Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site to site vpn with dynamic IP on both site

Hello everybody,

I have to configure a site to site VPN with dynamic IP on both end: I have a Pixv7 in the central site and a router with Firewall Software on another site.
Is it possible to do so with using dns names?

Everyone's tags (4)
12 REPLIES
Bronze

Re: Site to site vpn with dynamic IP on both site

The PIX does not have the ability to initiate a VPN tunnel to a dynamic DNS hostname.  The PIX can only initiate to a hostname defined by the 'name' command in the configuration.

Bronze

Re: Site to site vpn with dynamic IP on both site

Hi ,


@ Patrick : If you mean this ain't possible on PIX then yeah you are right. Else this may surprise you :-


You can built an Ipsec VPN tunnel between Cisco routers, both on Dynamic IP addresses


In order to configure a LAN-to-LAN Virtual Private Network (VPN) tunnel between two routers with dynamic IP addresses, complete these steps apart from the basic configuration:


  1. Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map.
  2. On the remote router, configure the dynamic crypto map without the use of the peer statement.

With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.


Note:

1. Only a router with a static crypto map can initiate the tunnel with the dynamic DNS resolution of the peer statement.

2. This works on Cisco IOS router code 12.3 and above

Examples

The following example shows a crypto map configuration when IKE will be used to establish the security associations (SAs). In this example, an SA could be set up to either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.

crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2

The following example shows how to configure a router to perform real-time Domain Name System (DNS) resolution with a remote IPSec peer; that is, the host name of peer is resolved via a DNS lookup right before the router establishes a connection (an IPSec tunnel) with the peer.

crypto map secure_b 10 ipsec-isakmp
  match address 140
  set peer b.cisco.com dynamic 
  set transform-set xset
interface serial1
  ip address 30.0.0.1
  crypto map secure_b
access-list 140 permit ...

The following example shows that the first peer, at IP address 1.1.1.1, is the default peer.

crypto map tohub 1 ipsec-isakmp 
 set peer 1.1.1.1 default 
 set peer 2.2.2.2 

The following example shows that the peer with the host name fred is the default peer.

crypto map tohub 2 ipsec-isakmp 
 set peer fred dynamic default 
 set peer barney dynamic 




Refer the Command Reference to know more about the set peer dynamic command.

Refer to the R2 (Cisco 2811 Router) section of Router-to-PIX Dynamic-to-Static IPsec with NAT Configuration Example in order to configure a dynamic crypto map on the router.

Refer to the Mop (Cisco 7204 Router) section of Router-to-PIX Dynamic-to-Static IPsec with NAT Configuration Example in order to configure a static crypto map on the router.


There is one more thing to add here, i.e Tunnel End point Discovery, though this had gone obsolete but if you got a minute, refer this too. To be honest i have never tried this before but yes this used to be in place long time back


Sorry nothing can be done on PIX , this set up works on Cisco routers as per the information posted above. I am sure the information given above will help you if not now, may be sometime later as many people do not know if this works.

"Knowledge is always an addition " :-)

Regards
M


Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
Bronze

Re: Site to site vpn with dynamic IP on both site

Good to know, I was simply refering to the fact that the PIX cannot resolve DNS hostnames for a VPN peer but I can see how this would work with the router initiating to the PIX.  Very informative update!

New Member

Re: Site to site vpn with dynamic IP on both site

Thank you very much paul I will try this between 2 routeurs and let you know

Bronze

Re: Site to site vpn with dynamic IP on both site

Hey elyesfayache,

Anytime .... Please do let us know at your earliest conveninece so that this post can be picked up as ANSWERED and other users who got the same question can implement this solution in their network (as and when required).



Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
New Member

Re: Site to site vpn with dynamic IP on both site

Would it then be possible to do it on the asa instead of the pix. I'm talking version 8.

Site to site vpn with dynamic IP on both site

Thank mopaul for your good explain, in my case to fix the problem also reading this other link:

http://www.networkstraining.com/site-to-site-vpn-with-dynamic-crypto-map

New Member

Site to site vpn with dynamic IP on both site

Hi Dear Friends,


I have a sonerio and few questions please do reply me will be greatfull to you .

i have Two RV Series Router
1. RV082
2. RV 042
i dont have Dynamic IP's On both side and i have an account on dyndns .. My Question is how can i create a VPN on these Dynamic IP's ? Is it possible .. Please do let me know.

if some body can guide me step by step i will be greatfull to you . Thanks

Xulqi

New Member

Site to site vpn with dynamic IP on both site

Hi Buddies,

I saw the Key words in Discussion title is "on both side", actually I'm working on a project for a customer, both sides don't have static IP addresses, I awared site to site VPN over Internet can be done when one side has static IP but another side doesn't.

So hope some one can clarify me whether I can deploy it when both sides via DDNS without static IP address.

I'm planning to use ASA firewalls 5505 or 5510

Thanks a lot!

Site to site vpn with dynamic IP on both site

Hi Jesse

It is possible with both side receiving IP address by DHCP, I have this case in my costumers.

In my experience, set IP SLA is good practice to maintaining UP the Crypto MAP if is your case.

Never have I worked with ASA, at the moment I worked only with Routers, different IOS (12.4, 15++)

If you tell me the version of soft in your ASA I can try to make the Lab in GNS.

Are you interested in this config in Routers?

Regards

New Member

Site to site vpn with dynamic IP on both site

Thank you very much for reply Gerardo,

The firewall I'm planning to use is ASA5505-BUN-K9 with OS: asa847-k8.bin

Routers will be connected behind the FW for Intranet routing, actually there is no hardware on hands, I have to make sure this can be done for this option then I can go ahead to order the devices.

I am also going to try it in Lab GNS, hope it can work, and update you later.

Thanks a  lot !

New Member

Hi GMarcialesWould you share

Hi GMarciales

Would you share whole config of Routers.

One more scenario, one side ASA holding pppoe with ddns configuration and another side Router holding pppoe with ddns; is it possible to make site-to-site vpn with this scenario?

32090
Views
25
Helpful
12
Replies
CreatePlease login to create content