Configuring Cisco Site to Site IPSec VPN with Dynamic IP Endpoint Cisco Routers

Written by Administrator. Posted in Cisco Routers - Configuring Cisco Routers (/cisco-technical-knowledgebase/cisco-routers.html)
Friday, 11 March 2016
Rating 4.61 (23 Votes)
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/936-cisco-router-vpn-dynamic-endpoint.html


This article serves as an extension to our popular Cisco VPN topics covered here on Firewall.cx. While we've covered Site to Site IPSec VPN Tunnel Between Cisco Routers (/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html) (using static public IP addresses), we will now take a look at how to configure our headquarter Cisco router to support remote Cisco routers with dynamic IP addresses. One important note to keep in mind with this implementation is that Site-to-Site VPN networks with dynamic remote public IP addresses can only be brought up by the remote site routers, as only they are aware of the headquarter router's public IP address.

IPSec VPN tunnels can also be configured using GRE (Generic Routing Encapsulation) tunnels with IPsec encryption. GRE tunnels greatly simplify the configuration and administration of VPN tunnels and are covered in our Configuring Point-to-Point GRE VPN Tunnels (/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html) article. Lastly, DMVPNs, a newer VPN approach that provides outstanding flexibility and almost no administration overhead, can be examined by reading our Understanding Cisco Dynamic Multipoint VPN (DMVPN) (/cisco-technical-knowledgebase/cisco-services-tech/896-cisco-dmvpn-intro.html), Dynamic Multipoint VPN (DMVPN) Deployment Models & Architectures (/cisco-technical-knowledgebase/cisco-services-tech/908-cisco-dmvpn-models.html) and Configuring Cisco Dynamic Multipoint VPN (DMVPN) - Hub, Spokes, mGRE Protection and Routing - DMVPN Configuration (/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpn-configuration.html) articles.

ISAKMP (Internet Security Association and Key Management Protocol) and IPSec (/networking-topics/protocols/127-ip-security-protocol.html) are essential to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec security association. ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.

Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IPSec then comes into play to encrypt the data using encryption algorithms and provides authentication, encryption and anti-replay services.

 

IPSEC VPN REQUIREMENTS

To help make this an easy-to-follow exercise, we have split it into two required steps to get the Site-to-Site IPSec Dynamic IP Endpoint VPN Tunnel to work.

These steps are:

(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)

Our example setup consists of the headquarter router R1, which is assigned a static public IP address, and two remote routers, R2 & R3. Both remote routers (R2 & R3) connect to the Internet and have a dynamic public IP address assigned by the ISP, as shown in the diagram below:


Our Headquarters is assigned an internal network of 10.10.10.0/24, while Remote Site 1 has been assigned network 20.20.20.0/24 and Remote Site 2 network 30.30.30.0/24. The goal is to securely connect both remote sites with our headquarters and allow full communication, without any restrictions.

 

CONFIGURE ISAKMP (IKE) - (ISAKMP PHASE 1)

IKE exists only to establish SAs (Security Associations) for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer.

To begin, we'll start working on the Headquarter router (R1).

The first step is to configure an ISAKMP Phase 1 policy:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400

The above commands define the following (in listed order):

- 3DES - The encryption method to be used for Phase 1.
- MD5 - The hashing algorithm.
- Pre-share - Use a pre-shared key as the authentication method.
- Group 2 - The Diffie-Hellman group to be used.
- 86400 - Session key lifetime, expressed in either kilobytes (after x amount of traffic, change the key) or seconds. The value set is the default value.

We should note that the ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends. Since we only have one ISAKMP policy, this will be used for all remote VPN routers.

Next we are going to define a pre-shared key for authentication with our peers (R2 & R3 routers) by using the following command:

crypto isakmp key firewallcx address 0.0.0.0 0.0.0.0

The peers' pre-shared key is set to firewallcx, and note that we are defining a remote public IP address of 0.0.0.0 0.0.0.0. This tells our headquarter router that the remote routers have dynamic public IP addresses and ensures it will try to negotiate and establish a VPN tunnel with any router that requests it.

CONFIGURE IPSEC

To configure IPSec we need to set up the following in order:

- Create extended ACL
- Create IPSec Transform
- Create Dynamic Crypto Maps
- Apply crypto map to the public interface

Let us examine each of the above steps.

CREATING EXTENDED ACL

The next step is to create an access-list and define the traffic we would like the router to pass through each VPN tunnel. In this example, for the first VPN tunnel it would be traffic from headquarters (10.10.10.0/24) to remote site 1 (20.20.20.0/24), and for the second VPN tunnel it will be from our headquarters (10.10.10.0/24) to remote site 2 (30.30.30.0/24). Access-lists that define VPN traffic are sometimes called crypto access-lists or interesting traffic access-lists.

Because we are dealing with two separate VPN tunnels, we'll need to create one access-list for each:

ip access-list extended VPN1-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
ip access-list extended VPN2-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255

CREATE IPSEC TRANSFORM (ISAKMP PHASE 2 POLICY)

Now we need to create the transform set used to protect our data. We've named our transform set TS:

crypto ipsec transform-set TS esp-3des esp-md5-hmac

The above command defines the following:

- ESP-3DES - Encryption method
- MD5 - Hashing algorithm

CREATE DYNAMIC CRYPTO MAPS

The Crypto Map is the last step of our setup and connects the previously defined ISAKMP and IPSec configuration together. We will need one dynamic crypto map for each remote endpoint, which means a total of two dynamic crypto maps for our setup.

First we create a crypto map named VPN, which will be applied to the public interface of our headquarter router, and connect it with the dynamic crypto maps we named hq-vpn:

crypto map VPN 1 ipsec-isakmp dynamic hq-vpn

The ipsec-isakmp tag tells the router that this crypto map is an IPsec crypto map. Now we create our two dynamic crypto maps using the following configuration commands:

crypto dynamic-map hq-vpn 10
 set security-association lifetime seconds 86400
 set transform-set TS
 match address VPN1-TRAFFIC
!
crypto dynamic-map hq-vpn 11
 set security-association lifetime seconds 86400
 set transform-set TS
 match address VPN2-TRAFFIC

Notice how we create one dynamic map for each remote network. The configuration is similar for each dynamic crypto map, with only the instance number (10, 11) and match address (VPN1-TRAFFIC, VPN2-TRAFFIC) changing.

Adding additional remote sites in the future is as easy as adding more dynamic crypto maps, incrementing the index number and specifying the match address extended access-list for each remote network.

 

APPLY CRYPTO MAP TO THE PUBLIC INTERFACE

The final step is to apply our crypto map to the public interface of the headquarter router, which is FastEthernet0/1. In many cases, this might be a serial or ATM (ADSL - Dialer) interface:

interface FastEthernet0/1
 crypto map VPN

Note that you can assign only one crypto map to an interface.

As soon as we apply the crypto map on the interface, we receive a message from the router that confirms ISAKMP is on: "ISAKMP is ON".

At this point, we have completed the IPSec VPN configuration on our headquarter router and we can move to the remote endpoint routers.

CONFIGURING REMOTE ENDPOINT ROUTERS (DYNAMIC PUBLIC IP ADDRESSES)

Our remote routers connect to the Internet and are assigned a dynamic IP address, which is changed periodically by the ISP. For the most part, the configuration is similar to that of the headquarter router, but with a few minor changes.

In the configuration below, IP address 74.200.90.5 represents the public IP address of our headquarter router.

Remote Site 1 Router

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key firewallcx address 74.200.90.5
!
ip access-list extended VPN-TRAFFIC
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
 set peer 74.200.90.5
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 crypto map vpn-to-hq

Remote Site 2 Router

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key firewallcx address 74.200.90.5
!
ip access-list extended VPN-TRAFFIC
 permit ip 30.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
 set peer 74.200.90.5
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 crypto map vpn-to-hq

It is noticeable that the only major difference between the two routers' configurations is the extended access list.

 

NETWORK ADDRESS TRANSLATION (NAT) AND IPSEC VPN TUNNELS

Network Address Translation (NAT) is most likely configured to provide Internet access to internal hosts. When configuring a Site-to-Site VPN tunnel, it is imperative to instruct the router not to perform NAT (deny NAT) on packets destined to the remote VPN networks.

This is easily done by inserting a deny statement at the beginning of the NAT access lists, as shown below.

For the headquarter router, deny NAT for packets destined to the remote VPN networks, but allow NAT for all other networks (Internet):

ip nat inside source list 100 interface fastethernet0/1 overload
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 remark

For Remote Site 1 Router, deny NAT for packets destined to the headquarter network:

ip nat inside source list 100 interface fastethernet0/1 overload
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 remark

For Remote Site 2 Router, deny NAT for packets destined to the headquarter network:

ip nat inside source list 100 interface fastethernet0/1 overload
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 30.30.30.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 30.30.30.0 0.0.0.255 any
access-list 100 remark
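Two properties of the configuration above are easy to get wrong on a router with several sites: each remote site's crypto ACL must be the exact reverse of the HQ crypto ACL that selects its traffic, and the NAT ACL must deny every VPN flow before its "permit ... any" line. The following Python script is an added example (not part of the Firewall.cx article, nor a Cisco tool): it parses IOS-style access-list entries, constructed here from the article's addresses, and reports a non-mirrored crypto ACL or a NAT ACL whose deny lines sit below the permit.

```python
import ipaddress

# Constructed from the addresses in the article: the HQ crypto ACLs, Remote Site 1's
# crypto ACL and the HQ NAT ACL, each with a deliberately wrong variant to compare.
HQ_VPN1_CRYPTO = """
ip access-list extended VPN1-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
"""
HQ_CRYPTO_ALL = HQ_VPN1_CRYPTO + """!
ip access-list extended VPN2-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
"""
SITE1_CRYPTO = "permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255"
SITE1_CRYPTO_WRONG = "permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.0"  # /32 typo
HQ_NAT = """
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 remark
"""
HQ_NAT_WRONG = """
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACEs carry an inverted mask: 0.0.0.255 means the last octet is don't-care."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_network(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Return [(action, src_net, dst_net), ...] for every 'permit|deny ip' entry.
    Both the named and the numbered form from the article are accepted; remarks,
    'ip access-list' headers and '!' separators are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]  # drop 'access-list <number>'
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, rest = _take_network(tokens[2:])
        dst, _ = _take_network(rest)
        aces.append((tokens[0], src, dst))
    return aces


def permitted_flows(aces):
    return {(src, dst) for action, src, dst in aces if action == "permit"}


def is_mirror(hq_crypto: str, remote_crypto: str) -> bool:
    """Phase 2 only completes when each side's crypto ACL is the exact reverse of the other."""
    reversed_hq = {(dst, src) for src, dst in permitted_flows(parse_acl(hq_crypto))}
    return reversed_hq == permitted_flows(parse_acl(remote_crypto))


def nat_leaks(nat_acl: str, crypto_acl: str):
    """Flows selected by the crypto ACL that the NAT ACL would still translate.
    IOS evaluates an ACL top-down and stops at the first match, so a 'permit ... any'
    placed above the deny lines is exactly the mistake this catches."""
    nat = parse_acl(nat_acl)
    leaks = []
    for src, dst in sorted(permitted_flows(parse_acl(crypto_acl)), key=str):
        for action, nat_src, nat_dst in nat:
            if src.subnet_of(nat_src) and dst.subnet_of(nat_dst):
                if action == "permit":
                    leaks.append(f"{src} -> {dst} is translated before it can be encrypted")
                break  # first match wins
    return leaks
```

Running nat_leaks(HQ_NAT_WRONG, HQ_CRYPTO_ALL) reports both remote networks, while the article's ordering in HQ_NAT reports none.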

BRINGING UP AND VERIFYING THE VPN TUNNEL

At this point, we've completed our configuration and the VPN Tunnel is ready to be brought up. To initiate the VPN Tunnel, we need to force one packet to traverse the VPN, and this can be achieved by pinging from one router to another. There is however one caveat that was mentioned at the beginning of this article:

Site to Site VPN networks with dynamic remote public IP addresses can only be brought up by the remote sites.

The reason for this is simple and logical. Only the remote site routers are aware of the headquarter's public IP address (74.200.90.5), because it is static, and therefore only the remote router can initiate the VPN tunnel.

From Remote Site 1, let's ping the headquarter router:

R2# ping 10.10.10.1 source fastethernet0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 73.54.120.100
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 42/46/5

The first ping timed out, but the rest received a reply, as expected. The time required to bring up the VPN Tunnel is sometimes slightly more than 2 seconds, causing the first ping to time out.

To verify the VPN Tunnel, use the show crypto session command:

R2# show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 74.200.90.5 port 500
  IKE SA: local 73.54.120.100/500 remote 74.200.90.5/500 Active
  IPSEC FLOW: permit ip 20.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map

From Remote Site 2, let's ping the headquarter router:

R3# ping 10.10.10.1 source fastethernet0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 85.100.120.5
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 47/50/53 ms

Again, the first ping timed out, but the rest received a reply, as expected. The time required to bring up the VPN Tunnel is sometimes slightly more than 2 seconds, causing the first ping to time out.

To verify the VPN Tunnel, use the show crypto session command:

R3# show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 74.200.90.5 port 500
  IKE SA: local 85.100.120.5/500 remote 74.200.90.5/500 Active
  IPSEC FLOW: permit ip 30.30.30.0/255.255.255.0 10.10.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Issuing the show crypto session command at the headquarter router will reveal all remote routers' public IP addresses. This is usually a good shortcut when trying to figure out the public IP address of your remote routers.
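Since the headquarter router is the only place where every remote site's current public IP is visible, that output is also the natural input for monitoring. As an added example (not from the article), the Python below parses show crypto session output into per-peer records, looks up the public IP of a site by its protected network, and lists sites whose tunnel is missing or not UP-ACTIVE. The sample output is constructed from the article's addresses as it would appear on the HQ router; the DOWN block and the "origin: dynamic crypto map" wording are assumptions, not captured output.

```python
import ipaddress
import re

# Constructed sample: 'show crypto session' on the HQ router (74.200.90.5) after both
# remote sites have connected and Remote Site 2 has since gone down. The layout follows
# the R2/R3 output in the article; the DOWN block and the 'dynamic crypto map' origin
# text are assumptions.
HQ_SHOW_CRYPTO_SESSION = """\
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 73.54.120.100 port 500
  IKE SA: local 74.200.90.5/500 remote 73.54.120.100/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map

Interface: FastEthernet0/1
Session status: DOWN
Peer: 85.100.120.5 port 500
  IKE SA: local 74.200.90.5/500 remote 85.100.120.5/500 Inactive
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 30.30.30.0/255.255.255.0
        Active SAs: 0, origin: dynamic crypto map
"""

STATUS_RE = re.compile(r"^Session status:\s+(\S+)")
PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+port\s+(\d+)")
FLOW_RE = re.compile(r"^IPSEC FLOW:\s+permit\s+ip\s+(\S+)/(\S+)\s+(\S+)/(\S+)")
SAS_RE = re.compile(r"^Active SAs:\s+(\d+)")


def parse_sessions(text: str):
    """One dict per 'Interface:' block: status, peer, port, active_sas and the
    protected flows as (local_net, remote_net) pairs. Indentation is ignored."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            current = {"interface": line.split(":", 1)[1].strip(), "status": "UNKNOWN",
                       "peer": None, "port": None, "active_sas": 0, "flows": []}
            sessions.append(current)
        elif current is None:
            continue  # banner lines before the first session block
        elif m := STATUS_RE.match(line):
            current["status"] = m.group(1)
        elif m := PEER_RE.match(line):
            current["peer"], current["port"] = m.group(1), int(m.group(2))
        elif m := FLOW_RE.match(line):
            local = ipaddress.IPv4Network((m.group(1), m.group(2)))
            remote = ipaddress.IPv4Network((m.group(3), m.group(4)))
            current["flows"].append((local, remote))
        elif m := SAS_RE.match(line):
            current["active_sas"] = int(m.group(1))
    return sessions


def remote_sites(sessions):
    """Map each protected remote network to (peer public IP, session status)."""
    return {str(remote): (s["peer"], s["status"]) for s in sessions for _, remote in s["flows"]}


def peer_for_network(sessions, remote_net: str):
    """Current public IP of the remote router protecting remote_net, or None."""
    return remote_sites(sessions).get(remote_net, (None, None))[0]


def tunnels_not_up(sessions, expected_remote_nets):
    """Expected sites whose tunnel is absent or not UP-ACTIVE. A site that has never
    connected leaves no session at all on the HQ, so absence is reported too."""
    seen = remote_sites(sessions)
    report = {}
    for net in expected_remote_nets:
        peer, status = seen.get(net, (None, "NO-SESSION"))
        if status != "UP-ACTIVE":
            report[net] = (peer, status)
    return report
```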


33 Comments

Admasu Marie
it is really nice.
30 January 2013 15:20

Галч Отгонбилэг · Database Administrator at Monos group
Nice article.
4 February 2013 12:01

Demba Sonko · Maulana Azad National Institute of Technology, Bhopal
Great Article....
5 March 2013 00:10

Muneer Chakkalakkal · MAMO college manassery · System Admin Ict Qatar.
it is very helpful.
25 February 2013 01:44

Edwin Pieters
For R1 (HQ router) I guess you meant:
interface fastethernet0/1
 crypto map hq-vpn.
Small typo, but yet again an excellent tutorial, thanks a lot for this
28 March 2013 15:24

Chris Partsenidis · Founder, Editor-in-Chief at Firewall.cx
Thanks for the tip Edwin - small but important typo. We've also changed the crypto maps to ensure users do not get confused with the remote R2/R3 routers. Thanks again!
28 March 2013 19:55

Derek Hyland
Shouldn't the WAN interface on the HQ router have the crypto map 'VPN' applied on it, since 'hq-vpn' isn't a crypto map in and of itself?
18 May 2013 02:58

Chris Partsenidis · Founder, Editor-in-Chief at Firewall.cx
Derek Hyland, you are correct! There is a misconfiguration in the code. I've updated the article to reflect the correct command. Thanks for your input!
18 May 2013 06:13


© Copyright 2000-2016 Firewall.cx - All Rights Reserved
