I have a 3G WIC card (HWIC-3G-GSM) in a Cisco 1841 and need to create an IPSEC tunnel to a Cisco ASA5520
Normally creating a S2S tunnel would be relatively easy if both peers used static IP's, however my 3G provider uses dynamic addressing. If I try and create an IPSEC S2S VPN peer on a Cisco ASA it states that I must use aggressive mode however this is a problem because this would then mean our penetration tests would fail and this in turn impacts PCI compliance.
Can I create a S2S IPSEC VPN tunnel with only one static peer (ASA) and one dynamic peer (3G) or do I need to change to a 3G provider that can supply static IP's or is there another device/application that can support a secure tunnel (at least triple DES).
I have got as far as successfully connecting the 3G to the internet and the debugs show that the peers communicate and the transform set matches, but then phase 1 fails. I'm wondering if I can use a certificate of some sort rather than a PSK.
Once I can get this working, then I can modify the configuraton to use this link as a final backup link (primary would be a frame-relay satellite, back-up would be a VPN link via another satellite and then if all else fails to use the 3G for essential data only).
Can anyone help?
Thanks in advance.
Software/Hardware used: Cisco 1841 with an HWIC-3GSM, Cisco ASA5520