In a previous post I’d covered doing site-to-site IPSec tunnels on Cisco routers when one or both devices are behind NAT. But what if multiple spoke routers have dynamic IP addresses? Or how about many behind the same NAT address?
The solution is to have the spoke routers authenticate using FQDN hostname rather than IP address. I’ve seen lots of examples which overly complicate how to do this. It’s actually pretty simple and only requires minor changes. Let’s assume the spoke routers have dynamic IPs and the hub has a static IP of 203.0.113.222…
IKEv1
Spoke Router
On spoke routers with IKEv1, simply replace the “crypto keyring” statement with “crypto isakmp peer” to use FQDN authentication and IKE aggressive mode, like this:
hostname spoke1
!
no crypto keyring MyHub
crypto isakmp peer address 203.0.113.222 [vrf InternetVRFName]
set aggressive-mode password XXXXXXXX
set aggressive-mode client-endpoint fqdn spoke1.mydomain.com
!
Note that the fqdn identity doesn't necessarily need to match the router's hostname.
IKEv2
Spoke Router
Set the Hub’s IP address and pre-shared key in an IKEv2 keyring:
crypto ikev2 keyring MY_IKEV2_KEYRING
peer MyHub
address 203.0.113.222
pre-shared-key MySecretKey1234
! Must be 16 chars or longer
Set the identity (hostname) in the IKEv2 profile via the identity local line:
hostname spoke1
!
crypto ikev2 profile SPOKE_IKEV2_PROFILE
match address local interface GigabitEthernet0/0
match identity remote address 203.0.113.222 255.255.255.255
identity local fqdn spoke1.spokedomain.com
authentication remote pre-share
authentication local pre-share
keyring local MY_IKEV2_KEYRING
dpd 20 2 periodic
!
IPSec profile:
crypto ipsec profile SPOKE_IPSEC_PROFILE
set security-association lifetime kilobytes disable
set pfs group14
set ikev2-profile SPOKE_IKEV2_PROFILE
!
Tunnel Interface and static route to 10.0.0.0/8:
interface Tunnel1
ip address 169.254.1.100 255.255.255.0
ip tcp adjust-mss 1379
keepalive 10 3
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 203.0.113.222
tunnel protection ipsec profile SPOKE_IPSEC_PROFILE
!
ip route 10.0.0.0 255.0.0.0 Tunnel1
Hub Router
Each spoke will need an entry. Use identity in the entry, not hostname:
crypto ikev2 keyring SPOKES_IKEV2_KEYRING
peer spoke1
identity fqdn spoke1.spokedomain.com
pre-shared-key MySecretKey1234
!
The IKEv2 profile will be a bit different. The domain is used to match multiple spokes:
crypto ikev2 profile HUB_IKEV2_PROFILE
match address local interface GigabitEthernet0/0
match identity remote fqdn domain spokedomain.com
identity local fqdn myhub.hubdomain.com
authentication remote pre-share
authentication local pre-share
keyring local SPOKES_IKEV2_KEYRING
dpd 10 2 on-demand
virtual-template 1
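As an added example (not code from the original post), a small Python script that builds the hub keyring above from a spoke inventory and checks each entry against the two things the hub relies on: the identity FQDN must sit under the domain the profile matches, and the pre-shared key must be at least 16 characters. The inventory values and the "one key per spoke" rule are assumptions of the example.

```python
import re

MIN_PSK_LEN = 16  # the post notes the pre-shared key must be 16 chars or longer

# Loose hostname check: labels of letters/digits/hyphens, at least one dot, alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed spoke inventory (assumed values, not from the original post).
SPOKES = [
    {"name": "spoke1", "fqdn": "spoke1.spokedomain.com", "psk": "Spoke1-PSK-example-2024"},
    {"name": "spoke2", "fqdn": "spoke2.spokedomain.com", "psk": "Spoke2-PSK-example-2024"},
]

def in_domain(fqdn, domain):
    """True if fqdn is a host under domain, which is what 'match identity remote fqdn domain' keys on."""
    return fqdn.lower().endswith("." + domain.lower())

def check_spoke(spoke, domain):
    """Return the problems with one keyring entry; an empty list means the hub will accept it."""
    problems = []
    if not FQDN_RE.match(spoke["fqdn"].lower()):
        problems.append(f"{spoke['name']}: {spoke['fqdn']!r} is not a valid FQDN identity")
    elif not in_domain(spoke["fqdn"], domain):
        problems.append(f"{spoke['name']}: {spoke['fqdn']} is outside {domain}, so the hub profile will not match it")
    if len(spoke["psk"]) < MIN_PSK_LEN:
        problems.append(f"{spoke['name']}: pre-shared key is {len(spoke['psk'])} chars, need {MIN_PSK_LEN} or more")
    return problems

def render_hub_keyring(keyring, spokes, domain):
    """Emit the hub keyring with one peer entry per spoke; emit nothing if any entry is bad."""
    problems = [p for s in spokes for p in check_spoke(s, domain)]
    seen = {}
    for s in spokes:  # assumed policy: a key shared by two spokes lets one claim the other's identity
        if s["psk"] in seen:
            problems.append(f"{s['name']}: pre-shared key is reused from {seen[s['psk']]}")
        seen.setdefault(s["psk"], s["name"])
    if problems:
        raise ValueError("\n".join(problems))
    lines = [f"crypto ikev2 keyring {keyring}"]
    for s in spokes:
        lines += [f"peer {s['name']}", f"identity fqdn {s['fqdn']}", f"pre-shared-key {s['psk']}", "!"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_hub_keyring("SPOKES_IKEV2_KEYRING", SPOKES, "spokedomain.com"))
```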
The IPSec profile is almost the same but is responder-only (passive):
crypto ipsec profile HUB_IPSEC_PROFILE
set security-association lifetime kilobytes disable
set pfs group14
set ikev2-profile HUB_IKEV2_PROFILE
responder-only
Rather than a regular tunnel interface, a virtual-template interface is used so the hub can accept any number of spokes whose addresses are not known in advance:
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile HUB_IPSEC_PROFILE