Goal:
Establish a LAN-to-LAN (L2L) IPsec tunnel between two IOS routers that both have dynamic IP addresses. Each router is registered with a dynamic DNS service (DynDNS, No-IP or similar), so each side can only reach the other by hostname.
Problem:
IOS does not perform name resolution when it is the IKE responder, so a static crypto map entry that names its peer by hostname cannot be matched against an incoming negotiation from a peer whose address has changed. Documented here:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsc92917
Usual resolution:
Use the "dynamic" keyword with "set peer <hostname>" on one peer and a dynamic crypto map on the other.
The result is that only one peer (the one with the static entry) is able to initiate the tunnel.
A solution when both peers need to be able to initiate:
This requires both a static and a dynamic crypto map entry on each router, with the dynamic entry first (lower sequence number, to handle responding) and the static entry later (to handle initiating).
Configuration in a nutshell:
R1:
 crypto dynamic-map DynamicMAP 10
  set transform-set TRANSFORM
 crypto map StaticMAP 100 ipsec-isakmp dynamic DynamicMAP
 crypto map StaticMAP 110 ipsec-isakmp
  set peer R2.provider.tld dynamic
  set transform-set TRANSFORM
  match address 150
R2:
 crypto dynamic-map DynamicMAP 10
  set transform-set TRANSFORM
 crypto map StaticMAP 100 ipsec-isakmp dynamic DynamicMAP
 crypto map StaticMAP 110 ipsec-isakmp
  set peer R1.provider.tld dynamic
  set transform-set TRANSFORM
  match address 150
Please note:
Note 1: DNS resolution must be enabled on both routers (ip domain-lookup and a reachable ip name-server); otherwise the "dynamic" peer hostname can never be resolved when a router initiates.
Note 2: Remote access IPsec VPN clients terminating on the same dynamic crypto map should also work.
Note 3: In theory an isakmp key and identity of type hostname should work as well, but this has only been tested with "crypto isakmp identity address" and a wildcard isakmp key.
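The full R1 configuration implied by the snippet and the three notes above, as an added example; it is not taken from the original post. The hostname, LAN prefixes, name server address, interface name, ACL number and pre-shared key are constructed placeholders, and the phase 1/phase 2 algorithms assume an IOS 15.x image that supports AES-256, SHA-256 and DH group 14. R2 is the mirror image: swap the hostnames and the two LAN prefixes in access-list 150.

```cisco
! R1 - worked example (constructed placeholders, not the original post's config)
hostname R1
!
! Note 1: the router must be able to resolve R2.provider.tld when it initiates.
ip domain-lookup
ip name-server 192.0.2.53
!
! IKE phase 1. Identity is the IP address (Note 3), so authentication rests
! entirely on the pre-shared key; with a 0.0.0.0 wildcard ANY source that
! knows the key may negotiate. Use a long random key and rotate it.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp identity address
crypto isakmp key Examp1e-PSK-Replace-Me address 0.0.0.0 0.0.0.0
!
! Dead peer detection: when the far side's address changes, the stale SA is
! torn down and the next initiation re-resolves the hostname.
crypto isakmp keepalive 10 periodic
!
! IKE phase 2 transform set shared by the dynamic and static entries.
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: R1 LAN 10.1.0.0/24 <-> R2 LAN 10.2.0.0/24
! (R2 uses the mirror: permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255)
access-list 150 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Dynamic entry: no "set peer" and no "match address", so it only ever
! responds, accepting the peer's address and proposed traffic selectors.
crypto dynamic-map DynamicMAP 10
 set transform-set TRANSFORM
!
! Sequence 100 (dynamic, responder) precedes 110 (static, initiator).
crypto map StaticMAP 100 ipsec-isakmp dynamic DynamicMAP
!
! Static entry: the "dynamic" keyword on set peer makes IOS resolve the
! hostname at negotiation time instead of once at configuration time.
crypto map StaticMAP 110 ipsec-isakmp
 set peer R2.provider.tld dynamic
 set transform-set TRANSFORM
 match address 150
!
! Outside interface gets its address from the ISP; the crypto map sits here.
interface GigabitEthernet0/0
 description Internet uplink (dynamic address)
 ip address dhcp
 crypto map StaticMAP
!
! Verification once traffic matching ACL 150 has been sent from either side:
!   show crypto isakmp sa
!   show crypto ipsec sa
!   show crypto session
!   show crypto map
```

Two points a practitioner should keep in mind with this layout. First, because the dynamic entry carries no match address, the router accepts whatever proxy identities a peer proposes in phase 2, so the wildcard pre-shared key is the only thing standing between the Internet and your LAN; a per-peer key is not possible here because the peer addresses are unknown, which is exactly why Note 3 matters. Second, after a peer's address changes, the existing SA is not updated; it has to expire or be cleared (clear crypto session, or DPD as configured above) before the static entry re-resolves the hostname and re-establishes the tunnel.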