VPN between 2 sites with dynamic IP

Aug 25th, 2009

Hi everyone, I'm a newbie in CISCO systems but I'm actually excited to work with this brand. I started working in a company and they assigned me the task to find out if there is a possibility to establish a VPN tunnel between two sites that are connected to the Internet via ADSL modem and the ISP works with DHCP. I have two CISCO 2811 routers, with 2 FE, and an external ADSL modem. My 2 main questions are:

1) Is it possible to establish the tunnel if I only have dynamic IPs?

2) Can I establish a firewall policy with the IOS to allow only the traffic through the tunnel? Is that related to the no-splitting concept?

I appreciate all the help and advice you can give me since I'm new to a lot of this stuff, but I'm actually learning a lot. Feel free to ask me anything specific about my router configuration (which is really basic at the moment) or anything else you need to know to help me.


Paolo Bevilacqua Tue, 08/25/2009 - 14:38

Yes to both Qs.

For 1, you need to configure Dynamic DNS and Dynamic peer resolution in IPsec. You can find documentation for that with the search box.

For 2, the crypto map ACL defines which traffic goes into the tunnel and which does not.

Please note, you've been given tasks that are normally done by trained and certified Cisco technicians, so either consider having a professional do that for you, or spend a lot of time studying and trying before you get these 100% working.
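
The three pieces named in the reply above (Dynamic DNS, dynamic peer resolution, and the crypto map ACL), shown together as an added example that is not part of the original thread or written by any poster. It is one site's IOS configuration; every hostname, subnet, resolver address, object name and the update URL is a constructed placeholder.

```cisco
! Site A (constructed example; Site B mirrors it with names and subnets swapped).
! Placeholders: site-a/site-b.example.net, 10.1.0.0/24 (A LAN),
! 10.2.0.0/24 (B LAN), 192.0.2.53 (resolver), DDNS-HTTP, VPN-TS, VPN-MAP, ACL 110.
ip domain lookup
ip name-server 192.0.2.53
!
! Dynamic DNS: publish this router's current DHCP-assigned WAN address.
ip ddns update method DDNS-HTTP
 HTTP
  add <provider-specific update URL>
 interval maximum 0 0 30 0
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
! The peer's address is not known in advance, so the key cannot be tied to one IP.
! A wildcard key is accepted from any source address: use a long random value.
crypto isakmp key <pre-shared-key> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: only LAN-to-LAN traffic is selected for the tunnel.
! Traffic that does not match it is forwarded unencrypted.
access-list 110 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! "dynamic" makes the router resolve the peer name when the tunnel is built,
! not once at configuration time.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer site-b.example.net dynamic
 set transform-set VPN-TS
 match address 110
!
interface FastEthernet0/0
 description WAN to ADSL modem, address from ISP DHCP
 ip address dhcp
 ip ddns update hostname site-a.example.net
 ip ddns update DDNS-HTTP
 crypto map VPN-MAP
```

The crypto ACL on Site B must be the exact mirror (source and destination swapped), otherwise the two ends will not agree on which traffic the tunnel protects.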

gustavo-salazar Wed, 08/26/2009 - 07:38

Thanks a lot for the advice. Don't worry I know these tasks are difficult, I'm actually studying for the CCNA certification, and I have until December to get these 100% working. As these are not concepts that you usually learn within the CCNA level, I'm doing my best reading a lot of the documentation in the site.

Actually I found something interesting that actually might be my best solution: DMVPN. The topology managed in the company is a star topology and we have some static IPs provided by the ISP in the central. We have dynamic IP in each branch office, and we want to establish a backup connection just like the one in the attached file. Now my new questions are:

1) Is this configuration a better solution for my case, or can I handle it with traditional IPSec tunnels applying Dynamic DNS and Dynamic peer resolution in IPsec?

2) Is it possible to implement BGP on a DMVPN? I ask this because we actually have a BGP configured in the network.

Thanks for the advice.


Paolo Bevilacqua Wed, 08/26/2009 - 10:49

No, you cannot do true DMVPN with all dynamic addresses. The hub must have a static address.

BGP has no use in DMVPN.

c.karl Sat, 09/26/2009 - 04:48

DMVPN is the best solution in your setup. It's quite easy to configure. But you need static IPs for the DMVPN hub routers.

You could use BGP to advertise the local networks to the hubs, but I would prefer OSPF.

