In a previous post I’d covered doing site-to-site IPSec tunnels on Cisco routers when one or both devices are behind NAT. But what if multiple spoke routers are behind the same NAT address? Or simply have dynamic IP addresses?
The solution is to have the spoke routers identify themselves with an FQDN rather than an IP address. With plain IKE pre-shared keys the responder looks up the key by the peer's source address, which is useless when that address changes or is shared by several spokes; an FQDN identity gives the hub a stable name to match the key against. I've seen lots of examples which overly complicate how to do this. It's actually pretty simple and only requires minor changes. Let's assume the spoke routers have dynamic IPs and the hub has a static IP of 203.0.113.222…
On spoke routers with IKEv1, simply replace the "crypto keyring" statement with "crypto isakmp peer" to use IKE aggressive mode, which carries the FQDN identity in the first exchange, like this (the "vrf" keyword is only needed if the Internet-facing interface is in a VRF):

hostname spoke1
!
no crypto keyring MyHub
crypto isakmp peer address 203.0.113.222 [vrf InternetVRFName]
 set aggressive-mode password XXXXXXXX
 set aggressive-mode client-endpoint fqdn spoke1.mydomain.com
!

One caveat: aggressive mode sends the identity in cleartext and exposes a hash derived from the pre-shared key, so anyone who captures the exchange can brute-force a weak password offline. Use a long random password here, or prefer IKEv2 as shown below.
Note the "fqdn" name doesn't necessarily need to match the router's hostname, and it doesn't need to resolve in DNS either; it is only an identity string the hub matches on.
On spoke routers with IKEv2, the local FQDN identity is configured in the IKEv2 profile instead:

hostname spoke1
!
crypto ikev2 profile MY_IKEV2_PROFILE
 [match fvrf InternetVRFName]
 match address local interface GigabitEthernet0/0
 match identity remote address 0.0.0.0
 identity local fqdn spoke1.mydomain.com
 authentication remote pre-share
 authentication local pre-share
 keyring local MY_IKEV2_KEYRING
 dpd 20 2 periodic
The pre-shared key is still set in the IKEv2 keyring. Since the spoke initiates towards a fixed address, its keyring simply needs the IP address and PSK of the hub:

crypto ikev2 keyring MY_IKEV2_KEYRING
 peer MyHub
  address 203.0.113.222
  pre-shared-key MySecretKey1234   ! Must be 16 chars or longer
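The post only shows the spoke side. For completeness, here is the matching hub side for both the IKEv1 and IKEv2 spoke configurations above, as an added example that is not from the original post. The keyring and profile names, the second spoke (spoke2.mydomain.com) and its key are assumptions; the commands themselves are standard IOS syntax. The point is that the hub looks up the pre-shared key by FQDN identity, not by source address, so each spoke can have its own key even when several sit behind one NAT address.

```cisco
! ---- IKEv1 hub: key and profile matched on the spoke's FQDN ----
! Leave aggressive mode enabled on the hub, i.e. do NOT configure
! "crypto isakmp aggressive-mode disable", or the spokes cannot connect.
crypto keyring SPOKES_KEYRING [vrf InternetVRFName]
 pre-shared-key hostname spoke1.mydomain.com key XXXXXXXX
 pre-shared-key hostname spoke2.mydomain.com key YYYYYYYY   ! assumed second spoke
!
crypto isakmp profile SPOKES_ISAKMP_PROFILE
 keyring SPOKES_KEYRING
 ! match every spoke under the domain, or list each host explicitly
 match identity host domain mydomain.com
 ! attach to the dynamic crypto map / tunnel protection in use as usual
!
! ---- IKEv2 hub: one keyring entry per spoke, selected by FQDN identity ----
crypto ikev2 keyring SPOKES_IKEV2_KEYRING
 peer spoke1
  identity fqdn spoke1.mydomain.com
  pre-shared-key MySecretKey1234
 peer spoke2                                 ! assumed second spoke
  identity fqdn spoke2.mydomain.com
  pre-shared-key AnotherSecretKey5678
!
crypto ikev2 profile HUB_IKEV2_PROFILE
 [match fvrf InternetVRFName]
 match identity remote fqdn domain mydomain.com
 identity local address 203.0.113.222
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKES_IKEV2_KEYRING
 dpd 20 2 periodic
```

Because each keyring entry is selected by the FQDN the spoke presents, revoking one site means deleting one peer block rather than rotating a key shared by every spoke. To verify a spoke actually came up with its FQDN identity, check the "Id" column of "show crypto isakmp sa detail" (IKEv1) or the "Remote id" line of "show crypto ikev2 sa detailed" (IKEv2) on the hub.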