12-29-2015 04:55 PM
Hi,
I will be building a site to site IPSEC VPN tunnel with an external party who is using a dynamic IP address.
He is using dyndns to associate a domain to the IP.
May I know what are the issues of having a remote party using dynamic IP address?
Does IPSEC automatically rebuild the tunnel when the IP changes?
12-29-2015 06:12 PM
And to answer your other question, about rebuilding the VPN when the IP address changes: you want to make sure DPD (dead peer detection) is enabled.
I found this article about enabling it on the Cyberoam:
http://kb.cyberoam.com/default.asp?id=58
The VPN won't come back up again till the DNS is updated and the CSR1000V sees the change. If there are any caching DNS servers with a minimum TTL, this will cause the VPN to break for an average of half the minimum TTL.
So if your ISP enforces a minimum TTL of 1 hour and the IP address changes, on average it will take 30 minutes for the VPN to start working again, and a maximum of 1 hour.
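The downtime window described above can be modelled with a small simulation. This is an added example, not code from the thread, Cisco or Cyberoam: it assumes a caching resolver that enforces a minimum TTL, a router that only re-resolves the peer FQDN after DPD has declared the old peer dead, and a fixed retry interval for the DNS lookup. All addresses and timing values are constructed.

```python
"""Model of how long a site-to-site tunnel stays down after the remote peer's
dynamic IP changes, when the local router learns the peer address via DNS
through a caching resolver that enforces a minimum TTL.

Added example (not from the thread): the resolver model, the DPD detection
time and the DNS retry interval are assumptions chosen to illustrate the
claim that the outage averages about TTL/2 and peaks at about one TTL.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

OLD_IP = "198.51.100.10"   # constructed: peer address before the change
NEW_IP = "198.51.100.77"   # constructed: peer address after the change


@dataclass
class CachingResolver:
    """Minimal caching resolver: keeps serving a cached answer until its TTL expires."""
    ttl: int                          # minimum TTL enforced by the resolver (seconds)
    cached_ip: Optional[str] = None
    expires_at: float = 0.0

    def resolve(self, now: float, authoritative_ip: str) -> str:
        """Return the address a client querying at time `now` would receive."""
        if self.cached_ip is None or now >= self.expires_at:
            # Cache miss or expired entry: fetch the current authoritative answer.
            self.cached_ip = authoritative_ip
            self.expires_at = now + self.ttl
        return self.cached_ip


def outage_seconds(change_time: float, ttl: int, dpd_detect_seconds: float,
                   poll_interval: float = 10.0, cache_filled_at: float = 0.0) -> float:
    """Seconds between the peer's IP change and the router learning the new address.

    The resolver cached the old answer at `cache_filled_at`. The peer changes
    address at `change_time`; DPD needs `dpd_detect_seconds` to declare the old
    peer dead, after which the router re-resolves the FQDN every `poll_interval`
    seconds until the cached (stale) answer has expired.
    """
    resolver = CachingResolver(ttl)
    resolver.resolve(cache_filled_at, OLD_IP)          # populate the cache with the old address
    t = change_time + dpd_detect_seconds               # DPD fires; router starts re-resolving
    while resolver.resolve(t, NEW_IP) == OLD_IP:       # stale answer still being served
        t += poll_interval
    return t - change_time


def expected_outage(ttl: int, dpd_detect_seconds: float,
                    poll_interval: float = 10.0) -> Tuple[float, float]:
    """Mean and worst-case outage when the IP change is equally likely at any
    second of the cached record's lifetime."""
    samples = [
        outage_seconds(float(k), ttl, dpd_detect_seconds, poll_interval)
        for k in range(ttl)
    ]
    return sum(samples) / len(samples), max(samples)


if __name__ == "__main__":
    mean, worst = expected_outage(ttl=3600, dpd_detect_seconds=30.0)
    print(f"1h minimum TTL: mean outage {mean / 60:.1f} min, worst case {worst / 60:.0f} min")
```

With a one-hour minimum TTL the mean comes out close to 30 minutes and the worst case is the full hour, matching the estimate above; lowering the TTL on the dyndns record only helps if no resolver in the path overrides it with a larger minimum.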
12-29-2015 04:56 PM
What device do you have and what device do they have?
12-29-2015 05:37 PM
Remote party - Cyberoam CR-200i
Me - Cisco CSR 1000v
12-29-2015 06:06 PM
You are likely to have issues.
On modern Cisco IOS with IKEv1 you can use:
crypto map vpn 10 ipsec-isakmp
 set peer <FQDN> dynamic
 ...
which causes the router to do a dynamic DNS lookup. I don't know if IOS-XE on the CSR-1000v supports this.
You could also use IKEv2 and an email or peer ID:
crypto ikev2 keyring kr-site-to-site
 peer remote-site
  identity email remote@email-identity.com
  ...
However I don't think the Cyberoam are very sophisticated in this area, so expect to have issues. I'd personally use the IKEv2 approach if the Cyberoam can handle it.
12-29-2015 06:13 PM
I just did a Google for "Cyberoam IKEv2" and got pretty much nothing back. I take that to mean it has little or poor VPN IKEv2 support.