VPN between DG834GB and Cisco Soho99 / Dynamic addresses?

Hi, I'm struggling to get a VPN tunnel between my Netgear and Cisco routers. Both endpoints are using dynamic IP addresses, and both used to be Netgear devices (DG834GB). This worked fine. At one end, I'm now replacing the Netgear router with a Cisco Soho99. Internet access and DynDNS are working fine. No VPN tunnel between the two sites though. I found and followed an old posting on this forum, »Do I need a VPN, if so how do I setup???, but am unable to get the tunnel up. Probably due to the fact both endpoints use dynamic addresses. Am I trying to do something impossible, or just missing something?
Specific to my config:
crypto isakmp key key hostname myremotehost.homelinux.com no-xauth
set peer myremotehost.homelinux.com dynamic
My config (changed some private details)
mylocalhost.homelinux.com#sh ru
Building configuration...
Current configuration : 3179 bytes
!
version 12.3
no parser cache
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname mylocalhost.homelinux.com
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 secret
enable password 7 secret
!
username admin password 7 secret
ip subnet-zero
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.1 192.168.1.150
!
ip dhcp pool DHCPPool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name domain.eu
option 66 ip 192.168.1.2
option 150 ip 192.168.1.2
!
!
ip domain name homelinux.com
ip name-server 195.238.2.21
ip name-server 195.238.2.22
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method ddns-upd
HTTP
! <a> is the IOS placeholder for the interface's current address; the forum stripped it as an HTML tag
add http://Userr:passwd@members.dyndns.org/nic/update?system=dyndns&hostname=mylocalhost.homelinux.com&myip=<a>
interval maximum 28 0 0 0
!
aaa new-model
!
!
aaa session-id common
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key key hostname myremotehost.homelinux.com no-xauth
crypto isakmp identity hostname
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set remotehost esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map remotehost 110 ipsec-isakmp
set peer myremotehost.homelinux.com dynamic
set transform-set remotehost
set pfs group2
match address 150
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface BRI0
no ip address
shutdown
!
interface ATM0
no ip address
ip tcp adjust-mss 1452
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Virtual-Template1
no ip address
!
interface Virtual-PPP1
no ip address
!
interface Dialer1
ip ddns update hostname mylocalhost.homelinux.com
ip ddns update ddns-upd host members.dyndns.org
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ISP-USER
ppp chap password 7 ISP-PASSWD
ppp ipcp dns request
crypto map remotehost
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip dns spoofing
!
ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
snmp-server community public view internet-router RO
!
control-plane
!
!
line con 0
exec-timeout 120 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
exec-timeout 0 0
password 7 password
transport preferred none
transport input ssh
transport output none
!
scheduler max-task-time 5000
!
end
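The config above has to stay consistent across several statements for a hostname-keyed, dynamic-peer tunnel to come up: the `set peer` hostname needs the `dynamic` keyword so IOS resolves it at tunnel setup rather than once, the same hostname must have a `crypto isakmp key ... hostname` entry, `crypto isakmp identity hostname` should be set so the router offers its own FQDN as identity, the crypto map must be applied to an interface, and the NAT ACL must deny the crypto ACL's traffic before its permit so tunnel packets are not translated. The checker below is an added example (not Cisco's code and not the poster's) that parses the posted `show run` text and reports any of those cross-references that are missing. It assumes IOS sub-commands are indented by one space, as `show run` prints them; the constructed `GOOD_CONFIG` sample is the VPN-relevant subset of the config above.

```python
"""Cross-reference checks for a dynamic-peer IPsec/ISAKMP setup in Cisco IOS config text.
Added example: parses the running-config as text only, no device access required."""
import re
from typing import List, Tuple

# Constructed sample: VPN-relevant lines of the posted config, sub-commands indented as show run prints them.
GOOD_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key hostname myremotehost.homelinux.com no-xauth
crypto isakmp identity hostname
crypto ipsec transform-set remotehost esp-3des esp-sha-hmac
crypto map remotehost 110 ipsec-isakmp
 set peer myremotehost.homelinux.com dynamic
 set transform-set remotehost
 set pfs group2
 match address 150
interface Dialer1
 ip address negotiated
 ip nat outside
 crypto map remotehost
ip nat inside source list 100 interface Dialer1 overload
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
Addr = Tuple[str, str]  # (address, wildcard); ("any", "") for 'any'


def parse_blocks(config: str):
    """Split IOS config into (top-level command, [sub-commands]); '!' lines are separators."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def _addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("any", ""), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def acl_entries(blocks, number: str):
    """Return (action, src, dst) for every 'access-list N permit|deny ip ...' entry, in order."""
    out = []
    for hdr, _ in blocks:
        t = hdr.split()
        if len(t) >= 4 and t[:2] == ["access-list", str(number)] and t[3] == "ip":
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            out.append((t[2], src, dst))
    return out


def check_vpn_config(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the cross-references line up."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    key_hosts = {h.split()[5] for h in headers if re.match(r"crypto isakmp key \S+ hostname \S+", h)}
    identity_hostname = "crypto isakmp identity hostname" in headers
    transform_sets = {h.split()[3] for h in headers if h.startswith("crypto ipsec transform-set ")}
    applied_maps = {s.split()[2] for h, subs in blocks if h.startswith("interface ")
                    for s in subs if s.startswith("crypto map ")}
    nat_acls = {h.split()[5] for h in headers if h.startswith("ip nat inside source list ")}
    findings = []
    for hdr, subs in blocks:
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", hdr)
        if not m:
            continue
        tag = f"crypto map {m.group(1)} {m.group(2)}"
        if m.group(1) not in applied_maps:
            findings.append(f"{tag}: map is not applied to any interface")
        for s in subs:
            t = s.split()
            if t[:2] == ["set", "peer"] and not _IP.match(t[2]):
                peer = t[2]
                if "dynamic" not in t:
                    findings.append(f"{tag}: peer {peer} is a hostname but lacks 'dynamic'; "
                                    "IOS would resolve it once instead of at tunnel setup")
                if peer not in key_hosts:
                    findings.append(f"{tag}: no 'crypto isakmp key ... hostname {peer}' entry")
                if not identity_hostname:
                    findings.append(f"{tag}: key is bound to a hostname but 'crypto isakmp identity hostname' is absent")
            elif t[:2] == ["set", "transform-set"] and t[2] not in transform_sets:
                findings.append(f"{tag}: transform-set {t[2]} is not defined")
            elif t[:2] == ["match", "address"]:
                crypto = acl_entries(blocks, t[2])
                if not crypto:
                    findings.append(f"{tag}: access-list {t[2]} has no entries")
                for nat_acl in nat_acls:
                    nat = acl_entries(blocks, nat_acl)
                    first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
                    for action, src, dst in crypto:
                        denies = [i for i, e in enumerate(nat) if e == ("deny", src, dst)]
                        if action == "permit" and (not denies or denies[0] > first_permit):
                            findings.append(f"{tag}: NAT access-list {nat_acl} does not deny {src[0]} -> {dst[0]} "
                                            "before its permit; tunnel traffic would be translated")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_config(GOOD_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the posted config the checker reports nothing, which is the point: the tunnel failure here is not a missing cross-reference in the Cisco side's text, so the next place to look is what the peer actually sends (its identity type and the name the pre-shared key is bound to) and whether each DynDNS record is current when the initiator resolves it.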
reply to ACS
[180001]"VPN Version"=2
[180001]"VPN policy"=1ToHome1024192.168.0.1...255.255.255.02mylocalhost.homelinux.com4192.168.1.1...255.255.255.0key0000022013600192.168.1.1500