A VPN creates a private path from one site to another so that data can be transferred between them across an untrusted network. To establish a VPN tunnel, the IP address of each end must be known. There are three different cases for VPN setup.
- Static-to-Static: Each site has a statically assigned IP address. This is the common scenario and the easiest to configure.
- Static-to-Dynamic: One VPN end has a static IP address while the other end obtains its IP address dynamically, for example via DHCP. In this case we can use an FQDN with a dynamic crypto map, but the tunnel can only be brought up by the peer with the dynamic IP address, since the other peer does not know where to find it.
- Dynamic-to-Dynamic: This is what this article covers. Each site has a dynamically assigned IP address, and an FQDN is used at both ends.
The Requirements
As mentioned earlier, in every case the VPN uses only IP addresses to establish the tunnel. Because we are focusing on dynamic-to-dynamic VPN establishment, the requirements are as follows.
- Dynamic DNS (DDNS): Why? It ensures that your services are always reachable under the same domain name even when your IP address changes. DDNS automatically updates the DNS record with your dynamic IP address every time it changes. www.noip.com is one of the DDNS providers that allows registration and creation of Fully Qualified Domain Names (FQDN) which can be mapped to home or branch-office Internet connections at no cost.
- IPSec VPN: I tested it using a tunnel interface configuration and it did not work. After I configured an FQDN under the tunnel interface, IOS resolved it to an IP address and kept that address in the configuration even when the remote end's IP changed. So I decided to use an ACL matched in a crypto map configuration instead.
Network Topology

Network Configuration
Router-A
- DDNS Configuration
configure terminal
ip dns server
ip name-server 8.8.8.8
!
ip ddns update method no-ip
 HTTP
  add http://NoIPUsername:NoIPPassword@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!
interface FastEthernet0/0
 ip ddns update hostname router-a.ddns.net
 ip ddns update no-ip
!
Note: In order to enter a question mark (?) in the command, press Ctrl+Shift+V and then type ?. (NoIPUsername and NoIPPassword are placeholders for your No-IP account credentials.)
- IPSec Configuration
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
ip access-list extended CRYPTO-ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
!
crypto map MYMAP 10 ipsec-isakmp
 match address CRYPTO-ACL
 set peer router-b.ddns.net dynamic
 set transform-set MYSET
!
crypto map MYMAP 65535 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet0/0
 ip address dhcp
 crypto map MYMAP
Router-B
- DDNS Configuration
configure terminal
ip dns server
ip name-server 8.8.8.8
!
ip ddns update method no-ip
 HTTP
  add http://NoIPUsername:NoIPPassword@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!
interface FastEthernet0/0
 ip ddns update hostname router-b.ddns.net
 ip ddns update no-ip
!
- IPSec Configuration
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
ip access-list extended CRYPTO-ACL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
!
crypto map MYMAP 10 ipsec-isakmp
 match address CRYPTO-ACL
 set peer router-a.ddns.net dynamic
 set transform-set MYSET
!
crypto map MYMAP 65535 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet0/0
 ip address dhcp
 crypto map MYMAP
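The two ends above only come up if Router-A's peer name is the hostname Router-B registers with DDNS (and vice versa) and if each crypto ACL is the exact mirror of the other. As an added example, not part of the article's configuration, the Python check below parses those three items out of each router's config and reports any end that points at the wrong name or any permit that has no reversed counterpart. The config excerpts are constructed from the article's placeholder hostnames and subnets.

```python
import ipaddress
import re

# Constructed excerpts of the article's two configs (placeholder names/subnets), cut to
# the lines the check needs: DDNS hostname registered, dynamic peer, and crypto ACL.
ROUTER_A = """
ip ddns update hostname router-a.ddns.net
ip access-list extended CRYPTO-ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer router-b.ddns.net dynamic
"""
ROUTER_B = """
ip ddns update hostname router-b.ddns.net
ip access-list extended CRYPTO-ACL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer router-a.ddns.net dynamic
"""

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (wildcard = inverted netmask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    # A non-contiguous wildcard has no CIDR form, so ip_network() raises ValueError for it.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_router(cfg):
    """Return (registered DDNS hostname, configured dynamic peer, set of (src, dst) flows)."""
    hostname = re.search(r"ip ddns update hostname (\S+)", cfg)
    peer = re.search(r"set peer (\S+) dynamic", cfg)
    flows = {(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
             for s, sw, d, dw in re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)}
    return (hostname and hostname.group(1), peer and peer.group(1), flows)

def check_pair(cfg_a, cfg_b):
    """List the mismatches between the two ends; an empty list means they agree."""
    host_a, peer_a, flows_a = parse_router(cfg_a)
    host_b, peer_b, flows_b = parse_router(cfg_b)
    problems = []
    if peer_a != host_b:
        problems.append(f"A peers with {peer_a} but B registers {host_b}")
    if peer_b != host_a:
        problems.append(f"B peers with {peer_b} but A registers {host_a}")
    # Every permit on A must exist on B with source and destination swapped.
    mirrored_b = {(d, s) for s, d in flows_b}
    for s, d in flows_a - mirrored_b:
        problems.append(f"A protects {s} -> {d} but B has no reverse permit for it")
    for s, d in mirrored_b - flows_a:
        problems.append(f"B protects {d} -> {s} but A has no reverse permit for it")
    return problems
```

Run check_pair on the full running-configs of both routers; any non-empty result explains a tunnel that never reaches QM_IDLE before you start debugging ISAKMP.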
Verification
To check whether DDNS is sending updates successfully, use debug ip ddns update.
Router-A# debug ip ddns update
*Jan 17 08:07:00.421: DYNDNSUPD: Adding DNS mapping for router-a.ddns.net <=> 123.1.1.1
*Jan 17 08:07:00.421: HTTPDNS: Update add called for router-a.ddns.net <=>123.1.1.1
*Jan 17 08:07:00.421: HTTPDNSUPD: Session ID = 0x11
*Jan 17 08:07:00.421: HTTPDNSUPD: URL ='http://username:password@dynupdate.no-ip.com/nic/update?hostname=router-a.ddns.net&myip=123.1.1.1'
*Jan 17 08:07:00.421: HTTPDNSUPD: Sending request
*Jan 17 08:07:07.329: HTTPDNSUPD: Response for update router-a.ddns.net <=>123.1.1.1
*Jan 17 08:07:07.329: HTTPDNSUPD: DATA START
nochg 123.1.1.1
*Jan 17 08:07:07.329: HTTPDNSUPD: DATA END, Status is Response data recieved, successfully
*Jan 17 08:07:07.329: HTTPDNSUPD: Call returned SUCCESS, update of router-a.ddns.net <=> 123.1.1.1 succeeded
*Jan 17 08:07:07.329: DYNDNSUPD: Another update completed (outstanding=0, total=0)
*Jan 17 08:07:07.329: HTTPDNSUPD: Clearing all session 17 info
Router-A# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
123.1.1.2       123.1.1.1       QM_IDLE           2019 ACTIVE

IPv6 Crypto ISAKMP SA

Router-A# show crypto ipsec sa | in pkts
    #pkts encaps: 4973, #pkts encrypt: 4973, #pkts digest: 4973
    #pkts decaps: 4890, #pkts decrypt: 4890, #pkts verify: 4890
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
root@R1-LAN> ping 192.168.20.254
PING 192.168.20.254 (192.168.20.254): 56 data bytes
64 bytes from 192.168.20.254: icmp_seq=27 ttl=62 time=7.017 ms
64 bytes from 192.168.20.254: icmp_seq=28 ttl=62 time=6.463 ms
64 bytes from 192.168.20.254: icmp_seq=29 ttl=62 time=6.125 ms
64 bytes from 192.168.20.254: icmp_seq=30 ttl=62 time=6.528 ms
64 bytes from 192.168.20.254: icmp_seq=31 ttl=62 time=6.624 ms
64 bytes from 192.168.20.254: icmp_seq=32 ttl=62 time=6.748 ms
64 bytes from 192.168.20.254: icmp_seq=33 ttl=62 time=6.242 ms
^C
--- 192.168.20.254 ping statistics ---
34 packets transmitted, 34 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.125/6.535/7.017/0.279 ms

root@R1-LAN> traceroute 192.168.20.254
traceroute to 192.168.20.254 (192.168.20.254), 30 hops max, 40 byte packets
 1  192.168.10.1 (192.168.10.1)  3.804 ms  3.385 ms  2.307 ms
 2  * * *
 3  * * *
 4  * 192.168.20.254 (192.168.20.254)  8.239 ms  16.354 ms
That's it! Like and share to spread the word, and let us know your thoughts in the comments below.