11-20-2009 01:04 PM
11-20-2009 01:48 PM
The PIX does not have the ability to initiate a VPN tunnel to a dynamic DNS hostname. The PIX can only initiate to a hostname defined by the 'name' command in the configuration.
11-20-2009 05:32 PM
Hi ,
@Patrick: If you mean this ain't possible on PIX, then yeah, you are right. Else this may surprise you:
You can build an IPsec VPN tunnel between Cisco routers, both on dynamic IP addresses.
With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.
Note:
1. Only a router with a static crypto map can initiate the tunnel with the dynamic DNS resolution of the peer statement.
2. This works on Cisco IOS router code 12.3 and above
The following example shows a crypto map configuration when IKE will be used to establish the security associations (SAs). In this example, an SA could be set up to either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.
crypto map mymap 10 ipsec-isakmp
match address 101
set transform-set my_t_set1
set peer 10.0.0.1
set peer 10.0.0.2
The following example shows how to configure a router to perform real-time Domain Name System (DNS) resolution with a remote IPSec peer; that is, the host name of peer is resolved via a DNS lookup right before the router establishes a connection (an IPSec tunnel) with the peer.
crypto map secure_b 10 ipsec-isakmp
match address 140
set peer b.cisco.com dynamic
set transform-set xset
interface serial1
ip address 30.0.0.1
crypto map secure_b
access-list 140 permit ...
The following example shows that the first peer, at IP address 1.1.1.1, is the default peer.
crypto map tohub 1 ipsec-isakmp
set peer 1.1.1.1 default
set peer 2.2.2.2
The following example shows that the peer with the host name fred is the default peer.
crypto map tohub 2 ipsec-isakmp
set peer fred dynamic default
set peer barney dynamic
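To make the "set peer hostname dynamic" idea above concrete, here is an added example configuration for two IOS routers that both get their WAN address by DHCP or PPPoE and register it with a DDNS provider; because both sides carry a static crypto map with a DNS-resolved peer, either side can initiate (note 1 above). This is not configuration from the thread or from Cisco documentation: the names site-a.example.com / site-b.example.com, the LAN prefixes, the DDNS provider URL, the resolver address and the pre-shared key are placeholders, and the AES-256 / SHA-256 / group 14 settings assume IOS 15 or later (older 12.3/12.4 code only offers weaker options).

```cisco
! ===== Router A: WAN address via DHCP/PPPoE, registered as site-a.example.com =====
! (placeholder names, prefixes, resolver and key; not the thread's configuration)
hostname site-a
ip domain name example.com
ip domain lookup
! placeholder resolver; it must be reachable over the WAN before the tunnel is up
ip name-server 203.0.113.53
!
! Register the current WAN address with the DDNS provider whenever it changes.
! In the CLI the "?" in the URL must be entered as Ctrl-V followed by "?".
ip ddns update method DDNS-PROVIDER
 HTTP
  add http://USER:PASSWORD@ddns.example.net/nic/update?hostname=<h>&myip=<a>
 interval maximum 1 0 0 0
!
! Phase 1: peers authenticate by FQDN, since neither address is fixed
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp identity hostname
crypto isakmp key PLACEHOLDER-PSK hostname site-b.example.com
! DPD so an SA toward a peer whose address has changed is torn down quickly
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Static crypto map with a DNS-resolved peer: the name is looked up right
! before each IKE attempt, so this side can initiate even though the remote
! address changes (only a static map can initiate this way)
crypto map VPN 10 ipsec-isakmp
 set peer site-b.example.com dynamic
 set transform-set TS
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface Dialer1
 ip address negotiated
 ip ddns update hostname site-a.example.com
 ip ddns update DDNS-PROVIDER
 crypto map VPN
!
! ===== Router B: identical except for the mirrored names and prefixes =====
hostname site-b
crypto isakmp key PLACEHOLDER-PSK hostname site-a.example.com
crypto map VPN 10 ipsec-isakmp
 set peer site-a.example.com dynamic
 set transform-set TS
 match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
interface Dialer1
 ip address negotiated
 ip ddns update hostname site-b.example.com
 ip ddns update DDNS-PROVIDER
 crypto map VPN
```

Check the result with "show crypto isakmp sa" and "show crypto ipsec sa". Two points worth keeping in mind with this design: the peer name is resolved from ordinary DNS, so a stale or tampered DDNS record sends the IKE attempt to the wrong address, and it is the pre-shared key plus the FQDN identity that stops such a host from completing IKE; and the DNS lookup only happens when the router initiates, so the tunnel comes up only when interesting traffic (something matching VPN-TRAFFIC) is sent.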
11-20-2009 06:08 PM
Good to know, I was simply referring to the fact that the PIX cannot resolve DNS hostnames for a VPN peer, but I can see how this would work with the router initiating to the PIX. Very informative update!
11-20-2009 11:19 PM
Thank you very much Paul, I will try this between 2 routers and let you know.
11-21-2009 10:04 AM
Hey elyesfayache,
Anytime .... Please do let us know at your earliest convenience so that this post can be picked up as ANSWERED and other users who have the same question can implement this solution in their network (as and when required).
Regards
M
05-20-2010 04:32 AM
Would it then be possible to do it on the ASA instead of the PIX? I'm talking version 8.
08-21-2011 02:36 PM
Thanks mopaul for your good explanation; in my case, to fix the problem I was also reading this other link:
http://www.networkstraining.com/site-to-site-vpn-with-dynamic-crypto-map
06-08-2013 02:19 PM
Hi Dear Friends,
I have a scenario and a few questions; please do reply, I will be grateful to you.
I have two RV Series routers:
1. RV082
2. RV042
I don't have dynamic IPs on both sides and I have an account on DynDNS. My question is how can I create a VPN on these dynamic IPs? Is it possible? Please do let me know.
If somebody can guide me step by step I will be grateful to you. Thanks
Xulqi
01-07-2014 06:50 PM
Hi Buddies,
I saw the key words in the discussion title are "on both sides"; actually I'm working on a project for a customer where both sides don't have static IP addresses. I was aware a site-to-site VPN over the Internet can be done when one side has a static IP but the other side doesn't.
So I hope someone can clarify for me whether I can deploy it when both sides are via DDNS without a static IP address.
I'm planning to use ASA 5505 or 5510 firewalls.
Thanks a lot!
01-08-2014 06:05 AM
Hi Jesse
It is possible with both sides receiving their IP address by DHCP; I have this case with my customers.
In my experience, setting up IP SLA is good practice to keep the crypto map UP, if that is your case.
I have never worked with ASA; at the moment I have worked only with routers, different IOS (12.4, 15++).
If you tell me the software version of your ASA I can try to make the lab in GNS.
Are you interested in this config on routers?
Regards
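Gerardo does not post the IP SLA configuration he refers to, so the following is an added example (not his or the thread's) of that keepalive for the router setup discussed earlier in the thread. An ICMP probe sourced from the local LAN address toward the remote LAN gateway falls inside the crypto ACL, so it counts as interesting traffic: whenever the tunnel has dropped, the probe makes the static crypto map re-resolve the peer name and re-establish the SA. The addresses, the SLA number and the track object are assumptions.

```cisco
! Probe the far-side LAN gateway from the local LAN address every 30 seconds.
! Source and destination both lie inside the crypto ACL (192.168.1.0/24 to
! 192.168.2.0/24 in the earlier example), so each probe is "interesting
! traffic" that triggers IKE, including the DNS lookup of the peer name,
! whenever no IPsec SA exists.
ip sla 1
 icmp-echo 192.168.2.1 source-ip 192.168.1.1
 frequency 30
 timeout 5000
ip sla schedule 1 life forever start-time now
!
! Track the probe so tunnel loss shows up in the log and can be referenced
! by a floating static route or an EEM applet if a failover action is wanted.
track 1 ip sla 1 reachability
!
! Checks once the tunnel is expected to be up:
!   show ip sla statistics 1
!   show track 1
!   show crypto isakmp sa
!   show crypto ipsec sa
```

The probe interval should be shorter than the IPsec SA idle timeout so the SA never ages out for lack of traffic; the track object is what turns a silent tunnel failure into something a monitoring system can alarm on.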
01-08-2014 07:37 PM
Thank you very much for the reply Gerardo,
The firewall I'm planning to use is ASA5505-BUN-K9 with OS: asa847-k8.bin
Routers will be connected behind the FW for intranet routing; actually there is no hardware on hand, I have to make sure this can be done for this option, then I can go ahead and order the devices.
I am also going to try it in the GNS lab; I hope it can work, and I will update you later.
Thanks a lot !
08-08-2014 10:36 AM
Hi GMarciales
Would you share the whole config of the routers?
One more scenario: one side an ASA holding PPPoE with a DDNS configuration and the other side a router holding PPPoE with DDNS; is it possible to make a site-to-site VPN with this scenario?