Comments for IPSEC Over a 3G WAN to ASA5510.

_________________
Find networking-forum.com on Facebook, LinkedIn, Twitter, Google+,or subscribe to the site's RSS feeds.

Great stuff Steve. Can you give me the part number of the SIM Cellular card. I can actually use this setup for a couple of tele-workers.


How stable is the VPN connection? would a phone(7975) behind the 881 work good as far as voice quality?

grichardson661 wrote it. The author is listed under the blog post titles.

_________________
Find networking-forum.com on Facebook, LinkedIn, Twitter, Google+,or subscribe to the site's RSS feeds.

I have some questions about this post.

1. How do you find out the 3G information for the cellular interface?

When you buy the cell card, do you buy a plan with it as well which gives you this information?

I am referring to the numbers in the string

chat-script t-mobile "" "ATDT*99*1#" TIMEOUT 30 "CONNECT

2. You use a dynamic crypto map under the Hub site, this means that only the hub site can start the IPSec VPN since it has the dynamic crypto map.

How do you ensure that the Hub site always tries to start the VPN?

Thanks

@mastarron



Are you talking about the cellular module that connects to the front of the 881? The cellular module is Cisco specific and comes as part as the 881 3G package.



How much bandwidth does voice need? We've been pushing audio and video over the VPN (with a propriety codec) to our core network and its pretty stable, not perfect but it will suffice for our requirements. Our application needs 300K for upload and its ok.

@ZeroZeroFourteen





We purchased a 3G data enabled card and i found the chat-script config from searching on the web. Your provider will issue the APN and username and password but the username and password are optional and generic.

A useful link for the chat-script config - http://inetpro.org/wiki/Initial_configu ... _interface



Well the hub doesn't have a peer address so it has no way of knowing its peer. Only the spoke (client) has the peer address which performs the dial in to the Easy VPN server.


Hope this Helps

Im still a little bit confused.

From what I can find on the web a dynamic crypto map is used when you do not know the IP address of the peer.

As a result, only the side that has the dynamic crypto map can initiate the VPN connection.

In this configuration, the hub has that dynamic crypto map and the remote has the regular crypto map.

So how can the remote initiate the ipsec connection?

Thanks

Erm, someone correct me if I'm wrong on this, but I would assume the side that has to have the dynamic entry configured would be the one that is expecting an IP/peer to come from anywhere, so can't configure anything static, and then the one which knows its endpoint (the hub) will have the static configuration, as it always knows the peer to establish to?

_________________
Router> show single women | inc without-drama
Router>

Working From My Shed, my networking blog
http://www.workingfrommyshed.co.uk

That does make more sense, I was doing off of this

https://learningnetwork.cisco.com/message/73485

That reads like the VPN can only be done from the side which is dynamic in nature, i.e. not fixed IP

_________________
Router> show single women | inc without-drama
Router>

Working From My Shed, my networking blog
http://www.workingfrommyshed.co.uk

That is what I was saying above, which is why I am confused.

Stuh84 is right.

Have a read of this document from Ciscos website.

https://www.cisco.com/en/US/docs/ios/12 ... #wp1069489

Notice these paragraphs

Thanks!

This is freaking awsome thanks!!

we have some projects coming up that we were wanting something like this it may very well save us alot of time and effort

_________________
Freedom to all the people. Brave, true and strong.
Freedom to all the people. Unless I think you're wrong

dhimes.com

Cool, hope it helps

Great work, one of the most useful I've come across in recent times.

However, I would like to know how this can be done from a 3G Router to a small edge router e.g. an 871W or 1900 series (not ASA). what I mean is how to use the 3G Router as remote and the 871 as HQ without SDM or CP, just plain simple IOS.

Anyone has an idea?

Cool I think this is what you are looking for - http://www.cisco.com/en/US/prod/collate ... 313bd6.pdf

Hello.

Im doing a lab trying to make this solution to work.

There is a 1921 as the EzVPN Server.
There is a 1841 as the EzVPN Client.

Everything is working just fine.
The EzVPN Client dials a public IP address and connects to the EzVPN Server.

The problem is:
If i renew the IP Address for whatever reason on the client, the EzVPN Server changes the IP Address aswell on the "show crypto session" output, but keeps the old Client IP Address on the current peer field from the "show crypto map" output.

With the crypto map pointing to the older IP, the VPN stays up but traffic cant pass.
Then, after 1min of a "clear crypto session", the "show crypto map" shows the correct new ip and traffic can pass normally.

Is there some hint to correct this issue? Or is this a limitation?
Many thanks.