In a previous post I covered site-to-site IPsec tunnels on Cisco routers when one or both devices are behind NAT. But what if several spoke routers sit behind the same NAT address, or simply have dynamic IP addresses? In both cases the hub can no longer select the peer's pre-shared key or IKE profile by source address, because that address is either shared by many spokes or not known in advance.

The solution is to have each spoke authenticate with an FQDN identity rather than its IP address. I’ve seen lots of examples that overcomplicate this; it is actually simple and only requires minor changes on the spoke side. Let’s assume the spoke routers have dynamic IPs and the hub has a static IP of…


On spoke routers running IKEv1, simply replace the “crypto keyring” statement with a “crypto isakmp peer” entry, which makes the spoke use IKE aggressive mode. Main mode cannot do this with pre-shared keys: the identity payload is only sent encrypted in the fifth and sixth messages, after the responder has already had to pick the key by peer address. The spoke configuration looks like this:

hostname spoke1
no crypto keyring MyHub
crypto isakmp peer address [vrf InternetVRFName]
 set aggressive-mode password XXXXXXXX
 set aggressive-mode client-endpoint fqdn 

Note that the “fqdn” value is simply the IKE identity the spoke presents; it need not match the router’s hostname or resolve in DNS, but it must match the hostname the hub’s keyring and ISAKMP profile expect. Bear in mind that aggressive mode sends a hash computed from the pre-shared key in the clear, so anyone who can capture or solicit the exchange can attack the PSK offline: use a long random password, and prefer IKEv2 where both ends support it.
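As an added worked example (not from the original post), here is the matching pair of IKEv1 configurations with assumed values: hub address 203.0.113.1 (documentation range), two spokes identifying as spoke1.example.com and spoke2.example.com, and placeholder secrets. The hub side is what the post does not show: because the spoke’s source address is unknown, the hub keyring selects the key by the hostname the spoke presents and the ISAKMP profile matches on that identity instead of on an address.

```text
! ---- spoke1 (dynamic IP, IKEv1 aggressive mode) ----
! assumed values: hub 203.0.113.1, identity spoke1.example.com
hostname spoke1
no crypto keyring MyHub
crypto isakmp peer address 203.0.113.1
 set aggressive-mode password Spoke1-Long-Random-Secret-Placeholder
 set aggressive-mode client-endpoint fqdn spoke1.example.com
!
! ---- hub (static 203.0.113.1) ----
! one key per spoke, selected by the FQDN identity, not by peer address;
! a compromised spoke1 then cannot claim to be spoke2
crypto keyring SPOKES_V1
 pre-shared-key hostname spoke1.example.com key Spoke1-Long-Random-Secret-Placeholder
 pre-shared-key hostname spoke2.example.com key Spoke2-Long-Random-Secret-Placeholder
!
crypto isakmp profile SPOKES_V1_PROFILE
 keyring SPOKES_V1
 match identity host domain example.com
```

The hub profile still has to be bound to whatever dynamic crypto map or tunnel interface the earlier address-based setup used; only the keyring and the match line change. IOS answers aggressive mode as a responder by default, so check that `crypto isakmp aggressive-mode disable` is not configured on the hub, and confirm the identities with `show crypto session detail` once a spoke has connected.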


With IKEv2 there is no aggressive mode to worry about: the spoke simply sets its local identity to an FQDN in the IKEv2 profile, and the rest of the profile is unchanged.

hostname spoke1
crypto ikev2 profile MY_IKEV2_PROFILE
 [match fvrf InternetVRFName]
 match address local interface GigabitEthernet0/0
 match identity remote address 
 identity local fqdn
 authentication remote pre-share
 authentication local pre-share
 keyring local MY_IKEV2_KEYRING
 dpd 20 2 periodic

The pre-shared key is still set in the IKEv2 keyring, which only needs the hub’s IP address and the PSK:

crypto ikev2 keyring MY_IKEV2_KEYRING
 peer MyHub
  ! Must be 16 chars or longer
  pre-shared-key MySecretKey1234
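As an added worked example (not from the original post), here is the IKEv2 equivalent with the same assumed values: hub 203.0.113.1, spokes identifying as spoke1.example.com and spoke2.example.com, and a placeholder secret. The hub keyring accepts any peer address because the spokes’ addresses are unknown, and the hub profile matches on the FQDN identity the spoke sends; everything else mirrors the spoke profile above.

```text
! ---- spoke1 (dynamic IP, IKEv2) ----
! assumed values: hub 203.0.113.1, identity spoke1.example.com
hostname spoke1
crypto ikev2 keyring MY_IKEV2_KEYRING
 peer MyHub
  address 203.0.113.1
  pre-shared-key Spokes-Long-Random-Secret-Placeholder
!
crypto ikev2 profile MY_IKEV2_PROFILE
 match address local interface GigabitEthernet0/0
 match identity remote address 203.0.113.1 255.255.255.255
 identity local fqdn spoke1.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local MY_IKEV2_KEYRING
 dpd 20 2 periodic
!
! ---- hub (static 203.0.113.1) ----
! spoke addresses are unknown, so the keyring matches any peer address;
! the profile then admits only identities under example.com
crypto ikev2 keyring SPOKES_V2
 peer ANY_SPOKE
  address 0.0.0.0 0.0.0.0
  pre-shared-key Spokes-Long-Random-Secret-Placeholder
!
crypto ikev2 profile SPOKES_V2_PROFILE
 match identity remote fqdn domain example.com
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKES_V2
 dpd 20 2 on-demand
```

The catch-all keyring entry means every spoke shares one PSK, so any holder of it can present any identity under example.com; where that matters, give each spoke its own peer entry keyed on its identity (the `identity` command under the keyring peer) with a distinct secret. The hub profile is attached with `set ikev2-profile` on the dynamic crypto map, or through the IPsec profile on a virtual-template, just as in the address-based setup. Verify with `show crypto ikev2 sa detailed`, which lists the local and remote identities actually negotiated.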