VPN to ASA from remote site with DDNS

Unanswered Question
Feb 12th, 2009


I am trying to find the best way to set up a VPN between a remote C800 series router and an ASA5505 at the headend. The remote router has a dynamic WAN IP and I want to be able to connect back down the tunnel to the router's LAN from the LAN at the ASA end. I have the remote router registering with DynDNS but can't get the ASA to use a domain name for the peer.

Ivan Martinon Thu, 02/12/2009 - 11:52

The only way your ASA will use hostnames for the VPN connection is when using digital certificates for IKE authentication or if the connection is coming in via aggressive mode. That means that the use of a domain name for the peer under the crypto map is something the ASA does not support.

shailen-tpnl Mon, 02/16/2009 - 15:22

Thank you for that feedback. So I have tried to set up an Easy VPN connection and have been able to use the reverse route feature to install a route on the ASA. This seems to provide me with connectivity in both directions; however, it seems to only work if the remote site initiates traffic first. Then the headend can communicate with the remote LAN. Can you please tell me how else I can achieve this, i.e. a VPN with the headend able to initiate traffic while the remote site is not using a static IP address?



Ivan Martinon Mon, 02/16/2009 - 15:32

Unfortunately, since the remote end has a dynamic IP address, the central side will not be able to start the VPN connection; the one with the dynamic IP address is the one that has to do it.

shailen-tpnl Mon, 02/16/2009 - 15:39

From what I have seen, the remote client initiates the VPN session as soon as it boots up and the session will stay up for the configured idle time. When the tunnel is up, the headend can only communicate with the remote LAN when traffic is initiated from the remote LAN. Communication is only available for a small period of time. The tunnel never goes down and the SAs are still present. I have set up the remote site to get NTP from the headend LAN so that there is always some traffic initiated from the remote device. This is a workaround until I can find a proper solution.

Ivan Martinon Mon, 02/16/2009 - 15:46

OK, let me see if I got it right: when the remote end initiates the tunnel it can pass traffic fine, but then after a period of time the tunnel is not able to pass any more traffic, regardless of the fact that the tunnel shows up along with the SA active?

shailen-tpnl Mon, 02/16/2009 - 15:51

Yep, that is correct. When that happens I need to get onto the remote router and either clear the ISAKMP SA or try to do an extended ping to the headend.
