I have some ASA Site-to-Site (L2L ikev2) VPN deployments that are using a Dynamic-to-Static Peer configuration. Now I have a special case where I cannot get a static IP for either end and have been researching for a solution to connect L2L with Dynamic-to-Dynamic peers. My research is not really turning up anything and now I am thinking that the ASA may not be capable of this configuration. Can anyone confirm that this is or is not possible?
This will not be possible. You will need at least one static IP address so that at least one end of the tunnel can be configured with an IP address to connect back to. If they are both dynamic then you have no way to tell either ASA where the far end of the tunnel is located.
As already mentioned, you can't do that with the ASA. But with IOS-routers there are two possible ways to achieve that:
In the crypto map "set peer" you can use a (dyndns) FQDN that only gets resolved to an IP when the connection gets initiated. If you have sites that change the public IP regularly (for example once a day), this solution won't be very stable.
You can use a VPN-type that can resolve IPs for spoke-to-spoke traffic dynamically. DMVPN and FlexVPN are technologies for that. You just need one site with a fixed IP where all dynamically addressed sites can register. All these sites can resolve the dynamic peer addresses later with the help of the static hub and initiate spoke-to-spoke communication.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni