Remote party uses dynamic IP for site to site VPN - Any issues ?

alanchia2000
Level 1

Hi,

I will be building a site to site IPSEC VPN tunnel with an external party who is using a dynamic IP address.
He is using dyndns to associate a domain to the IP.

May I know what are the issues of having a remote party using dynamic IP address?
Does IPSEC automatically rebuild the tunnel when the IP changes?

Accepted Solution

Philip D'Ath
VIP Alumni

And to answer your other question, about rebuilding the VPN when the IP address changes; you want to make sure DPD (dead peer detection) is enabled.

I found this article about enabling it on the Cyberoam:

http://kb.cyberoam.com/default.asp?id=58

The VPN won't come back up again till the DNS is updated, and the CSR1000V sees the change. If there are any caching DNS servers with a minimum TTL this will cause the VPN to break for an average of half the minimum TTL.

So if your ISP enforces a minimum TTL of 1 hour, and the IP address changes, on average it will take 30 minutes for the VPN to start working again, and a maximum of 1 hour.

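To make the recovery-time estimate above concrete, here is an added model (not code from the thread, Cisco, or Cyberoam) of what happens after the dynamic peer's address changes: the static side keeps using the stale address until its caching resolver's record ages out (anywhere from 0 to TTL seconds) and DPD has declared the peer dead. It assumes a single caching resolver in the path and a DPD profile of interval x retries seconds, and includes an offline-testable check that the name still resolves to the address the tunnel is using.

```python
"""Constructed model of IPsec tunnel recovery when a DynDNS peer's IP changes."""
from dataclasses import dataclass
import socket


@dataclass(frozen=True)
class DpdProfile:
    interval: int  # seconds between DPD probes (IKEv1 on IOS: crypto isakmp keepalive <interval> <retry>)
    retries: int   # unanswered probes before the peer is declared dead

    def detection_time(self) -> int:
        return self.interval * self.retries


def recovery_time(ttl: int, cache_age: int, dpd: DpdProfile) -> int:
    """Seconds until the tunnel can rebuild after the remote IP changes.

    cache_age is the age of the cached DNS record at the moment of the change
    (0 = just cached, ttl = about to expire). The tunnel needs DPD to notice
    the dead peer AND the resolver to hand back the new address, so the
    outage is the longer of the two waits.
    """
    if not 0 <= cache_age <= ttl:
        raise ValueError("cache_age must lie within [0, ttl]")
    dns_refresh = ttl - cache_age
    return max(dpd.detection_time(), dns_refresh)


def expected_outage(ttl: int, dpd: DpdProfile) -> tuple[float, int]:
    """(average, worst-case) outage in seconds over all possible cache ages.

    When DPD detection is small compared with the TTL this reproduces the
    rule of thumb from the answer: average about TTL/2, worst case TTL.
    """
    samples = [recovery_time(ttl, age, dpd) for age in range(ttl + 1)]
    return sum(samples) / len(samples), max(samples)


def peer_address_changed(fqdn: str, active_peer: str, resolve=socket.gethostbyname) -> bool:
    """True if the DynDNS name no longer resolves to the address the SA uses.

    `resolve` is injectable (assumed helper parameter) so monitoring scripts
    and tests can supply their own lookup instead of the live resolver.
    """
    return resolve(fqdn) != active_peer


if __name__ == "__main__":
    # Constructed scenario: ISP-enforced 1 hour minimum TTL, DPD 10 s x 3 retries.
    avg, worst = expected_outage(3600, DpdProfile(interval=10, retries=3))
    print(f"1h TTL: average outage {avg / 60:.1f} min, worst case {worst / 60:.0f} min")
```

Run `peer_address_changed()` from cron on the static side with the address shown by `show crypto session` (constructed monitoring idea) to alert when the DynDNS record has moved ahead of the tunnel.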

5 Replies

Philip D'Ath
VIP Alumni

What device do you have and what device do they have?

Remote party - CyberRoam CR-200i

Me - Cisco CSR 1000v

You are likely to have issues.

On modern Cisco IOS with IKEv1 you can use:

crypto map vpn 10 ipsec-isakmp
 set peer <FQDN> dynamic
...

which causes the router to do a dynamic DNS lookup. I don't know if IOS-XE on the CSR-1000v supports this.

You could also use IKEv2 and an email or peer ID:

crypto ikev2 keyring kr-site-to-site
  peer remote-site
     identity email remote@email-identity.com
...

However, I don't think the Cyberoam is very sophisticated in this area, so expect to have issues. I'd personally use the IKEv2 approach if the Cyberoam can handle it.

I just did a Google for "Cyberoam IKEv2" and got pretty much nothing back.  I take that to mean it has little or poor VPN IKEv2 support.
