3G – Creating a S2S VPN when the 3G card uses DHCP and not static?

55 pts.
Tags:
3G
ASA
Cisco
Cisco 1841
Cisco ASA
Cisco ASA 5520
Firewalls
IP
IPsec
IPsec VPN
Routing
VPN
I have a 3G WIC card (HWIC-3G-GSM) in a Cisco 1841 and need to create an IPSEC tunnel to a Cisco ASA5520

Normally creating a S2S tunnel would be relatively easy if both peers used static IP's, however my 3G provider uses dynamic addressing. If I try and create an IPSEC S2S VPN peer on a Cisco ASA it states that I must use aggressive mode however this is a problem because this would then mean our penetration tests would fail and this in turn impacts PCI compliance.

Can I create a S2S IPSEC VPN tunnel with only one static peer (ASA) and one dynamic peer (3G) or do I need to change to a 3G provider that can supply static IP's or is there another device/application that can support a secure tunnel (at least triple DES).

I have got as far as successfully connecting the 3G to the internet and the debugs show that the peers communicate and the transform set matches, but then phase 1 fails. I'm wondering if I can use a certificate of some sort rather than a PSK.

Once I can get this working, then I can modify the configuraton to use this link as a final backup link (primary would be a frame-relay satellite, back-up would be a VPN link via another satellite and then if all else fails to use the 3G for essential data only).

Can anyone help?

Thanks in advance.



Software/Hardware used:
Cisco 1841 with an HWIC-3GSM, Cisco ASA5520
ASKED: March 2, 2010  10:19 PM
UPDATED: November 17, 2010  5:02 PM

Answer Wiki

Thanks. We'll let you know when a new response is added.

I have spoken directly to a Vodafone engineer that has set this up a couple of times.
The 3G data connection is a connection into Vodafone’s network and then this is broken out onto the internet via:
NAT
IPS-ID
Content cacheing
Content filtering
Under a standard 3G data service a different dynamic IP address is allocated on each connection attempt, the only reliable solution is to request and pay for a private access point name (APN), which can then be set-up to use a Vodafone Radius server which then passes the authentication requests to our Radius server which can then in-turn assign a specific IP address to the specific 3G device. Once this is done, then a GRE or IPSEC tunnel can then be created because we then have a specific IP address for a specific SIM.
The engineer did mention that in theory Cisco’s EasyVPN solution can be used with dynamically assigned IP’s however whenever he has attempted using this with 3G he regularly sees the tunnel drop for no apparent reason so he would not advise using it.

Discuss This Question: 5  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • RGunther
    When using the ASDM for my ASA5520 and setting up a Site to Site VPN tunnel, there is an option to uncheck Peer IP Address as static. At that point it looks to be using the Connection Name as the point to authenticate if you should be able to setup a tunnel. You can still use a PSK or a Indentity Cert at that point to secure your connection as well. I have never used this feature as everytime I have made a vpn tunnel both sides have the a static IP address. Hope that helps you. Ryan Gunther www.onlinetech.com
    650 pointsBadges:
    report
  • Coledej
    Hello, Just wanted to know if someone eventually had a way around how to establish the vpn from the ASA to the Router with vodafone SIM card ,i am facing the same challenge and i spoke with the Vodafone engineer that says they dont assign static ip address to the SIMs anymore. Thanks
    20 pointsBadges:
    report
  • pkpatel1151
    You can do IPSec VPN between your router with DHCP address and ASA with static address. I have about sites with Cisco 871 on 3G doing VPN with ASA based on pre-shared key. The only thing to keep in mind is that the VPN can only be initiated by Cisco 871 since this is dynamic VPN. If it times out, you won;t be able to get to site with Cisco 871 unlesse 871 rebuilds VPN by sending interesting traffic. We use SLA to keep IPSec VPN active all the time and prevent it from timing out.
    430 pointsBadges:
    report
  • Coledej
    Hi PKpatel, Can you put me through how you are able to achieve this please I have set my 1941 router to use aggressive mode to establishe the vpn and has a dynamic crypto map on my ASA with the pre-shared key on the default group.But I still get error with the phase 1 failing just as someone(orange newbie) complained earlier. Error from ASA STV-5520-01(config)# Nov 13 12:54:39 [IKEv1]: IP = 212.183.140.25, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '212.183.140.25'. Nov 13 12:54:39 [IKEv1]: Group = DefaultRAGroup, IP = 212.183.140.25, Removing peer from peer table failed, no match! Error from Router *Nov 13 12:57:12.259: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH *Nov 13 12:57:12.259: ISAKMP:(0): sending packet to 195.89.37.162 my_port 500 peer_port 500 (I) AG_INIT_EXCH *Nov 13 12:57:12.259: ISAKMP:(0):Sending an IKE IPv4 Packet. *Nov 13 12:57:13.695: ISAKMP (0): received packet from 195.89.37.162 dport 500 sport 500 Global (I) AG_INIT_EXCH *Nov 13 12:57:13.695: ISAKMP:(0):Notify has no hash. Rejected. *Nov 13 12:57:13.695: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_AM1 *Nov 13 12:57:13.695: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Nov 13 12:57:13.695: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_I_AM1 Thanks for your help.
    20 pointsBadges:
    report
  • pkpatel1151
    Coledej, Send me your config's - minus password - for router and ASA to pkpatel@icon-networks.com.
    430 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following