Site-to-site VPN over dynamic IP addresses on both sides

Unanswered Question
Jun 19th, 2010

Hi Guys,

I just wanted to know whether we can make a site-to-site VPN on 2 routers/ASAs if both sides have dynamic IP addresses.

It's a strange requirement of my client.

I was thinking it is possible if we can do dyn-dns on both sides, but I'm not sure if we can?

Is it possible, guys?



Federico Coto F... Sat, 06/19/2010 - 11:28


I know that you can establish the site to site when one side has a dynamic IP.

But I think that you cannot make a site-to-site VPN with dynamic IPs on both sides.

This is because dynamic crypto maps don't allow you to initiate connections.

If both sides have dynamic crypto maps, who will initiate the connection?

Unfortunately not possible as far as I've seen.
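The one-sided case described in the answer above, as an added Cisco IOS example that is not part of the original posts: side A has a static address and answers through a dynamic crypto map, side B has a dynamic address and initiates through a static crypto map. The address 203.0.113.1, the subnets, the interface names, the map and transform-set names, and the crypto parameters are all constructed for illustration.

```cisco
! ---- Side A: static public IP 203.0.113.1 (constructed), responder only ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! The peer address is not known in advance, so the key must match any source.
crypto isakmp key <PRE_SHARED_KEY> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
! Dynamic map entry: there is no "set peer" line, so this side has no
! address to send the first IKE packet to and can only answer.
crypto dynamic-map DYN 10
 set transform-set TS
 match address 110
crypto map VPN 10 ipsec-isakmp dynamic DYN
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
!
! ---- Side B: dynamic public IP (DHCP), always the initiator ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE_SHARED_KEY> address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
! Static map entry: "set peer" names side A, so interesting traffic
! matching access-list 110 triggers negotiation from this side.
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 110
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
interface GigabitEthernet0/0
 ip address dhcp
 crypto map VPN
```

The wildcard pre-shared key on side A accepts an IKE attempt from any source address that knows the key, so the key needs to be long and random, and certificate authentication is the stronger choice where it is available.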


jvalin__s Sat, 06/19/2010 - 11:30

But as we configure EzVPN, the dynamic side only initiates the connection, right?


Federico Coto F... Sat, 06/19/2010 - 11:35


With EzVPN the dynamic (or client) side initiates the connection (just as a VPN client).

But the configuration on the Hardware Client does not use dynamic crypto maps; it uses an EzVPN hardware client configuration.

Even EzVPN cannot be established if both sides use dynamic IPs.


Federico Coto F... Sat, 06/19/2010 - 11:51

From what I've seen it won't work, but I'll have to try it again and see if there's any way now to make it work, because when I did it, every time an IP changed, the VPN wouldn't come up until clearing the dynamic peer and setting it again.


