
tunnel 831 831

kiksen1
Level 1

Dear All!

I am setting up a VPN with two 831s, only with a pre-shared key.

My config looks like this:

-----------------------
crypto isakmp key geheim address x.x.0.2
!
!
crypto ipsec transform-set SetEins esp-3des esp-md5-hmac
crypto ipsec transform-set SICHER esp-3des esp-md5-hmac
!
crypto map FILTER 10 ipsec-isakmp
 set peer 12.0.0.2
 set security-association lifetime seconds 4000
 set transform-set SICHER
 match address 101
-----------------------

crypto isakmp key XXXXXX address a.b.c.d

there is a possibility to say

crypto isakmp key xxxxx hostname MyHost

What is this good for? Is this a way to do dynamic vpn?

In the Crypto Map, I can change the "Identity", how can I use this feature? I thought the Identity is the IP in most cases?

Is it possible to do "set peer hostname" which is only resolved when I build up the tunnel?

Well, these are mainly IOS questions, are there any good papers or books out there?

What I would like to do is to build up a connection to an 831 with a DSL modem in front of it. I want to get the IP address using dyndns. I know this is not a good idea from a security point of view, but I don't have a choice?

Thank you!

Best

Christian

4 Replies

jsivulka
Level 5

1) Dynamic VPN is used where one of the endpoints, mostly the remote office, receives an IP address through DHCP. Simply put, this is done using the command

crypto isakmp key address 0.0.0.0.

The key specified will be used as a preshare for all remote endpoints. For more information, please see http://www.cisco.com/warp/public/707/ios_804.html

2) The crypto isakmp identity command has two options:

crypto isakmp identity {address | hostname}

address - Sets the ISAKMP identity to the IP address. This is the default.

hostname - Sets the ISAKMP identity to the host name.

Normally, an ip host command goes with the identity hostname command.

3) For more information on set peer command, you could refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fipsencr
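
An added example, not part of the original thread or of Cisco's documentation: a small Python check that reads an IOS configuration and reports which crypto map peers are covered only by the wildcard pre-shared key from point 1, the key that every remote endpoint shares. The sample configuration, the placeholder keys and the function name `audit_psk` are constructed for illustration; it assumes plain `crypto isakmp key ... address` lines and peers given as IP addresses.

```python
import ipaddress
import re

# Constructed sample config: documentation-range addresses, placeholder keys.
SAMPLE = """\
crypto isakmp key PLACEHOLDER1 address 192.0.2.2
crypto isakmp key PLACEHOLDER2 address 0.0.0.0
crypto map FILTER 10 ipsec-isakmp
 set peer 192.0.2.2
crypto map FILTER 20 ipsec-isakmp
 set peer 198.51.100.7
"""

KEY_RE = re.compile(r"crypto isakmp key \S+ address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?")
PEER_RE = re.compile(r"set peer (\S+)")

def audit_psk(config):
    """Classify each crypto map peer by the pre-shared key entry that covers it."""
    lines = [line.strip() for line in config.splitlines()]
    nets = []
    for line in lines:
        m = KEY_RE.match(line)
        if not m:
            continue
        target, mask = m.groups()
        # Assumption: a key for 0.0.0.0 with no mask covers every peer.
        mask = mask or ("0.0.0.0" if target == "0.0.0.0" else "255.255.255.255")
        nets.append(ipaddress.ip_network(f"{target}/{mask}", strict=False))
    report = {"wildcard_keys": sum(n.prefixlen == 0 for n in nets),
              "specific": [], "wildcard_only": [], "no_key": []}
    for line in lines:
        m = PEER_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # peers given as hostnames are outside this check
        # The longest matching prefix decides which key entry covers the peer.
        best = max((n.prefixlen for n in nets if addr in n), default=None)
        bucket = "no_key" if best is None else "wildcard_only" if best == 0 else "specific"
        report[bucket].append(str(addr))
    return report

if __name__ == "__main__":
    print(audit_psk(SAMPLE))
```

Peers listed under `wildcard_only` authenticate with the same key as any other endpoint, so they are the ones to review when that key is rotated or exposed.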

plemieux72
Level 1

Christian,

Did you ever get this to work with dyndns between your two 831s? I would also like to use host names to set up a VPN instead of IP addresses. I know some Linksys routers have a dyndns client integrated but I did not think any Cisco router or firewall had it. But maybe I am wrong and the SOHO series can be set up this way... nevertheless, I cannot find any documentation on dynamic DNS in the guides. If it worked for you, can you please add details on how you accomplished this to this thread? Thanks

Hello Jan,

No, Cisco is not working with dynamic IP addresses on both tunnel endpoints and I think there are enough reasons why.

Actually there is one way to do it anyway, but the feature is not intended for this!

You can use the ez-vpn feature. There you can tell the client site to resolve a hostname as tunnel endpoint, but I think it is intended to do load balancing, not for dyndns.org :)

Best,

Christian

Hello,

What are the reasons why Cisco doesn't support the dyndns feature?

Best,

Michael