In a previous post I’d covered doing site-to-site IPSec tunnels on Cisco routers when one or both devices are behind NAT.  But what if multiple spoke routers are behind the same NAT address?  Or simply have dynamic IP addresses?

The solution is to have the spoke routers authenticate using FQDN hostname rather than IP address.  I’ve seen lots of examples which overly complicate how to do this.  It’s actually pretty simple and only requires minor changes.  Let’s assume the spoke routers have dynamic IPs and the hub has a static IP of 203.0.113.222…

IKEv1

On spoke routers with IKEv1, simply replace the “crypto keyring” statement with “crypto isakmp peer” to use IKE aggressive mode, like this:

hostname spoke1
!
no crypto keyring MyHub
crypto isakmp peer address 203.0.113.222 [vrf InternetVRFName]
 set aggressive-mode password XXXXXXXX
 set aggressive-mode client-endpoint fqdn spoke1.mydomain.com
!

Note the “fqdn” name doesn’t necessarily need to match the router’s hostname.

IKEv2

On the spoke router, its local identity (the FQDN it presents to the hub) is configured in the IKEv2 profile.

hostname spoke1
!
crypto ikev2 profile MY_IKEV2_PROFILE
 [match fvrf InternetVRFName]
 match address local interface GigabitEthernet0/0
 match identity remote address 0.0.0.0
 identity local fqdn spoke1.mydomain.com
 authentication remote pre-share
 authentication local pre-share
 keyring local MY_IKEV2_KEYRING
 dpd 20 2 periodic

The pre-shared-key is still set in the IKEv2 keyring.  It simply needs the IP address and PSK of the hub:

crypto ikev2 keyring MY_IKEV2_KEYRING
 peer MyHub
  address 203.0.113.222
  ! Must be 16 chars or longer
  pre-shared-key MySecretKey1234
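The post only shows the spoke side. For completeness, here is the matching hub-side configuration for both variants, as an added example that is not part of the original post: the hub keys spokes by FQDN (or by the whole domain) instead of by source IP, which is what makes several spokes behind one NAT address, or on dynamic addresses, distinguishable. The names HUB_KEYRING, HUB_ISAKMP_PROFILE, HUB_IKEV2_KEYRING, HUB_IKEV2_PROFILE and SPOKES are placeholders; mydomain.com, the hub address 203.0.113.222 and the sample keys follow the post. The dynamic tunnel construct the hub already uses to accept unknown peers (a dynamic crypto map, DMVPN tunnel or virtual-template) is unchanged and omitted. Because IKEv1 aggressive mode sends the identity and the PSK-derived hash before encryption is established, the IKEv1 keys should be long and random; IKEv2 does not have this exposure, which is one more reason to prefer it where both ends support it.

```cisco
! Added example: hub-side counterpart (not from the original post).
! Profile, keyring and peer names are placeholders; the domain and
! hub address 203.0.113.222 follow the post.
!
! ---- IKEv1 hub: look up the PSK by the spoke's FQDN, not its IP ----
crypto keyring HUB_KEYRING
 pre-shared-key hostname spoke1.mydomain.com key XXXXXXXX
 pre-shared-key hostname spoke2.mydomain.com key YYYYYYYY
!
crypto isakmp profile HUB_ISAKMP_PROFILE
 keyring HUB_KEYRING
 ! any spoke identifying itself as <host>.mydomain.com matches
 match identity host domain mydomain.com
!
! ---- IKEv2 hub: one keyring entry covers every spoke in the domain ----
crypto ikev2 keyring HUB_IKEV2_KEYRING
 peer SPOKES
  ! match on the IKEv2 identity, so the source address can be anything
  identity fqdn domain mydomain.com
  address 0.0.0.0 0.0.0.0
  pre-shared-key MySecretKey1234
!
crypto ikev2 profile HUB_IKEV2_PROFILE
 match identity remote fqdn domain mydomain.com
 identity local address 203.0.113.222
 authentication remote pre-share
 authentication local pre-share
 keyring local HUB_IKEV2_KEYRING
 dpd 20 2 periodic
```

After a spoke comes up, "show crypto isakmp sa" (IKEv1) or "show crypto ikev2 sa detailed" (IKEv2) on the hub shows the peer's FQDN identity alongside its current NAT or dynamic address, which is the quickest way to confirm the identity-based lookup is the one being used.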
