09-17-2012 11:36 PM
Hello,
I need help with configuring an IPsec site-to-site VPN using a dynamic IP at the remote site.
Now I need a little bit of help with how to configure DynDNS at the remote site, and then how to get a
site-to-site VPN between the HQ with the static IP and the BO with the dynamic IP.
Yours
H.-J. Guenter
09-18-2012 01:47 AM
The ASA doesn't support DynDNS with the HTTP method. And for a site-to-site VPN you need static IPs on both ends.
You can build your VPN in two ways:
1) configure a static VPN on the remote ASA, configure a dynamic VPN on the central ASA.
2) configure EasyVPN remote on the remote ASA and EasyVPN Server on the central ASA.
I would prefer solution 2.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-18-2012 02:51 AM
Hi karsten.iwen,
Thanks for your answer, but I've got one more question, because at the BO we have a dynamic IP.
I'll show you the configuration here:
(HQ) Network -> - <- ASA -> Static IP <- Internet -> Dynamic IP <- ASA -> - <-Network (BO)
I found some documents about configuring a site-to-site VPN when both sites have a static IP,
but I don't know what I have to configure on the ASA at the HQ so that the ASA accepts the
connection of the BO ASA with the dynamic IP. In all the configs I have found on the internet,
I have found only one entry; must that be on the HQ ASA side in the config?
Yours Sincerely
09-18-2012 03:06 AM
The wildcard-PSK belongs to my solution 1) where you configure a static VPN on the branch and a dynamic VPN on the HQ. Wildcard PSKs are not considered a best practice and should be avoided. A better solution would use digital certificates.
But nevertheless, if you want to implement it that way, here is an example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
It uses a PIX with v7.x, but it shows what is needed on the HQ-ASA. The BO-ASA uses a standard VPN-S2S-setup.
Also look at the EasyVPN-Solution in the following example:
Perhaps that will fit your needs better than the dynamic VPN above.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
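To make solution 1) concrete, here is an added configuration example (not from the thread, and not Cisco's linked PIX 7.x document). It assumes ASA 8.4+ IKEv1 syntax, an outside interface named "outside", a constructed HQ public IP of 203.0.113.1, and constructed LANs 10.10.0.0/24 (HQ) and 10.20.0.0/24 (BO); the transform-set, map and object names are also assumptions. The HQ side uses a dynamic crypto map plus the DefaultL2LGroup pre-shared key (that is the "wildcard PSK" being discussed), while the BO side is an ordinary static L2L configuration pointing at the HQ address.

```text
! ===== HQ ASA (static public IP 203.0.113.1; branch address is unknown) =====
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! A peer whose IP matches no tunnel-group falls back to DefaultL2LGroup.
! The key set here is therefore shared with *every* unknown L2L peer: this
! is the wildcard PSK, and the reason the thread recommends certificates.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
!
! Phase 2: dynamic crypto map. It must carry the highest sequence number in
! the outside map so that static entries (if any) are evaluated first.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-BO 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-BO 10 set pfs group2
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-BO
crypto map OUTSIDE-MAP interface outside
!
! NAT exemption (8.3+ twice-NAT syntax) so LAN-to-LAN traffic is untranslated
object network HQ-LAN
 subnet 10.10.0.0 255.255.255.0
object network BO-LAN
 subnet 10.20.0.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BO-LAN BO-LAN no-proxy-arp route-lookup

! ===== BO ASA (dynamic public IP; standard static L2L config towards HQ) =====
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! The branch knows the HQ address, so it gets a normal per-peer tunnel-group.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
!
! Interesting traffic: BO LAN to HQ LAN (mirror of what HQ will accept)
access-list VPN-TO-HQ extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside
!
object network BO-LAN
 subnet 10.20.0.0 255.255.255.0
object network HQ-LAN
 subnet 10.10.0.0 255.255.255.0
nat (inside,outside) source static BO-LAN BO-LAN destination static HQ-LAN HQ-LAN no-proxy-arp route-lookup
```

Two properties of this design are worth keeping in mind. First, only the branch can bring the tunnel up: the HQ has no peer address to dial, so traffic must originate from the BO side (or a keepalive must be configured there) before HQ-to-BO traffic can flow. Second, because DefaultL2LGroup authenticates any peer that presents the shared key, the key should be long and random, and the dynamic map's transform-set and PFS settings must match the branch exactly or phase 2 will fail. Moving to certificates later means switching the IKEv1 policy to rsa-sig authentication and replacing the pre-shared-key lines with a trust-point, which removes the wildcard secret entirely. Verification on either box is done with show crypto ikev1 sa and show crypto ipsec sa.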
09-18-2012 05:39 AM
I have seen on cisco.com that the ASA can use DDNS for a dynamic IP. Is this
a way to get around the wildcard PSK?
I would have to look again at exactly how that is to be configured, and then how the
HQ ASA gets the dynamic IP of the BO ASA, so that a direct site-to-site VPN without
a wildcard PSK can be used.
09-18-2012 06:57 AM
I have seen on cisco.com that the ASA can use DDNS for a dynamic IP. Is this
a way to get around the wildcard PSK?
No, the DDNS function is only for the IETF method, not for the HTTP method used with services like DynDNS.org.
I would have to look again at exactly how that is to be configured, and then how the
HQ ASA gets the dynamic IP of the BO ASA, so that a direct site-to-site VPN without
a wildcard PSK can be used.
The only way to avoid the wildcard-PSKs is to use digital certificates. A workaround is to use EasyVPN where the PSK is assigned to a VPN-group instead of an IP.
Or even better, get a fixed IP for your branch-office.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni