Using the company's Internet access line to build a VPN tunnel between headquarters and branch offices is currently a popular solution for many companies. In the past, building such a VPN required at least one end to use a static IP address. Today many companies use ADSL to access the Internet, and asking China Telecom for a static address greatly increases the cost (for example, the monthly rent of an ADSL line with a fixed IP address in Shenzhen is RMB 5000). Cisco IOS 12.3(4)T now adds a command that creates a VPN peer based on a DNS name; with the help of dynamic DNS services such as xiwang (3322.org) and 88ip, both ends of the VPN can use dynamic addresses, which saves a lot of money.
Key command:
set peer {host-name [dynamic] | ip-address}
Notes:
host-name specifies the DNS host name of the IPsec peer, for example myhost.example.com.
dynamic (optional) specifies that the IPsec peer's host name is resolved to an IP address only when an IPsec tunnel needs to be established, so the peer may have a dynamic address.
ip-address is the IP address of the IPsec peer (the traditional configuration method).
In the actual environment, one machine on the LAN runs a dynamic DNS client program that registers the host name nbo.3322.org with the service; the registered address is the address of the router's Internet-facing interface.
Configuration:
VPN-1 (some irrelevant configuration omitted):
version 12.3
!
hostname vpn-1
!
aaa new-model
!
aaa authentication login authen group radius local
aaa authorization network author local
aaa session-id common
ip subnet-zero
!
ip cef
ip name-server 202.96.134.20
!
crypto isakmp policy 10
 authentication pre-share
 group 2
! the branch address is dynamic, so the pre-shared key is bound to any address
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set s2s esp-des esp-sha-hmac
!
! dynamic crypto map: the peer address is learned when the branch initiates
crypto dynamic-map dymap 1
 set transform-set s2s
 match address 110
!
crypto map mymap 1 ipsec-isakmp dynamic dymap
!
interface FastEthernet0/0
 description VPN
 ip address 202.11.22.11 255.255.255.248
 ip nat outside
 crypto map mymap
!
interface FastEthernet0/1
 description INSIDE_GATEWAY
 ip address 172.16.10.110 255.255.0.0
 ip nat inside
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no ip http server
!
! ACL 110 selects the traffic to encrypt; ACL 120 exempts that same traffic from NAT
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 deny ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 120
!
end
VPN-2 (some irrelevant configuration omitted):
version 12.3
!
hostname vpn-2
!
username mize password 0 http://mize.netbuddy.org
no aaa new-model
ip subnet-zero
!
ip cef
ip name-server 202.96.134.20
!
crypto isakmp policy 1
 authentication pre-share
 group 2
! the key is bound to the headquarters' DNS name rather than an address
crypto isakmp key cisco hostname nbo.3322.org
!
crypto ipsec transform-set s2s esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 ! "dynamic": the name is resolved only when the tunnel is being established
 set peer nbo.3322.org dynamic
 set transform-set s2s
 match address 110
!
interface FastEthernet0/0
 ip address 202.11.22.43 255.255.255.248
 ip nat outside
 crypto map mymap
!
interface FastEthernet0/1
 ip address 172.30.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
! ACL 110 is the mirror image of the headquarters ACL; ACL 120 exempts it from NAT
access-list 110 permit ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 deny ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 172.30.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
!
end
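Two things go wrong most often with a pair of configurations like the ones above: the crypto ACLs on the two routers are not exact mirror images, or the NAT exemption (the deny entries in ACL 120) drifts away from the crypto ACL so that VPN traffic is translated before it reaches the crypto map. The headquarters router also binds its pre-shared key to 0.0.0.0 0.0.0.0, which is a consequence of the branch having a dynamic address and is worth surfacing in a review. The script below is an added example, not part of the original article or of Cisco's tooling: it parses constructed, abridged copies of the two configurations (the same ACLs, route-maps and key lines shown above) and reports those three conditions. It understands only the numbered "access-list N permit|deny ip ..." form used on this page, which is an assumption of the example.

```python
"""Consistency checks for a pair of IOS site-to-site IPsec configurations.

Added example: the config text below is a constructed, abridged copy of the
two routers described in the article, reduced to the lines the checks need.
"""
import re

VPN1_CFG = """\
hostname vpn-1
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto dynamic-map dymap 1
 set transform-set s2s
 match address 110
crypto map mymap 1 ipsec-isakmp dynamic dymap
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 deny ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 120
"""

VPN2_CFG = """\
hostname vpn-2
crypto isakmp key cisco hostname nbo.3322.org
crypto map mymap 10 ipsec-isakmp
 set peer nbo.3322.org dynamic
 set transform-set s2s
 match address 110
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 110 permit ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 deny ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 172.30.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
"""


def _addr(tokens):
    """Consume one IOS address specifier ('any', 'host A', or 'A WILDCARD').
    Returns ((network, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acls(cfg):
    """Return {acl_number: [(action, (src, src_wild), (dst, dst_wild)), ...]}
    for numbered extended ACL entries of the form 'access-list N action ip ...'."""
    acls = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, rest = _addr(t[4:])
        dst, _ = _addr(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def crypto_acl(cfg):
    """Number of the ACL referenced by 'match address' in the crypto map."""
    m = re.search(r"^\s*match address (\d+)", cfg, re.M)
    return m.group(1) if m else None


def nat_exempt_acl(cfg):
    """Number of the ACL matched by the route-map used for NAT (the NAT-exemption ACL)."""
    m = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)
    if not m:
        return None
    in_map = False
    for line in cfg.splitlines():
        if line.startswith(f"route-map {m.group(1)} "):
            in_map = True
        elif in_map and line.strip().startswith("match ip address "):
            return line.split()[-1]
        elif in_map and not line.startswith(" "):
            in_map = False
    return None


def _fmt(a):
    return f"{a[0]}/{a[1]}"


def check_site_pair(cfg_a, cfg_b):
    """Return a list of human-readable findings for the two configurations."""
    findings = []
    for local, remote in ((cfg_a, cfg_b), (cfg_b, cfg_a)):
        host = re.search(r"^hostname (\S+)", local, re.M).group(1)
        acls, remote_acls = parse_acls(local), parse_acls(remote)
        protected = {(s, d) for act, s, d in acls.get(crypto_acl(local), []) if act == "permit"}
        remote_protected = {(s, d) for act, s, d in remote_acls.get(crypto_acl(remote), []) if act == "permit"}
        exempt = {(s, d) for act, s, d in acls.get(nat_exempt_acl(local), []) if act == "deny"}
        for s, d in sorted(protected):
            # 1. the peer's crypto ACL must contain the reversed entry
            if (d, s) not in remote_protected:
                findings.append(f"{host}: crypto ACL entry {_fmt(s)} -> {_fmt(d)} has no mirror on the peer")
            # 2. every encrypted flow must be denied in the NAT route-map ACL
            if (s, d) not in exempt:
                findings.append(f"{host}: flow {_fmt(s)} -> {_fmt(d)} is encrypted but not exempt from NAT")
        # 3. a key bound to 0.0.0.0 0.0.0.0 is accepted from any peer that presents it
        if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", local, re.M):
            findings.append(f"{host}: pre-shared key is bound to address 0.0.0.0 0.0.0.0 (any peer)")
    return findings


if __name__ == "__main__":
    for f in check_site_pair(VPN1_CFG, VPN2_CFG) or ["no findings"]:
        print(f)
```

On the two configurations from this article the script reports only the wildcard key on vpn-1; removing the deny entry from ACL 120 on either router, or changing one wildcard mask, produces a finding for the affected flow.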
Related debugging commands:
show crypto isakmp sa
show crypto ipsec sa