Comments on: 3G – Creating a S2S VPN when the 3G card uses DHCP and not static? http://itknowledgeexchange.techtarget.com/itanswers/3g-creating-a-s2s-vpn-when-the-3g-card-uses-dhcp-and-not-static/ Fri, 24 May 2013 07:13:09 +0000 hourly 1 By: pkpatel1151 http://itknowledgeexchange.techtarget.com/itanswers/3g-creating-a-s2s-vpn-when-the-3g-card-uses-dhcp-and-not-static/#comment-83981 pkpatel1151 Wed, 17 Nov 2010 17:02:18 +0000 #comment-83981 Coledej,

Send me your config’s – minus password – for router and ASA to pkpatel@icon-networks.com.

]]> By: coledej http://itknowledgeexchange.techtarget.com/itanswers/3g-creating-a-s2s-vpn-when-the-3g-card-uses-dhcp-and-not-static/#comment-83965 coledej Wed, 17 Nov 2010 09:43:04 +0000 #comment-83965 Hi PKpatel,
Can you put me through how you are able to achieve this please I have set my 1941 router to use aggressive mode to establishe the vpn and has a dynamic crypto map on my ASA with the pre-shared key on the default group.But I still get error with the phase 1 failing just as someone(orange newbie) complained earlier.
Error from ASA

STV-5520-01(config)# Nov 13 12:54:39 [IKEv1]: IP = 212.183.140.25, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name ’212.183.140.25′.
Nov 13 12:54:39 [IKEv1]: Group = DefaultRAGroup, IP = 212.183.140.25, Removing peer from peer table failed, no match!

Error from Router
*Nov 13 12:57:12.259: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Nov 13 12:57:12.259: ISAKMP:(0): sending packet to 195.89.37.162 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Nov 13 12:57:12.259: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 13 12:57:13.695: ISAKMP (0): received packet from 195.89.37.162 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Nov 13 12:57:13.695: ISAKMP:(0):Notify has no hash. Rejected.
*Nov 13 12:57:13.695: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_AM1
*Nov 13 12:57:13.695: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Nov 13 12:57:13.695: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_I_AM1

Thanks for your help.

]]> By: pkpatel1151 http://itknowledgeexchange.techtarget.com/itanswers/3g-creating-a-s2s-vpn-when-the-3g-card-uses-dhcp-and-not-static/#comment-83944 pkpatel1151 Wed, 17 Nov 2010 01:07:26 +0000 #comment-83944 You can do IPSec VPN between your router with DHCP address and ASA with static address. I have about sites with Cisco 871 on 3G doing VPN with ASA based on pre-shared key. The only thing to keep in mind is that the VPN can only be initiated by Cisco 871 since this is dynamic VPN. If it times out, you won;t be able to get to site with Cisco 871 unlesse 871 rebuilds VPN by sending interesting traffic.

We use SLA to keep IPSec VPN active all the time and prevent it from timing out.

]]> By: coledej http://itknowledgeexchange.techtarget.com/itanswers/3g-creating-a-s2s-vpn-when-the-3g-card-uses-dhcp-and-not-static/#comment-83806 coledej Mon, 15 Nov 2010 12:10:35 +0000 #comment-83806 Hello,

Just wanted to know if someone eventually had a way around how to establish the vpn from the ASA to the Router with vodafone SIM card ,i am facing the same challenge and i spoke with the Vodafone engineer that says they dont assign static ip address to the SIMs anymore.

Thanks

]]> By: rgunther http://itknowledgeexchange.techtarget.com/itanswers/3g-creating-a-s2s-vpn-when-the-3g-card-uses-dhcp-and-not-static/#comment-74811 rgunther Fri, 12 Mar 2010 15:26:15 +0000 #comment-74811 When using the ASDM for my ASA5520 and setting up a Site to Site VPN tunnel, there is an option to uncheck Peer IP Address as static. At that point it looks to be using the Connection Name as the point to authenticate if you should be able to setup a tunnel. You can still use a PSK or a Indentity Cert at that point to secure your connection as well.

I have never used this feature as everytime I have made a vpn tunnel both sides have the a static IP address.

Hope that helps you.
Ryan Gunther
http://www.onlinetech.com

]]>