08-12-2008 11:37 PM - edited 02-21-2020 02:57 AM
Hi friends,
I want to create a site-to-site VPN between two sites, but both sites have dynamic IPs. My question is: is it possible to create a site-to-site VPN, or otherwise is there any other way? If site-to-site is possible, send any documentation.
Thanks
08-13-2008 04:08 AM
No you cannot make a site-2-site vpn with dynamic IPs on both sides. Dynamic crypto maps don't allow you to initiate connections, if both sides have dynamic crypto maps, who will initiate the connection?
You can setup a remote-access VPN. Preferably register the VPN server IP with dyn-dns. Then just enter the dyn-dns hostname of the VPN server in the Cisco VPN Client. Just make sure you are running a newer version of the Cisco VPN Client.
Regards
Farrukh
08-24-2008 10:37 PM
By registering the IP with dyn-dns, can't we create a site-to-site VPN? Can we communicate using the hostname? Otherwise, tell me a possible way.
08-25-2008 04:32 AM
Yes it should work. Just make sure you use the latest version of the Cisco VPN Client.
Regards
Farrukh
08-25-2008 06:08 AM
Thank you for your reply.
I am not asking about the remote VPN client...
Is it possible to create a site-to-site VPN using these dynamic DNS hostnames?
Because I have dynamic IPs on both sides.
If it is possible, give me some example.
Thanks..
08-25-2008 06:20 AM
I already told you that you cannot. From my original response:
"No you cannot make a site-2-site vpn with dynamic IPs on both sides. Dynamic crypto maps don't allow you to initiate connections, if both sides have dynamic crypto maps, who will initiate the connection? "
Please rate if helpful.
Regards
Farrukh
08-25-2008 06:54 AM
Thanks for your reply..
So there is no solution... so the only possibility is the remote client.
08-25-2008 07:00 AM
To my knowledge, YES.
Regards
Farrukh
08-25-2008 10:37 PM
Hi,
I configured the remote client on the ASA 5505 and everything is working fine. It connects remotely, but the IP address and gateway are the same..
For example, I assigned a pool 192.168.1.10-192.168.1.20.
The ipconfig remotely:
ip address 192.168.1.10
subnet 255.255.255.0
gateway 192.168.1.10...
So I am not able to access anything.
08-25-2008 11:33 PM
That default gateway is normal. Don't worry about that.
'access anything' what do you mean? Did you check the encr/decr on the ASA and the VPN client?
Regards
Farrukh
08-25-2008 11:40 PM
08-26-2008 04:10 AM
What is the point of defining a 'permit any' ACL and then doing a 'tunnelspecified'? Just do a "tunnelall".
Is phase 1 and 2 UP after the client connects? Do you see encap/decap?
show crypto ipsec sa
Regards
Farrukh
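The encap/decap check suggested in the reply above, as an added example that is not part of the original thread: a small Python parser that reads the packet counters from `show crypto ipsec sa` output and reports, per peer, which direction of the tunnel is passing traffic. The sample text, peer addresses, usernames and the hint wording are constructed for illustration.

```python
import re

# Constructed sample modelled on the counter lines of `show crypto ipsec sa`;
# peers, usernames and counts are placeholders, not output from the thread.
SAMPLE = """\
      current_peer: 198.51.100.7, username: user1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
      current_peer: 198.51.100.9, username: user2
      #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
      #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
"""

PEER_RE = re.compile(r"current_peer:\s*([0-9A-Fa-f.:]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

HINTS = {
    "bidirectional": "traffic is encrypted and decrypted; look beyond the tunnel",
    "decaps-only": "client traffic arrives but nothing is sent back; "
                   "check the return route and NAT exemption for the pool",
    "encaps-only": "the ASA sends but receives nothing from the client",
    "idle": "SA is up but no traffic has matched it",
    "incomplete": "counter lines missing from the pasted output",
}

def parse_sas(text):
    """Return one dict per SA block, keyed by the current_peer line."""
    sas, cur = [], None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            cur = {"peer": m.group(1), "encaps": None, "decaps": None}
            sas.append(cur)
        elif cur is not None:
            for name, value in COUNTER_RE.findall(line):
                cur[name] = int(value)
    return sas

def classify(sa):
    """Map the encaps/decaps counters of one SA to a traffic-direction state."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc is None or dec is None:
        return "incomplete"
    if enc and dec:
        return "bidirectional"
    return "decaps-only" if dec else "encaps-only" if enc else "idle"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(f"{sa['peer']}: {classify(sa)} - {HINTS[classify(sa)]}")
```

Counters are cumulative, so run the command twice while generating traffic from the client and compare the results before drawing a conclusion.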
08-26-2008 05:36 AM
Thanks
OK, I'll do it.
08-27-2008 09:25 AM
Set up a DMVPN using NHRP at the hub site, which will keep track of the current global IP address at the two spokes, and they will be able to dynamically form tunnels between them, and even if the address changes, those updates will re-register with the NHRP server. That's assuming this is IOS-IOS VPN.
12-14-2010 11:39 AM
Have you tried using a dynamic update client on a computer inside each firewall and then building the VPN using FQDNs instead of the IP address?