Configuring Dynamic IP Addressing

To enter privileged EXEC mode, enter the enable user EXEC command.

To enter global configuration mode, enter the configure privileged EXEC command. To configure the terminal attached at console port, enter the terminal keyword.

To define a default domain name that the Cisco IOS software uses to complete unqualified host names, use the ip domain-name global configuration command. An unqualified host name is a host name without a dotted-decimal domain name.

In this example, example.com is defined as the default domain name.

To specify or modify the host name for the network server, enter the hostname global configuration command. The host name is used in prompts and default configuration filenames.

In this example, hq_sanjose is defined as the host name. The hq_sanjose host name replaces the default router host name.

hq-sanjose(config)# crypto ipsec transform-set vpn-transform esp-des ah-md5-hmac

To define a combination of security associations to occur during IPSec negotiations and enter crypto transform configuration mode, enter the crypto ipsec transform-set global configuration command.

In this example, the transform set named vpn-transform is defined with two security algorithms: esp-des and ah-md5-hmac.

Note There are complex rules defining which entries you can use for the transform arguments. These rules are explained in the command description for the crypto ipsec transform-set command. You can also use the crypto ipsec transform-set global configuration command to view the available transform arguments.

hq-sanjose(cfg-crypto-trans)# mode tunnel

To specify IPSec encapsulation between the gateway and the VPN Client, enter the mode crypto transform configuration command. The mode command is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.)

In this example, tunnel mode is configured for vpn-transform for an IPSec encrypted tunnel.

hq-sanjose(cfg-crypto-trans)# exit

To exit crypto map configuration mode, enter the exit crypto transform configuration command.

To define a dynamic crypto map entry and enter the crypto map configuration mode, enter the crypto dynamic-map command.

In this example, the dynamic map name is vpn-dynamic, and the sequence number (or priority) is 1.

To specify which transform sets are allowed for the crypto map entry, enter the set transform-set crypto map configuration command.

In this example, the transform set previously defined in Defining an IPSec Transform Set, vpn-transform is applied to the vpn-dynamic dynamic crypto map.

Note You can list multiple transform sets in order of priority (highest priority first).

To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets.

To exit crypto map configuration mode, enter the exit crypto map configuration command.

To define a local IP address pool for VPN Clients, enter the ip local pool command. You can use existing local address pools to define a set of addresses. The IP address pool must be within the IP range of the corporate subnet.

In this example, the pool name is vpn-pool. This IP address pool has a range from 10.1.2.1---10.1.2.254. The local address pool for VPN Clients is defined.

To configure the local IP address pool for VPN Clients to reference IKE on your router, use the crypto isakmp client configuration address-pool local global configuration command. In this example, the pool name is vpn-pool.

The IP address pool for VPN Clients is set to reference IKE on your router.

To configure IKE Mode Configuration on the static crypto map, use the crypto map client configuration address global configuration command. In this example, the crypto map is vpnclient. To indicate that IKE Mode Configuration is to be gateway-initiated, use the initiate keyword.

Note Cisco supports gateway-initiated IKE Mode Configuration only. Client-initiated IKE Mode Configuration is not currently supported.

A crypto map is defined for gateway-initiated IKE Mode Configuration.

To exit global configuration mode, enter the exit global configuration command.

To define a static crypto map and add a dynamic crypto map set to a static crypto map set, enter the crypto map global configuration command. In this example, the vpn-dynamic dynamic map (child) is applied to the vpnclient static crypto (parent) map.

(Optional) To permit all IP traffic between the host and the gateway when using static IP addressing on the VPN Client, use the extended version of the access-list global configuration command.

Note An access-list must be configured for each VPN Client configured with static IP addresses on a corporate subnet.

In this example, all IP traffic is permitted between the two IPSec peers.

To configure an interface, enter the interface global configuration command. This command invokes the interface (config-if) configuration mode.

To indicate an IP address to the interface, enter the ip address interface configuration command.

In this example, 10.1.1.1 is specified as the IP address of the Ethernet 0/0 interface.

To apply a previously defined crypto map set to an interface, enter the crypto map interface configuration command.

In this example, crypto map vpnclient is applied to outbound packets from Ethernet interface 0/0.