Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
393
Views
0
Helpful
4
Replies

ASA L2L VPN Dynamic Peers Both Ends

shelby.lindsey
Level 1
Level 1

‎03-26-2014 05:29 AM

Hi all,

I have some ASA Site-to-Site (L2L ikev2) VPN deployments that are using A Dyanic-to-Static Peer configuration.  Now I have a special case where I cannot get a static IP for either end and have been researching for a solution to connect L2L with Dynamic-to-Dynamic peers.  My research is not really turning up anything and now I am thinking that the ASA may not be capable of this configuration.   Can anyone confirm that this is or is not possible?

My hardware is ASA 5505 running 9.1.4.

Thanks!

Shelby

Labels:
0 Helpful
4 Replies 4

LA-Engineer
Level 1
Level 1

‎03-27-2014 11:12 AM

Are you talking about using some sort of dyndns?

How would the two devices find each other?

0 Helpful

Joe Doran
Level 1
Level 1

‎03-27-2014 03:45 PM

This will not be possible. You will need at least one static IP address so that at least one end of the tunnel can be configured with an IP address to connect back to. If they are both dynamic then you have no way to tell either ASA where the far end of the tunnel is located.

Hope that helps.

0 Helpful

Karsten Iwen
VIP
VIP

‎03-28-2014 12:30 AM

As already mentioned, you can't do that with the ASA. But with IOS-routers there are two possible ways to achieve that:

  1. In the crypto map "set peer" you can use a (dyndns) FQDN that only gets reloved to an IP when the connection gets initiated. If you have sites that change the public IP regularly (for example once a day), this solution won't be very stable.
  2. You can use a VPN-type that can resolve IPs for spoke-to-spoke trafic dynamically. DMVPN and FlexVPN are technologies for that. You just need one site with a fixed IP where all dynamically addressed sites can register. All these sites can resolve the dynamic peer addrssses later with the help of the static hub and initiate spoke-to-spoke communication.
0 Helpful

shelby.lindsey
Level 1
Level 1
In response to Karsten Iwen

‎03-28-2014 06:45 AM

Thanks all.  I was searching for a solution using FQDN, but only have ASA as a choice.  Just wanted to be sure that this was not possible on ASA prior to seeking alternate solution and hardware.

 

Thanks again for the confirmation! 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents