IPsec Site-to-Site VPN on Cisco 871 with dynamic dns peer

amessina8
Level 1

I have a Cisco 871 Router which has a static public IP. I would like to create an IPsec VPN tunnel to a Linksys BEFVP41 which has a dynamically-assigned public IP.

I have my DNS properly set up in the 871 and I can go through the SDM and initiate the VPN tunnel by entering the hostname of the dynamic router (I set up a dyndns.org account for it so I could reach it by hostname). In fact, the VPN tunnel worked just fine.

The issue is that if the public IP of the Linksys BEFVP41 changes (as it is dynamic), my 871 will no longer be able to establish a VPN connection because it doesn't actually store the FQDN as the peer, but it converts it to the current IP address of the peer.

How do I get this to work where the 871 can always establish a VPN connection?

Here is the relevant config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key TestKey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 description TestVPN
 set peer 70.131.116.125
 set transform-set ESP-3DES-SHA
 set pfs group1
 match address 111
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

Where it says "set peer x.x.x.x", I think it should say "set peer fqdn.domain.org".

Or perhaps there is a different way?

Thank you for your help.

6 Replies

amessina8
Level 1

Well, I think I've answered my own question... partially.

I have removed the peer IP addresses from my setup and now, the peers are the ones who initiate the connection and it works! Even without me specifying their tunnel endpoint (WAN address)!

Does this mean that the shared key for the dynamic peers is what allows them to connect and gain VPN access or not?

Am I doing the right thing here?

Hello,

Yes, you are doing the right thing; this is what is done for VPN clients. Think about internet dial-up users with a VPN client. They do not even have a DNS entry. So the only thing you can do is to check whether they can authenticate themselves. This is what you do with your setup, and knowing the shared key means you are allowed to connect. So do not publish the key, and better make it something not too easy to guess.

Hope this helps. Please rate all posts.

Regards, Martin

Thank you mheusinger, I appreciate the confirmation. I just began using this router yesterday. I upgraded from a Linksys BEFVP41 which was *very* simple; it was good for a while, but not so reliable with VPNs. That is why I chose to go for a more robust product. Though, I must say that even with the SDM, the Cisco 871 is quite a bit more sophisticated as far as configuration.

m.velu
Level 1

Hi,

You can try out the following.

1. You need to configure a name server in your 871 router to do name resolution first.

!
ip name-server
ip name-server
!

Then, as you said, you can set the peer with the FQDN:

!
set peer
!

M.Velu

I did try that solution, m.velu. In fact, that was the first thing I did, but the router kept resolving those "set peer" statements with FQDNs to "set peer" statements with IP addresses.

I have since found confirmation on the resolution, which I have implemented. The way to do it for peers who have dynamic IPs is that you don't set the peer in the list. You leave it blank and use the Shared Key to authenticate them.

Thank you for your suggestion.

If you don't specify "set peer" your router will not be able to initiate tunnels. It will only accept them. Use "set peer a.b.c.d dynamic" to resolve the peer's hostname to an IP at runtime. But you'll still have to use a wildcard pre-shared key for dynamic peers to authenticate them (or better, implement certificates).
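The combination described in the last reply, as an added example that is not from any post in this thread: a static crypto map entry whose peer is an FQDN with the "dynamic" keyword (so the router re-resolves the name each time it negotiates, instead of freezing the IP at configuration time), kept alongside the thread's dynamic map so the remote side can still initiate. The name server address and the hostname remote-site.dyndns.example are placeholders; the policy, key and ACL numbers are the thread's own.

```cisco
! DNS resolution must work on the router before an FQDN peer is usable
! (placeholder name server address)
ip domain lookup
ip name-server 192.0.2.53
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
! Wildcard pre-shared key, as in the thread: any host that knows TestKey
! may negotiate phase 1, so the key must be long and random. Certificates
! (rsa-sig) remove that exposure; keep the PSK only if that is not an option.
crypto isakmp key TestKey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Static entry: lets the 871 initiate toward the dynamic-IP site.
! "dynamic" after the hostname tells IOS to look the name up at each
! negotiation rather than storing the address resolved at config time.
crypto map SDM_CMAP_1 10 ipsec-isakmp
 description TestVPN (871-initiated)
 set peer remote-site.dyndns.example dynamic
 set transform-set ESP-3DES-SHA
 set pfs group1
 match address 111
!
! Dynamic entry: still accepts tunnels initiated by the remote site,
! whatever address it currently has. No "set peer" is needed here.
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 set pfs group1
!
! The dynamic entry keeps the highest sequence number so the static
! entry above is matched first.
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
```

After the remote address changes, "show crypto isakmp sa" and "show crypto ipsec sa" should show the new peer address once the name has been re-resolved; if the old address persists, check that the DynDNS record itself has been updated.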