I have a 3G WIC card (HWIC-3G-GSM) in a Cisco 1841 and need to create an IPSEC tunnel to a Cisco ASA5520.
Normally creating a S2S tunnel would be relatively easy if both peers used static IPs; however, my 3G provider uses dynamic addressing. If I try to create an IPSEC S2S VPN peer on a Cisco ASA it states that I must use aggressive mode. This is a problem because it would mean our penetration tests would fail, which in turn impacts PCI compliance.
Can I create a S2S IPSEC VPN tunnel with only one static peer (ASA) and one dynamic peer (3G), or do I need to change to a 3G provider that can supply static IPs, or is there another device/application that can support a secure tunnel (at least triple DES)?
I have got as far as successfully connecting the 3G to the internet and the debugs show that the peers communicate and the transform set matches, but then phase 1 fails. I'm wondering if I can use a certificate of some sort rather than a PSK.
Once I can get this working, I can modify the configuration to use this link as a final backup link (primary would be a frame-relay satellite, backup would be a VPN link via another satellite, and if all else fails the 3G would carry essential data only).
Can anyone help?
Thanks in advance.
Software/Hardware used:
Cisco 1841 with an HWIC-3G-GSM, Cisco ASA5520
ASKED:
March 2, 2010 10:19 PM
UPDATED:
November 17, 2010 5:02 PM
When using the ASDM for my ASA5520 and setting up a Site to Site VPN tunnel, there is an option to uncheck Peer IP Address as static. At that point it looks to be using the Connection Name as the point to authenticate whether you should be able to set up a tunnel. You can still use a PSK or an Identity Cert at that point to secure your connection as well.
I have never used this feature, as every time I have made a VPN tunnel both sides have had a static IP address.
Hope that helps you.
Ryan Gunther
http://www.onlinetech.com
Hello,
Just wanted to know if someone eventually found a way to establish the VPN from the ASA to the router with a Vodafone SIM card. I am facing the same challenge, and I spoke with a Vodafone engineer who says they don't assign static IP addresses to the SIMs anymore.
Thanks
You can do IPSec VPN between your router with a DHCP address and an ASA with a static address. I have a number of sites with a Cisco 871 on 3G doing VPN with an ASA based on a pre-shared key. The only thing to keep in mind is that the VPN can only be initiated by the Cisco 871, since this is a dynamic VPN. If it times out, you won't be able to get to the site with the Cisco 871 unless the 871 rebuilds the VPN by sending interesting traffic.
We use SLA to keep IPSec VPN active all the time and prevent it from timing out.
Hi PKpatel,
Can you walk me through how you were able to achieve this please? I have set my 1941 router to use aggressive mode to establish the VPN and have a dynamic crypto map on my ASA with the pre-shared key on the default group. But I still get an error with phase 1 failing, just as someone (orange newbie) complained earlier.
Error from ASA
STV-5520-01(config)# Nov 13 12:54:39 [IKEv1]: IP = 212.183.140.25, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '212.183.140.25'.
Nov 13 12:54:39 [IKEv1]: Group = DefaultRAGroup, IP = 212.183.140.25, Removing peer from peer table failed, no match!
Error from Router
*Nov 13 12:57:12.259: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Nov 13 12:57:12.259: ISAKMP:(0): sending packet to 195.89.37.162 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Nov 13 12:57:12.259: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 13 12:57:13.695: ISAKMP (0): received packet from 195.89.37.162 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Nov 13 12:57:13.695: ISAKMP:(0):Notify has no hash. Rejected.
*Nov 13 12:57:13.695: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_AM1
*Nov 13 12:57:13.695: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Nov 13 12:57:13.695: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_I_AM1
Thanks for your help.
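The "unknown tunnel group name '212.183.140.25'" line in the ASA debug above shows the router presenting its dynamic IP as its IKE identity, which the ASA cannot match to any tunnel group. As an added example (not a configuration posted in this thread), the pair below sends an FQDN identity instead, uses the dynamic crypto map and PSK described by PKpatel and Coledej, and adds the SLA keepalive PKpatel mentions; the FQDN branch1841.example.com, the placeholder PSK, the Cellular0/0/0 interface name and the 192.168.1.0/24 and 10.10.10.0/24 subnets are assumptions, while the ASA address 195.89.37.162 is the one in the router debug.

```cisco
!!! Router (Cisco 1841, dynamic 3G address): identity sent as FQDN, not IP
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp identity hostname
! PSK and aggressive-mode identity for the ASA peer (EXAMPLE-PSK is a placeholder)
crypto isakmp key EXAMPLE-PSK address 195.89.37.162
crypto isakmp peer address 195.89.37.162
 set aggressive-mode password EXAMPLE-PSK
 set aggressive-mode client-endpoint fqdn branch1841.example.com
crypto ipsec transform-set TS esp-3des esp-sha-hmac
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 195.89.37.162
 set transform-set TS
 match address VPN-ACL
interface Cellular0/0/0
 crypto map VPN
! Keepalive: probe sourced from the LAN address so it matches VPN-ACL and
! keeps rebuilding the tunnel; only the dynamic side can initiate it
ip sla 1
 icmp-echo 10.10.10.1 source-ip 192.168.1.1
 frequency 30
ip sla schedule 1 life forever start-time now
!!! ASA 5520 (static 195.89.37.162): L2L tunnel-group named after the FQDN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp enable outside
tunnel-group branch1841.example.com type ipsec-l2l
tunnel-group branch1841.example.com ipsec-attributes
 pre-shared-key EXAMPLE-PSK
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto dynamic-map DYN 10 set transform-set TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside
```

Aggressive mode with a PSK is what the original poster's penetration test flagged; switching both `authentication pre-share` lines to `rsa-sig` with a trustpoint on each side is the certificate option raised in the question and lets the dynamic peer negotiate in main mode instead.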
Coledej,
Send me your configs, minus passwords, for the router and ASA to pkpatel@icon-networks.com.