-server 8.8.8.8
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
!
!
!
interface Tunnel0
ip address 192.168.10.1 255.255.255.0
tunnel source 92.237.119.115
tunnel destination 92.22.178.247
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface Ethernet0/0
ip address 92.237.119.115 255.255.255.248
ip mtu 1460
half-duplex
!
interface FastEthernet0/0
ip address 192.168.75.1 255.255.255.0
speed auto
!
interface Serial1/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 92.237.119.113
ip route 10.0.0.0 255.0.0.0 192.168.10.2
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
password XXXXXX
login
transport input telnet
line vty 5 15
exec-timeout 30 0
password XXXXX
login
transport input telnet
!
end
Remote Site Config
REMOTE#sh run
Building configuration...
Current configuration : 1843 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname REMOTE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.2
!
ip dhcp pool KILN
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
dns-server 8.8.4.4
!
!
ip name-server 8.8.4.4
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
!
!
interface Tunnel0
ip address 192.168.10.2 255.255.255.0
tunnel source Dialer1
tunnel destination 92.237.119.115
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface Ethernet0/0
no ip address
half-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
speed 100
full-duplex
!
interface Serial1/0
no ip address
shutdown
!
interface Dialer1
ip address negotiated previous
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXX
ppp chap password 0 XXXXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.75.0 255.255.255.0 192.168.10.1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
end
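The hub-side change the post asks about, as an added worked example that is not part of the original post or its replies: MAIN-SITE's static Tunnel0 is replaced by an ISAKMP profile plus a virtual-template, and REMOTE keeps its static VTI unchanged because MAIN-SITE's WAN address is fixed. The keyring, profile and interface names (DVTI-KEYRING, DVTI-PROFILE, Virtual-Template1, Loopback0) and the EIGRP autonomous-system number 10 are assumptions; the crypto suite is kept identical to the posted config. One point the example departs from the post on: the Virtual-Access interface that IOS clones for REMOTE is unnumbered and only exists while the tunnel is up, so a static route with next hop 192.168.10.2 has no interface to resolve through, which matches the "tunnel up, no traffic" symptom; the example therefore learns REMOTE's LAN prefix over the tunnel with EIGRP instead of a static route.

```cisco
! MAIN-SITE (hub): dynamic VTI in place of the static Tunnel0.
! Phase 1 policy unchanged from the posted config.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
! The global wildcard key is removed and moved into a keyring that the
! ISAKMP profile references; leaving both in place makes key selection ambiguous.
no crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
crypto keyring DVTI-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxx
!
! Any peer address matches (REMOTE's WAN IP changes daily), so the pre-shared
! key is the only thing gating who can bring up a tunnel and get a routed
! Virtual-Access interface: keep it long and random.
crypto isakmp profile DVTI-PROFILE
 keyring DVTI-KEYRING
 match identity address 0.0.0.0
 virtual-template 1
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
 set isakmp-profile DVTI-PROFILE
!
! A virtual-template carries no address of its own; each cloned
! Virtual-Access borrows Loopback0's, so Loopback0 takes Tunnel0's old address.
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
no interface Tunnel0
! The static route via 192.168.10.2 cannot resolve through an unnumbered,
! on-demand Virtual-Access interface, so it is removed and the prefix is
! learned over the tunnel instead (EIGRP chosen here; an assumption).
no ip route 10.0.0.0 255.0.0.0 192.168.10.2
router eigrp 10
 network 192.168.10.0 0.0.0.255
 network 192.168.75.0 0.0.0.255
 no auto-summary
!
! Checks once REMOTE connects:
! show crypto session detail      (peer address and the cloned Virtual-AccessN)
! show ip eigrp neighbors         (adjacency over Virtual-AccessN)
! show ip route eigrp             (10.0.0.0/8 via 192.168.10.2)

! REMOTE (spoke): Tunnel0, Dialer1 and the crypto config stay exactly as posted;
! only the static route towards MAIN-SITE's LAN is swapped for EIGRP.
no ip route 192.168.75.0 255.255.255.0 192.168.10.1
router eigrp 10
 network 192.168.10.0 0.0.0.255
 network 10.0.0.0
 no auto-summary
```

Two caveats a practitioner would add. First, `match identity address 0.0.0.0` with a wildcard pre-shared key means any Internet host holding the key can establish a tunnel and receive a routed interface on the hub; if more spokes are ever added, give each its own keyring entry rather than sharing one key. Second, 3DES, SHA-1 and DH group 2 are kept only to match the 2012 configs in the post; on any IOS image that supports it, AES, SHA-2 and DH group 14 or stronger should replace them on both routers.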