Need help! IPsec IKEv1/v2 with dynamic IP won't work! Dome Pro with dynamic IP address (SIM card) to Cisco C8200 router with public static IP address

Hi,
I'm trying to establish a normal IPsec tunnel between a Peplink Dome Pro with a dynamic IP (Telekom SIM card) and a Cisco router C8200 with a static public IP.
Can't use DynDNS because of security reasons…

Can't figure out a working configuration. Tried it with crypto map dynamic peer, no chance, it won't work.

Can anybody advise me or send me a proper how-to?

1Love
Alexander

Here is my configuration for the Cisco C8200:

a) Access list for VPN traffic

ip access-list extended VPN-TRAFFIC
 permit ip any any

b) IKEv2 proposal and policy

crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2_POLICY
 proposal IKEV2_PROPOSAL

c) IKEv2 keyring (with dynamic peer)

The address 0.0.0.0 accepts arbitrary initiators.

crypto ikev2 keyring IKEV2_KEYRING
 peer PEPLINK
  address 0.0.0.0 0.0.0.0
  pre-shared-key <GEHEIMER_PSK>

d) IKEv2 profile with static peer ID

Optional: with "match identity remote fqdn" a fixed peer ID can be used, which must be identical on both sides.

crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 0.0.0.0 0.0.0.0
 identity local address <CISCO_PUBLIC_IP>
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KEYRING

e) IPsec transform set and profile

crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC_PROFILE
 set transform-set TS
 set ikev2-profile IKEV2_PROFILE

f) Crypto map

crypto map VPN-MAP 10 ipsec-isakmp
 set peer peplink.test dynamic
 set transform-set TS
 set ikev2-profile IKEV2_PROFILE
 match address VPN-TRAFFIC
interface <WAN_INTERFACE>
 crypto map VPN-MAP

Howdy! Welcome to the forum!

So, DynDNS is not required, as your spoke (the Peplink) will be dialing out to the hub (the Cat8200).

Please share the configuration on the Peplink side (screenshots will work best). The one thing that stands out to me in your config is that your statement:

match identity remote address 0.0.0.0 0.0.0.0

should actually be

match identity remote fqdn [X]

where X is the local ID set on the Peplink. You can't use a remote address here the way you did because it's not an ACL; it's using it to identify the remote peer. This is important because you don't have a static IP or DynDNS on your spoke (the Peplink), so you need to use a "fake" FQDN, aka Remote ID, as the identifier.

So, in short, change the line I mentioned above and make sure the remote fqdn in the Cisco config (just use 'peplink') is the same as the local ID on the Peplink side of the tunnel.

Also, in the future, if posting about Cisco, please ensure you mention the software type and version. While I know that the Cat8200 runs IOS-XE, I assumed you are on v17.x.


Thanks Christopher,
I think you're right, the issue is about the "local ID".
First I tried to set the local ID to "PEPLINK"; this won't work because the Peplink didn't accept names/words (see screenshot).

Today I tried an FQDN "dome.peplink.local" and followed your advice. It's still not working, I can't establish the tunnel.

I didn't understand for which reason you chose the "peer" name under point c) IKEv2 keyring. I took PEPLINK as a placeholder name…

c) IKEv2 keyring (with dynamic peer)

The address 0.0.0.0 accepts arbitrary initiators.

crypto ikev2 keyring IKEV2_KEYRING
 peer PEPLINK ??

Is the Dome in InControl2? If so, it has a dynamic identity through Peplink that can be set, no need for a third party.

I also noticed this:

 encryption aes-cbc-256
 integrity sha256

where your screenshot shows AES-CBC-256 / SHA1.

These need to match.

I have used Local ID u-fqdn, that is [email protected].
I don't know if Peplink sends just FQDN; it implies that DN is matched to client certificates.

That should also match the u-fqdn in the Cisco. If you were using IKEv1 you would need aggressive mode.

Figuring out the correct commands usually requires you to put the Cisco into complete debugging mode and see exactly what is negotiated and what is rejected, along with packet captures.

I have Juniper examples for IKEv1:

gateway ta1-ike-gateway {
    ike-policy ta1-ike-policy;
    dynamic user-at-hostname "[email protected]";
    external-interface fe-0/0/0.0;
}

profile)# dynamic

profile)# identity local email [email protected]

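As an added example (not from this thread, nor Peplink or Cisco code), here is a small Python check for the two mismatches the replies above call out: a hub that matches the remote identity by address (or by an ID type/value that differs from the Peplink local ID) while the spoke has a dynamic IP, and proposal algorithms that differ (SHA256 on the Cisco vs the AES-CBC-256 / SHA1 in the screenshot). The IOS text and the Peplink settings dict are constructed samples; 203.0.113.1 is a placeholder address.

```python
import re

# Constructed sample of the hub-side IKEv2 config as posted in this thread
# (address-based identity match, sha256 integrity); not real device output.
CISCO_CONFIG = """
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 0.0.0.0 0.0.0.0
 identity local address 203.0.113.1
"""

# Constructed spoke settings mirroring the Peplink fields discussed above
# (local ID type/value, and the AES-CBC-256 / SHA1 proposal from the screenshot).
PEPLINK = {"local_id_type": "fqdn", "local_id": "peplink",
           "encryption": "aes-cbc-256", "integrity": "sha1", "group": 14}


def parse_cisco(text):
    """Pull the proposal algorithms and the 'match identity remote' rule out of IOS text."""
    cfg = {}
    for m in re.finditer(r"^\s*(encryption|integrity|group) (\S+)", text, re.M):
        cfg[m.group(1)] = m.group(2)
    m = re.search(r"^\s*match identity remote (\S+) (.+)$", text, re.M)
    if m:
        cfg["remote_id_type"], cfg["remote_id"] = m.group(1), m.group(2).strip()
    return cfg


def find_mismatches(cisco, peplink):
    """Return the reasons this hub and spoke would fail to negotiate IKEv2."""
    problems = []
    rtype = cisco.get("remote_id_type")
    # The hub matches the IDi payload the spoke sends, not its source address,
    # so a dynamic-IP spoke must present a name-type ID the hub matches by value.
    if rtype == "address":
        problems.append("hub matches remote identity by address, but the spoke has a dynamic IP")
    elif rtype != peplink["local_id_type"]:
        problems.append(f"identity type differs: hub {rtype} vs spoke {peplink['local_id_type']}")
    elif cisco.get("remote_id") != peplink["local_id"]:
        problems.append(f"identity value differs: hub {cisco.get('remote_id')!r} vs spoke {peplink['local_id']!r}")
    # Proposal algorithms must agree or IKE_SA_INIT ends with NO_PROPOSAL_CHOSEN.
    for key in ("encryption", "integrity"):
        if cisco.get(key) != peplink[key]:
            problems.append(f"{key} differs: hub {cisco.get(key)} vs spoke {peplink[key]}")
    if int(cisco.get("group", 0)) != peplink["group"]:
        problems.append(f"DH group differs: hub {cisco.get('group')} vs spoke {peplink['group']}")
    return problems
```

Running `find_mismatches(parse_cisco(CISCO_CONFIG), PEPLINK)` on the sample reports the address-based identity match and the SHA256/SHA1 integrity mismatch; once the profile uses `match identity remote fqdn peplink` and `integrity sha1`, the list is empty.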

Still can't establish a connection; this sucks after one week of trial and error.
Now the Peplink says "remote network refused". I'm really dying.

It couldn't be so difficult just to build a VPN to a Cisco.

Here is the show run of the Cisco C8200:
!
crypto ikev2 keyring FLEXVPN_KEYRING
 peer spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key local Cisco123
  pre-shared-key remote Cisco123
!
crypto ikev2 profile FLEXVPN_PROFILE
 match identity remote key-id vpn@peplink
 identity local address 172.16.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEXVPN_KEYRING
 aaa authorization group psk list FLEXVPN default
 virtual-template 1
!
crypto keyring dynkey
  pre-shared-key hostname vpn@peplink key 1234567890
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp profile dynprofile
   keyring dynkey
   self-identity user-fqdn vpn@cisco
   match identity user-fqdn vpn@peplink
   initiate mode aggressive
!
crypto ipsec transform-set 3desset esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile default
 set ikev2-profile FLEXVPN_PROFILE
!
crypto dynamic-map dynmap 10
 set transform-set 3desset
 set pfs group2
 set isakmp-profile dynprofile
 match address 100
!
crypto map crymap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback10
 ip address 10.10.10.10 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address 87.129.XXX.XX 255.255.255.248
 negotiation auto
 crypto map crymap
!
interface GigabitEthernet0/0/1
 ip address 192.168.227.1 255.255.255.0
 negotiation auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel protection ipsec profile default
!
no ip http server
ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.129.XXX.XX
!
ip access-list standard Flex-ACL
 10 permit any log

Please post BOTH sides of the configuration, not just one.