Cisco Support Community
Bronze

vpn tunnel and dynamic ip address

Hi everybody

How is everyone doing?

Let's say we have a small branch office, say B1, and we want to connect it to the company's headquarters, HQ.

B1 dynamic ip address----------------vpn tunnel-------------- 199.199.199.1-HQ

Assume B1 is assigned a dynamic IP address a.a.a.a

Let's say B1 uses a router with a DSL interface. B1 will use a local ISP to connect to the internet.

At B1 we set the destination IP for the VPN tunnel as 199.199.199.1

The problem is how can we set the destination IP at HQ for the VPN tunnel, because B1 is assigned an IP by an ISP, which could change.

How can we establish a VPN between two nodes when one of them is using a dynamic IP address, as was the case in our example?

thanks

4 REPLIES
Hall of Fame Super Bronze

vpn tunnel and dynamic ip address

Bronze

Re: vpn tunnel and dynamic ip address

Hi Edison

The link you forwarded shows a configuration on the "dr_whoovie" router.

For example:

At "dr_whoovie" the traffic that needs to be VPN-tunneled will have to be matched by crypto map rtp under S0.

I have a question about the order the commands are listed under crypto map rtp, which I have posted for easy reference. (I understand that regardless of the order presented below, the goal to VPN-tunnel the desired packets will be achieved.)

crypto map rtp 1 ipsec-isakmp
 set peer 99.99.99.1
 set transform-set rtpset
 match address 115

---------------------------------------

The first command instructs the router to perform the action instructed by "set peer 99.99.99.1"

(that means all the packets, because at this stage interesting packets have not been identified)

The second command instructs the router to perform the action instructed by "set transform-set rtpset"

(again, that means the above action will be performed on all packets, because at this stage interesting packets have not been identified)

The third command instructs the router to perform the action instructed by "match address 115"

The above command will identify the interesting packets, which will be forwarded out of S0, while all the rest will be denied.

Is this order of operation correct?

If it is correct, what will happen to packets that have been denied? Will they be dropped? Because in my book an example demonstrates the following:

crypto map sarah 1 ipsec-isakmp
 match address 115

(Interesting packets are identified by the above command.)

Then the router performs the actions instructed by the following commands on the interesting packets; all the others at this point are sent unencrypted out of the interface. Here we observed that the uninteresting packets which are denied by the access-list are simply forwarded out of the interface without being VPN-tunneled.

 set peer 99.99.99.1
 set transform-set rtpset

If you compare this order of commands to the one presented in the case of "dr_whoovie", you see the order of commands is different.

In "dr_whoovie" the interesting traffic is identified at the end, because "match address 115" was used at the end. The question is what will happen to the packets which are denied by access-list 15.

Will these packets simply be dropped even though the router has performed all the actions instructed by the "set peer 99.99.99.1, set transform-set rtpset" commands, because those commands preceded the "match address 115" command?

Thanks and have a good evening

Hall of Fame Super Bronze

vpn tunnel and dynamic ip address

The example I provided also includes a NAT configuration.

Packets that are denied from encryption are NAT'd out to the internet (they leave the router unencrypted).

Packets that match the encryption are sent via the VPN tunnel (those are not destined for the internet).

Regards,

Edison
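
The packet handling described in the reply above, as an added example that is not part of the original thread or of the linked configuration: a simplified Python model of first-match ACL evaluation for NAT and for the crypto map. The LAN subnets, the outside address and the NAT ACL are constructed assumptions; only the crypto map attributes, ACL number 115 and the peer 99.99.99.1 come from the thread.

```python
# Added illustration (not from the thread): simplified model of outbound packet
# handling on a router with a crypto map and NAT overload on the same interface.
from ipaddress import ip_address, ip_network

# Constructed addressing: branch LAN, HQ LAN, and the branch's current ISP address.
B1_LAN = ip_network("10.1.1.0/24")
HQ_LAN = ip_network("10.2.2.0/24")
ANY = ip_network("0.0.0.0/0")
B1_OUTSIDE = "203.0.113.7"

# Crypto ACL 115: "permit" means encrypt, "deny" means send in clear (not drop).
ACL_115 = [("permit", B1_LAN, HQ_LAN), ("deny", B1_LAN, ANY)]
# Hypothetical NAT ACL: exempt tunnel traffic from NAT, translate the rest.
NAT_ACL = [("deny", B1_LAN, HQ_LAN), ("permit", B1_LAN, ANY)]
# The same NAT rule without the exemption, to show the failure mode.
NAT_ALL = [("permit", B1_LAN, ANY)]

# A crypto map entry is a set of attributes, so the order in which "set peer",
# "set transform-set" and "match address" are entered does not matter.
MAP_AS_POSTED = {"peer": "99.99.99.1", "transform_set": "rtpset", "match": ACL_115}
MAP_BOOK_ORDER = {"match": ACL_115, "peer": "99.99.99.1", "transform_set": "rtpset"}


def acl_permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in src_net and ip_address(dst) in dst_net:
            return action == "permit"
    return False


def forward(crypto_map, src, dst, nat_acl=NAT_ACL):
    """Return (source address on the wire, handling) for an outbound packet."""
    # Inside-to-outside, NAT is applied before the crypto map is checked.
    if acl_permits(nat_acl, src, dst):
        src = B1_OUTSIDE
    if acl_permits(crypto_map["match"], src, dst):
        return src, "encrypted to " + crypto_map["peer"]
    return src, "sent unencrypted"


if __name__ == "__main__":
    for dst in ("10.2.2.10", "198.51.100.20"):
        print(dst, forward(MAP_AS_POSTED, "10.1.1.5", dst))
    # Without the NAT exemption, tunnel traffic is translated and misses ACL 115.
    print(forward(MAP_AS_POSTED, "10.1.1.5", "10.2.2.10", nat_acl=NAT_ALL))
```

The last call shows the case worth checking on a real router: if the NAT rule does not exempt branch-to-HQ traffic, that traffic is translated first, no longer matches the crypto ACL, and leaves in clear text instead of entering the tunnel.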

Bronze

Re: vpn tunnel and dynamic ip address

Thanks Edison.

I was thinking something else.  I got the concept and I really appreciate your help.

Have a nice weekend.
