I have to configure a site-to-site VPN with dynamic IP on both ends: I have a PIX v7 in the central site and a router with Firewall Software on another site.
Is it possible to do so using DNS names?
The PIX does not have the ability to initiate a VPN tunnel to a dynamic DNS hostname. The PIX can only initiate to a hostname defined by the 'name' command in the configuration.
@Patrick: If you mean this ain't possible on the PIX then yeah, you are right. Else this may surprise you:
You can build an IPsec VPN tunnel between Cisco routers, both on dynamic IP addresses.
With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.
1. Only a router with a static crypto map can initiate the tunnel with the dynamic DNS resolution of the peer statement.
2. This works on Cisco IOS router code 12.3 and above.
The following example shows a crypto map configuration when IKE will be used to establish the security associations (SAs). In this example, an SA could be set up to either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.
crypto map mymap 10 ipsec-isakmp
 match address 101
 set transform-set my_t_set1
 set peer 10.0.0.1
 set peer 10.0.0.2
The following example shows how to configure a router to perform real-time Domain Name System (DNS) resolution with a remote IPSec peer; that is, the host name of peer is resolved via a DNS lookup right before the router establishes a connection (an IPSec tunnel) with the peer.
crypto map secure_b 10 ipsec-isakmp
 match address 140
 set peer b.cisco.com dynamic
 set transform-set xset
ip address 18.104.22.168
crypto map secure_b
access-list 140 permit ...
The following example shows that the first peer, at IP address 22.214.171.124, is the default peer.
crypto map tohub 1 ipsec-isakmp
 set peer 126.96.36.199 default
 set peer 188.8.131.52
The following example shows that the peer with the host name fred is the default peer.
crypto map tohub 2 ipsec-isakmp
 set peer fred dynamic default
 set peer barney dynamic
Good to know, I was simply referring to the fact that the PIX cannot resolve DNS hostnames for a VPN peer, but I can see how this would work with the router initiating to the PIX. Very informative update!
Anytime... Please do let us know at your earliest convenience so that this post can be picked up as ANSWERED and other users who have the same question can implement this solution in their network (as and when required).
Thanks mopaul for your good explanation; in my case, to fix the problem I was also reading this other link:
Hi Dear Friends,
I have a scenario and a few questions. Please do reply to me, I will be grateful to you.
I have two RV Series routers:
2. RV 042
I don't have dynamic IPs on both sides and I have an account on DynDNS. My question is, how can I create a VPN on these dynamic IPs? Is it possible? Please do let me know.
If somebody can guide me step by step I will be grateful to you. Thanks
I saw the key words in the discussion title are "on both sides". Actually I'm working on a project for a customer where both sides don't have static IP addresses. I'm aware a site-to-site VPN over the Internet can be done when one side has a static IP but the other side doesn't.
So I hope someone can clarify for me whether I can deploy it when both sides go via DDNS without a static IP address.
I'm planning to use ASA 5505 or 5510 firewalls.
Thanks a lot!
It is possible with both sides receiving their IP address by DHCP; I have this case with my customers.
In my experience, setting up IP SLA is good practice for keeping the crypto map UP, if that is your case.
I have never worked with ASA; at the moment I have worked only with routers, on different IOS versions (12.4, 15+).
If you tell me the software version on your ASA I can try to build the lab in GNS.
Are you interested in this config on routers?
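A full two-sided router configuration that puts mopaul's "set peer ... dynamic" examples and Gerardo's IP SLA keepalive together, added here as an illustration; it is not from either poster or from Cisco documentation. The hub responds with a dynamic crypto map (it cannot initiate, per point 1 above), the spoke initiates with a static map whose peer is a DDNS name, and both sides are on dynamic WAN addresses. Hostnames, addresses, interface names and the pre-shared key are placeholders, and the AES-256/SHA-256/group 14 settings assume IOS 15.x rather than the 12.3 minimum the thread mentions.

```cisco
! ---- HUB (placeholder name hub.example.dyndns.org; dynamic WAN address) ----
! Responder only: a dynamic crypto map accepts IKE from any source, so the
! spoke's changing address never has to be configured here.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard PSK because the spoke's address is unknown: any host that knows
! it may negotiate, so the key must be strong and the ACL stays tight.
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto dynamic-map DYN 10
 set transform-set TS
 match address 110
crypto map VPN 10 ipsec-isakmp dynamic DYN
interface Dialer1
 crypto map VPN
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! ---- SPOKE (placeholder name spoke.example.dyndns.org; dynamic WAN address) ----
! Initiator: static map whose peer is a DNS name, resolved right before IKE.
ip domain lookup
ip name-server 192.0.2.53
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto map VPN 10 ipsec-isakmp
 set peer hub.example.dyndns.org dynamic
 set transform-set TS
 match address 110
interface Dialer1
 crypto map VPN
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! Keepalive: ICMP probe that matches ACL 110, so interesting traffic keeps
! the SA up and forces a fresh lookup of the hub name when the SA is rebuilt.
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.2.1
 frequency 30
ip sla schedule 1 life forever start-time now
```

The hub must still publish its current address to the DDNS record through its own DDNS client; the spoke only learns of a change when it next resolves the name to negotiate a new SA.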
Thank you very much for reply Gerardo,
The firewall I'm planning to use is ASA5505-BUN-K9 with OS: asa847-k8.bin
Routers will be connected behind the FW for intranet routing. Actually there is no hardware on hand; I have to make sure this can be done for this option, then I can go ahead and order the devices.
I am also going to try it in a GNS lab; hope it can work, and I will update you later.
Thanks a lot !
Would you share the whole config of the routers?
One more scenario: one side is an ASA holding PPPoE with a DDNS configuration and the other side is a router holding PPPoE with DDNS; is it possible to make a site-to-site VPN with this scenario?