12-07-2013 08:43 AM
Hi, is it possible to configure a site-to-site VPN when both sides have dynamic IP addresses assigned?
Both ASA devices have the latest firmware.
//:Erik
12-07-2013 09:03 AM
Certainly on a router you can tie your crypto-map to the "any" address (0.0.0.0 0.0.0.0). Assuming you're using PSK, that means you'll accept any connection as long as the PSK and the crypto-map configuration match. That would allow dynamically addressed routers to connect.
For the ASA, I'm not sure.
Sent from Cisco Technical Support iPad App
12-08-2013 12:56 PM
Eric
I have thought about your question and wondered about the possibility of configuring the "any" option as suggested by Jeff. But after considering this I believe that there is a problem in this approach. While it is certainly a viable configuration and works quite well to accept a connection request from any other device, I believe that it is sort of like configuring to set up an Etherchannel. If you set both ends as passive then they will both accept a connection request. But there is not anything set up to initiate the request. For this crypto configuration both peers will accept a connection request, but I do not see how you get either peer to initiate a connection request to the other.
I have not been able to think of a way to do what you want and to establish a site-to-site VPN when both peers are using dynamic addresses. The closest I have come is to use dynamic DNS and base the peering on names rather than addresses. But I cannot remember seeing anything where someone has done it this way.
HTH
Rick