Static IP and Dynamic IP Point-to-Point VPNs

I used to use a router for each P2P VPN tunnel before I realized that these can all be kept on one router. So I have moved all of our P2P VPNs (besides one) to a Cisco ISR 2811, and any new VPNs are terminated there. Recently I was tasked with getting a home user a constant connection so that their hard phone could reach our internal 3Com NBX. The phones talk to the NBX at the data link layer (layer 2) by default, but can be programmed to communicate over IP (layer 3). A constant, external, layer-3 connection pretty much says VPN tunnel all over it, and I want to keep the same design of using one endpoint to terminate the VPN tunnels.

I’ve set up many a VPN tunnel for clients and a few to our call centers over the web, but never a P2P tunnel to a home user. The problem here is that the home user may not always come from the same IP address, so I need a way to allow connections from any IP address using a specific key while still allowing connections from specific IPs using their own keys. Searching for this, I found a few Cisco sites using ISAKMP profiles. I configured this and got it to work for the home P2P tunnel, but the other client P2P tunnels failed. The reason is that profiles take precedence over ISAKMP policies, and the profile was set up to accept connections from Therefore, the client P2P VPNs would try to match their key against the key set up for the home P2P, which would obviously fail. After some more looking, it turns out profiles are good for allowing more than one type of authentication, whereas here I am only using one type of authentication, pre-shared keys (PSK).

Nonetheless, after a lot of trial and error and googling, I finally found the one command I was looking for: crypto isakmp key $key address

Apparently the term for this is “wildcard keys”: any endpoint that meets the Phase 1 parameters and presents the proper key can create a VPN tunnel. Using this allowed both the existing P2P VPN sessions and the home session to connect at the same time. If you want some more info and a bit more of a walkthrough of my thought process, have a look at the post: . Also, here is the final configuration I used to get this connection working on my side:

crypto isakmp policy 200
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 900
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key $KEY address 65.x.x.x
crypto isakmp key $KEY address 113.x.x.x
crypto isakmp key $KEY address 190.x.x.x
crypto isakmp key $KEY address
crypto isakmp keepalive 20 periodic
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto dynamic-map ZachHome 1000
 set transform-set esp-3des-sha
crypto map external_ipsec 200 ipsec-isakmp
 set peer 65.x.x.x
 set transform-set esp-3des-sha esp-3des-md5
 match address
crypto map external_ipsec 900 ipsec-isakmp
 set peer 113.x.x.x
 set transform-set esp-aes-sha
 match address
crypto map external_ipsec 65000 ipsec-isakmp
 set peer 190.x.x.x
 set transform-set esp-3des-sha
 match address
crypto map external_ipsec 65500 ipsec-isakmp dynamic ZachHome
interface FastEthernet0/0
 ip address
 ip access-group inside_allowed_in in
 ip access-group outbound_to_inside out
 ip nat inside
interface FastEthernet0/1
 ip address 64.x.x.x
 ip access-group inbound_from_outside in
 ip nat outside
 crypto map external_ipsec
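The point of the configuration above is the order in which the router picks a pre-shared key and a crypto map entry for an incoming peer: a known address gets its own key and its own static entry, anything else falls through to the wildcard key and the dynamic map. The following script is an added example, not code from the original post; it parses a cut-down version of that configuration (RFC 5737 documentation addresses and placeholder key names stand in for the redacted 65.x.x.x style peers and $KEY values) and reports, for a given peer address, which key and which crypto map entry would apply. It spells the wildcard entry out as `address 0.0.0.0 0.0.0.0`, the IOS form of the command the post refers to. Two behaviours are modelled as assumptions rather than taken from the page: the most specific key entry wins, and crypto map entries are evaluated in ascending sequence order with a dynamic entry accepting any peer that reaches it. The `audit` function flags the two mistakes that model makes visible: a wildcard key that is also a specific peer's key, and a dynamic entry that is not sequenced last, which would shadow every static peer after it.

```python
"""Audit helper for the wildcard pre-shared-key pattern shown above (constructed
example, not code from the original post).  From a minimal IOS 'crypto isakmp
key' / 'crypto map' configuration it derives, for a peer address, which key the
router would use and which crypto map entry would take the tunnel, and flags two
mistakes.  Modelling assumptions, not stated on the page: the most specific key
entry wins (a per-peer key beats the 0.0.0.0 0.0.0.0 wildcard), and crypto map
entries are walked in ascending sequence, a dynamic entry accepting any peer.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: RFC 5737 documentation addresses stand in for the
# redacted 65.x.x.x / 113.x.x.x peers of the post; keys are placeholders.
SAMPLE_CONFIG = """\
crypto isakmp key KEY-SITE-A address 198.51.100.10
crypto isakmp key KEY-SITE-B address 203.0.113.20
crypto isakmp key KEY-HOME address 0.0.0.0 0.0.0.0
crypto dynamic-map ZachHome 1000
 set transform-set esp-3des-sha
crypto map external_ipsec 200 ipsec-isakmp
 set peer 198.51.100.10
crypto map external_ipsec 900 ipsec-isakmp
 set peer 203.0.113.20
crypto map external_ipsec 65500 ipsec-isakmp dynamic ZachHome
"""
# Constructed counter-example: wildcard key reused for a static peer, and the
# dynamic entry sequenced before the static one.
BAD_CONFIG = """\
crypto isakmp key KEY-HOME address 198.51.100.10
crypto isakmp key KEY-HOME address 0.0.0.0 0.0.0.0
crypto map external_ipsec 100 ipsec-isakmp dynamic ZachHome
crypto map external_ipsec 200 ipsec-isakmp
 set peer 198.51.100.10
"""
KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\d[\d.]*)(?: (\d[\d.]*))?")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
PEER_RE = re.compile(r"^ set peer (\d[\d.]*)$")

@dataclass
class MapEntry:
    seq: int
    dynamic: str = ""  # name of the dynamic map; empty for a static entry
    peers: list = field(default_factory=list)  # IPv4Address values from 'set peer'

@dataclass
class Config:
    keys: list     # (IPv4Network, key) pairs from 'crypto isakmp key'
    entries: list  # MapEntry objects sorted by sequence number

def parse_config(text):
    keys, entries, current = [], [], None
    for raw in text.splitlines():
        m = KEY_RE.match(raw)
        if m:
            key, addr, mask = m.groups()
            # No mask means a single host; 0.0.0.0 0.0.0.0 is the wildcard.
            keys.append((ipaddress.IPv4Network((addr, mask or "255.255.255.255")), key))
            continue
        m = MAP_RE.match(raw)
        if m:
            current = MapEntry(seq=int(m.group(2)), dynamic=m.group(3) or "")
            entries.append(current)
            continue
        m = PEER_RE.match(raw)
        if m and current is not None:
            current.peers.append(ipaddress.IPv4Address(m.group(1)))
        elif not raw.startswith(" "):
            current = None  # left the crypto map sub-mode
    entries.sort(key=lambda e: e.seq)
    return Config(keys, entries)

def lookup_key(cfg, peer):
    """Key the responder would use for peer: most specific address entry wins."""
    ip = ipaddress.IPv4Address(peer)
    matches = [(net.prefixlen, key) for net, key in cfg.keys if ip in net]
    return max(matches, key=lambda t: t[0])[1] if matches else None

def lookup_map_entry(cfg, peer):
    """First crypto map entry, by sequence number, that would take peer."""
    ip = ipaddress.IPv4Address(peer)
    for entry in cfg.entries:
        if entry.dynamic:
            return entry.seq, "dynamic " + entry.dynamic
        if ip in entry.peers:
            return entry.seq, "static"
    return None

def audit(cfg):
    findings = []
    wildcard = {key for net, key in cfg.keys if net.prefixlen == 0}
    specific = {key for net, key in cfg.keys if net.prefixlen != 0}
    for key in sorted(wildcard & specific):
        findings.append(f"wildcard key {key!r} is also a specific peer's key; a key accepted from any address should be unique")
    dynamic = [e for e in cfg.entries if e.dynamic]
    if dynamic and dynamic[0] is not cfg.entries[-1]:
        findings.append(f"dynamic entry seq {dynamic[0].seq} is not the highest sequence number; static peers after it are shadowed")
    return findings

if __name__ == "__main__":
    for text in (SAMPLE_CONFIG, BAD_CONFIG):
        cfg = parse_config(text)
        print([(p, lookup_key(cfg, p), lookup_map_entry(cfg, p)) for p in ("198.51.100.10", "192.0.2.77")], audit(cfg))
```

Run against `SAMPLE_CONFIG`, the static peers keep their own keys and entries while an unknown address such as 192.0.2.77 lands on `KEY-HOME` and the dynamic map, which is the behaviour the post observed once the wildcard key was added. `BAD_CONFIG` shows why the dynamic entry carries sequence 65500 in the real configuration: with the dynamic entry at 100, even the known peer is handed to the dynamic map and the static entry at 200 is never reached.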

About Richard Svensson

Richard is the Sr Network Administrator at an international automotive interiors manufacturer.
