In a previous post I’d covered doing site-to-site IPSec tunnels on Cisco routers when one or both devices are behind NAT. But what if multiple spoke routers have dynamic IP addresses? Or how about many behind the same NAT address?
The solution is to have the spoke routers authenticate using FQDN hostname rather than IP address. I’ve seen lots of examples which overly complicate how to do this. It’s actually pretty simple and only requires minor changes. Let’s assume the spoke routers have dynamic IPs and the hub has a static IP of 203.0.113.222…
On spoke routers with IKEv1, simply replace the “crypto keyring” statement with “crypto isakmp peer” to use FQDN authentication and IKE aggressive mode, like this:
hostname spoke1
!
no crypto keyring MyHub
crypto isakmp peer address 203.0.113.222 [vrf InternetVRFName]
 set aggressive-mode password XXXXXXXX
 set aggressive-mode client-endpoint fqdn spoke1.mydomain.com
!
Note that the FQDN used here doesn't need to match the router's hostname.
For IKEv2 spokes, set the hub's IP address and pre-shared key in an IKEv2 keyring:
crypto ikev2 keyring MY_IKEV2_KEYRING
 peer MyHub
  address 203.0.113.222
  pre-shared-key MySecretKey1234   ! Must be 16 chars or longer
!
The spoke's identity (its FQDN) is set in the IKEv2 profile with the identity local line:
hostname spoke1
!
crypto ikev2 profile SPOKE_IKEV2_PROFILE
 match address local interface GigabitEthernet0/0
 match identity remote address 203.0.113.222 255.255.255.255
 identity local fqdn spoke1.spokedomain.com
 authentication remote pre-share
 authentication local pre-share
 keyring local MY_IKEV2_KEYRING
 dpd 20 2 periodic
!
crypto ipsec profile SPOKE_IPSEC_PROFILE
 set security-association lifetime kilobytes disable
 set pfs group14
 set ikev2-profile SPOKE_IKEV2_PROFILE
!
Tunnel interface and a static route to 10.0.0.0/8:
interface Tunnel1
 ip address 169.254.1.100 255.255.255.0
 ip tcp adjust-mss 1379
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.222
 tunnel protection ipsec profile SPOKE_IPSEC_PROFILE
!
ip route 10.0.0.0 255.0.0.0 Tunnel1
On the hub side, each spoke needs its own keyring entry. Use the identity keyword in the entry, not hostname:
crypto ikev2 keyring SPOKES_IKEV2_KEYRING
 peer spoke1
  identity fqdn spoke1.spokedomain.com
  pre-shared-key MySecretKey1234
!
The hub's IKEv2 profile is a bit different: matching on the domain lets one profile cover multiple spokes:
crypto ikev2 profile HUB_IKEV2_PROFILE
 match address local interface GigabitEthernet0/0
 match identity remote fqdn domain spokedomain.com
 identity local fqdn myhub.hubdomain.com
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKES_IKEV2_KEYRING
 dpd 10 2 on-demand
 virtual-template 1
The IPSec profile is almost the same, but set to responder-only (passive):
crypto ipsec profile HUB_IPSEC_PROFILE
 set security-association lifetime kilobytes disable
 set pfs group14
 set ikev2-profile HUB_IKEV2_PROFILE
 responder-only
Rather than a regular tunnel interface, a virtual template is used:
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile HUB_IPSEC_PROFILE