Site-to-site VPN with dynamic IP on both sites

Nov 20th, 2009

Hello everybody,

I have to configure a site-to-site VPN with dynamic IP on both ends: I have a PIX v7 in the central site and a router with Firewall Software on another site.
Is it possible to do so using DNS names?

mopaul Fri, 11/20/2009 - 17:32

Hi ,

@Patrick: If you mean this ain't possible on PIX, then yeah, you are right. Else this may surprise you:

You can build an IPsec VPN tunnel between Cisco routers, both on dynamic IP addresses.

In order to configure a LAN-to-LAN Virtual Private Network (VPN) tunnel between two routers with dynamic IP addresses, complete these steps apart from the basic configuration:

  1. Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map.
  2. On the remote router, configure the dynamic crypto map without the use of the peer statement.

With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.

1. Only a router with a static crypto map can initiate the tunnel with the dynamic DNS resolution of the peer statement.

2. This works on Cisco IOS router code 12.3 and above.

The following example shows a crypto map configuration when IKE will be used to establish the security associations (SAs). In this example, an SA could be set up to either the IPSec peer at or the peer at

crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer
 set peer

The following example shows how to configure a router to perform real-time Domain Name System (DNS) resolution with a remote IPSec peer; that is, the host name of peer is resolved via a DNS lookup right before the router establishes a connection (an IPSec tunnel) with the peer.

crypto map secure_b 10 ipsec-isakmp
  match address 140
  set peer dynamic 
  set transform-set xset
interface serial1
  ip address
  crypto map secure_b
access-list 140 permit ...

The following example shows that the first peer, at IP address, is the default peer.

crypto map tohub 1 ipsec-isakmp 
 set peer default 
 set peer 

The following example shows that the peer with the host name fred is the default peer.

crypto map tohub 2 ipsec-isakmp 
 set peer fred dynamic default 
 set peer barney dynamic 

Refer to the Command Reference for more about the set peer dynamic command.

Refer to the R2 (Cisco 2811 Router) section of Router-to-PIX Dynamic-to-Static IPsec with NAT Configuration Example in order to configure a dynamic crypto map on the router.

Refer to the Mop (Cisco 7204 Router) section of Router-to-PIX Dynamic-to-Static IPsec with NAT Configuration Example in order to configure a static crypto map on the router.

There is one more thing to add here, i.e. Tunnel Endpoint Discovery; though this has gone obsolete, if you have a minute, refer to this too. To be honest I have never tried this before, but yes, this used to be in place a long time back.

Sorry, nothing can be done on PIX; this setup works on Cisco routers as per the information posted above. I am sure the information given above will help you, if not now, maybe sometime later, as many people do not know that this works.

"Knowledge is always an addition " :-)
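As an added example (not from mopaul's post, and not Cisco's own documentation), here is a complete pair of IOS configurations putting the two steps above together: the hub carries the static crypto map with set peer hostname dynamic, and the spoke carries a dynamic crypto map with no peer statement. Every hostname, address, name and key is an assumed placeholder: the spoke's DDNS name spoke.example.net, a DNS server at 192.0.2.53, LANs 10.1.0.0/16 (hub) and 10.2.0.0/16 (spoke), the pre-shared key EXAMPLE_PSK, and FastEthernet0/0 as the DHCP-addressed WAN interface on both routers. The spoke is assumed to already register its current address under spoke.example.net with its DDNS provider.

```cisco
! ===== HUB: static crypto map, resolves the spoke's DDNS name at tunnel setup =====
! (added example; all names, addresses and the key are placeholders)
hostname HUB
!
! DNS resolution must work on the hub, because 'set peer ... dynamic' looks the
! hostname up right before IKE starts (assumed DNS server address)
ip domain lookup
ip name-server 192.0.2.53
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! The spoke's address changes, so the pre-shared key is bound to the wildcard
! address; the key itself is then the only thing that identifies the peer
crypto isakmp key EXAMPLE_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Static crypto map: the peer is a DNS name, resolved dynamically (step 1)
crypto map HUBMAP 10 ipsec-isakmp
 set peer spoke.example.net dynamic
 set transform-set TS
 match address 101
!
! Interesting traffic: hub LAN <-> spoke LAN
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface FastEthernet0/0
 description WAN (dynamic address)
 ip address dhcp
 crypto map HUBMAP
!
! ===== SPOKE: dynamic crypto map, no peer statement (step 2) =====
hostname SPOKE
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! The hub's address is also dynamic, so the key is wildcarded here too
crypto isakmp key EXAMPLE_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Dynamic crypto map template: accepts IKE from any address; the spoke never
! initiates, it only answers the hub (see note 1 in the post above)
crypto dynamic-map DYNMAP 10
 set transform-set TS
 match address 101
!
crypto map SPOKEMAP 10 ipsec-isakmp dynamic DYNMAP
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
interface FastEthernet0/0
 description WAN (dynamic address, registered as spoke.example.net via DDNS)
 ip address dhcp
 crypto map SPOKEMAP
```

Only the hub can bring the tunnel up, so traffic from the hub LAN towards 10.2.0.0/16 is what triggers the DNS lookup and the IKE exchange. To verify, show crypto map on the hub confirms the peer is configured as a dynamic hostname, and show crypto isakmp sa and show crypto ipsec sa on either side show the phase 1 and phase 2 SAs. If the spoke's DDNS record lags behind its real address, the hub resolves a stale address and IKE simply times out, so the first thing to check on a failed tunnel is a plain DNS lookup of the spoke name from the hub.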


Patrick0711 Fri, 11/20/2009 - 18:08

Good to know, I was simply referring to the fact that the PIX cannot resolve DNS hostnames for a VPN peer, but I can see how this would work with the router initiating to the PIX. Very informative update!

elyesfayache Fri, 11/20/2009 - 23:19

Thank you very much Paul, I will try this between 2 routers and let you know.

mopaul Sat, 11/21/2009 - 10:04

Hey elyesfayache,

Anytime .... Please do let us know at your earliest convenience so that this post can be picked up as ANSWERED and other users who have the same question can implement this solution in their network (as and when required).

ahmedchohan Thu, 05/20/2010 - 04:32

Would it then be possible to do it on the ASA instead of the PIX? I'm talking version 8.

Patrick0711 Fri, 11/20/2009 - 13:48

The PIX does not have the ability to initiate a VPN tunnel to a dynamic DNS hostname. The PIX can only initiate to a hostname defined by the 'name' command in the configuration.

xulqi2765 Sat, 06/08/2013 - 14:19

Hi Dear Friends,

I have a scenario and a few questions; please do reply, I will be grateful to you.

I have two RV Series routers:
1. RV082
2. RV042
I don't have dynamic IPs on both sides and I have an account on DynDNS. My question is how can I create a VPN on these dynamic IPs? Is it possible? Please do let me know.

If somebody can guide me step by step I will be grateful to you. Thanks


jessemi01 Tue, 01/07/2014 - 18:50

Hi Buddies,

I saw the key words in the discussion title are "on both sides". Actually I'm working on a project for a customer; both sides don't have static IP addresses. I am aware that a site-to-site VPN over the Internet can be done when one side has a static IP but the other side doesn't.

So I hope someone can clarify for me whether I can deploy it when both sides are via DDNS without a static IP address.

I'm planning to use ASA firewalls 5505 or 5510

Thanks a lot!

Gerardo Marcial... Wed, 01/08/2014 - 06:05

Hi Jesse

It is possible with both sides receiving their IP address by DHCP; I have this case with my customers.

In my experience, setting up IP SLA is good practice to keep the crypto map up, if that is your case.

I have never worked with ASA; at the moment I work only with routers, different IOS (12.4, 15++).

If you tell me the software version on your ASA, I can try to build the lab in GNS.

Are you interested in this config on routers?
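Gerardo's point about IP SLA, as an added example (not his configuration): an ICMP probe sourced from the hub LAN towards the spoke LAN matches the crypto ACL, so it counts as interesting traffic and keeps the IPsec SA from idling out, and a tracking object makes tunnel health visible. The addressing is an assumed placeholder (hub LAN gateway 10.1.0.1, spoke LAN gateway 10.2.0.1, which is assumed to answer ICMP), and the probe sits on the hub because in the dynamic-peer setup from the post above only the side with the static crypto map can initiate.

```cisco
! Hub-side keepalive probe (added example, placeholder addresses)
! Source and destination both fall inside the crypto ACL (10.1.0.0/16 <-> 10.2.0.0/16),
! so every echo is "interesting traffic" that brings up and keeps up the IPsec SA
ip sla 10
 icmp-echo 10.2.0.1 source-ip 10.1.0.1
 frequency 30
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Tracking object mirrors probe reachability; 'show track 10' reports Up/Down
! (older IOS releases use 'ip sla monitor' and 'track 10 rtr 10 reachability')
track 10 ip sla 10 reachability
```

With the probe running every 30 seconds, the tunnel is re-established automatically after a WAN address change on either side as soon as the spoke's DDNS record catches up, and show ip sla statistics 10 together with show track 10 tells you whether the path through the tunnel is currently passing traffic.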


32768H65536 Wed, 01/08/2014 - 19:37

Thank you very much for the reply, Gerardo,

The firewall I'm planning to use is ASA5505-BUN-K9 with OS: asa847-k8.bin

Routers will be connected behind the FW for Intranet routing. Actually there is no hardware on hand; I have to make sure this can be done for this option, then I can go ahead and order the devices.

I am also going to try it in the GNS lab; hope it can work, and I will update you later.

Thanks a lot!

mahin1985 Fri, 08/08/2014 - 10:36

Hi GMarciales

Would you share the whole config of the routers?

One more scenario: one side an ASA holding PPPoE with DDNS configuration and the other side a router holding PPPoE with DDNS; is it possible to make a site-to-site VPN with this scenario?
