Hi GMarcialesWould you share

elyesfayache · ‎11-20-2009

Hello everybody,

I have to configure a site to site VPN with dynamic IP on both end: I have a Pixv7 in the central site and a router with Firewall Software on another site.
Is it possible to do so with using dns names?

Patrick0711 · ‎11-20-2009

The PIX does not have the ability to initiate a VPN tunnel to a dynamic DNS hostname. The PIX can only initiate to a hostname defined by the 'name' command in the configuration.

mopaul · ‎11-20-2009

Hi ,

@ Patrick : If you mean this ain't possible on PIX then yeah you are right. Else this may surprise you :-

You can built an Ipsec VPN tunnel between Cisco routers, both on Dynamic IP addresses

In order to configure a LAN-to-LAN Virtual Private Network (VPN) tunnel between two routers with dynamic IP addresses, complete these steps apart from the basic configuration:

Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map.
On the remote router, configure the dynamic crypto map without the use of the peer statement.

With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.

Note:

1. Only a router with a static crypto map can initiate the tunnel with the dynamic DNS resolution of the peer statement.

2. This works on Cisco IOS router code 12.3 and above

Examples

The following example shows a crypto map configuration when IKE will be used to establish the security associations (SAs). In this example, an SA could be set up to either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.

crypto map mymap 10 ipsec-isakmp

 match address 101

 set transform-set my_t_set1

 set peer 10.0.0.1

 set peer 10.0.0.2

The following example shows how to configure a router to perform real-time Domain Name System (DNS) resolution with a remote IPSec peer; that is, the host name of peer is resolved via a DNS lookup right before the router establishes a connection (an IPSec tunnel) with the peer.

crypto map secure_b 10 ipsec-isakmp

  match address 140

  set peer b.cisco.com dynamic

  set transform-set xset

interface serial1

  ip address 30.0.0.1

  crypto map secure_b

access-list 140 permit ...

The following example shows that the first peer, at IP address 1.1.1.1, is the default peer.

crypto map tohub 1 ipsec-isakmp

 set peer 1.1.1.1 default

 set peer 2.2.2.2

The following example shows that the peer with the host name fred is the default peer.

crypto map tohub 2 ipsec-isakmp

 set peer fred dynamic default

 set peer barney dynamic

Refer the Command Reference to know more about the set peer dynamic command.

http://www.cisco.com/en/US/customer/docs/ios/12_3t/secur/command/reference/sec_s1gt.html#wp1205212

Refer to the R2 (Cisco 2811 Router) section of Router-to-PIX Dynamic-to-Static IPsec with NAT Configuration Example in order to configure a dynamic crypto map on the router.

Refer to the Mop (Cisco 7204 Router) section of Router-to-PIX Dynamic-to-Static IPsec with NAT Configuration Example in order to configure a static crypto map on the router.

There is one more thing to add here, i.e Tunnel End point Discovery, though this had gone obsolete but if you got a minute, refer this too. To be honest i have never tried this before but yes this used to be in place long time back

https://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094832.shtml

Sorry nothing can be done on PIX , this set up works on Cisco routers as per the information posted above. I am sure the information given above will help you if not now, may be sometime later as many people do not know if this works.

"Knowledge is always an addition " :-)

Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

Patrick0711 · ‎11-20-2009

Good to know, I was simply refering to the fact that the PIX cannot resolve DNS hostnames for a VPN peer but I can see how this would work with the router initiating to the PIX. Very informative update!

elyesfayache · ‎11-20-2009

Thank you very much paul I will try this between 2 routeurs and let you know

mopaul · ‎11-21-2009

Hey elyesfayache,

Anytime .... Please do let us know at your earliest conveninece so that this post can be picked up as ANSWERED and other users who got the same question can implement this solution in their network (as and when required).

Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

ahmedchohan · ‎05-20-2010

Would it then be possible to do it on the asa instead of the pix. I'm talking version 8.

Gerardo Marciales · ‎08-21-2011

Thank mopaul for your good explain, in my case to fix the problem also reading this other link:

http://www.networkstraining.com/site-to-site-vpn-with-dynamic-crypto-map

xulqi2765 · ‎06-08-2013

Hi Dear Friends,

I have a sonerio and few questions please do reply me will be greatfull to you .

i have Two RV Series Router
1. RV082
2. RV 042
i dont have Dynamic IP's On both side and i have an account on dyndns .. My Question is how can i create a VPN on these Dynamic IP's ? Is it possible .. Please do let me know.

if some body can guide me step by step i will be greatfull to you . Thanks

Xulqi

jessemi01 · ‎01-07-2014

Hi Buddies,

I saw the Key words in Discussion title is "on both side", actually I'm working on a project for a customer, both sides don't have static IP addresses, I awared site to site VPN over Internet can be done when one side has static IP but another side doesn't.

So hope some one can clarify me whether I can deploy it when both sides via DDNS without static IP address.

I'm planning to use ASA firewalls 5505 or 5510

Thanks a lot!

Gerardo Marciales · ‎01-08-2014

Hi Jesse

It is possible with both side receiving IP address by DHCP, I have this case in my costumers.

In my experience, set IP SLA is good practice to maintaining UP the Crypto MAP if is your case.

Never have I worked with ASA, at the moment I worked only with Routers, different IOS (12.4, 15++)

If you tell me the version of soft in your ASA I can try to make the Lab in GNS.

Are you interested in this config in Routers?

Regards

32768H65536 · ‎01-08-2014

Thank you very much for reply Gerardo,

The firewall I'm planning to use is ASA5505-BUN-K9 with OS: asa847-k8.bin

Routers will be connected behind the FW for Intranet routing, actually there is no hardware on hands, I have to make sure this can be done for this option then I can go ahead to order the devices.

I am also going to try it in Lab GNS, hope it can work, and update you later.

Thanks a lot !

mahin1985 · ‎08-08-2014

Hi GMarciales

Would you share whole config of Routers.

One more scenario, one side ASA holding pppoe with ddns configuration and another side Router holding pppoe with ddns; is it possible to make site-to-site vpn with this scenario?

Site to site vpn with dynamic IP on both site

Examples