Galadorn

asked on

Cisco VPN site-to-site and DDNS

Hi Experts,

I've often read that Cisco IOS can't initiate a VPN site-to-site connection between two dynamic IPs.
Is it true? And if it is, how is it possible? With two simple Linksys RV042 and two DDNS addresses it works perfectly...

Thanks for your answers.
ASKER CERTIFIED SOLUTION
genie4all
Galadorn

ASKER

OK, now that I know it is possible, I'll explain my precise example.
Router A with fixed IP (IOS 12.4)
Router B with dynamic IP (IOS 15.1)
But I need Router A to initiate the VPN, not the other way round. For the moment, only Router B can initiate the VPN. When Router A needs to communicate, the VPN is down for timeout reasons and it can't bring the VPN up.

So I only need to modify Router A's config, replacing the dynmap by a static map:
crypto map CryptoTest 65000 ipsec-isakmp
 set peer <my DDNS name here>
 set transform-set VPN
 set pfs group2
 match address VPN

But when I write "set peer <my DDNS name here>", my DDNS name is resolved and hard-coded as an IP. What will happen when my dynamic IP changes?
Argh!
I tried this ten times and only now I see you can add "dynamic" at the end...
set peer <my DDNS name here> dynamic

and it works...
Glad to hear it's working...

That's what I mentioned in my earlier post: Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map. On the remote router, configure the dynamic crypto map without the use of the peer statement.

Regards
Absolutely, you wrote "set peer dynamic" and that's what gave me the hint :) I didn't read carefully the first time.

And according to my tests: crypto isakmp key 6 <password> address 0.0.0.0 0.0.0.0
doesn't allow everybody to connect; the remote host is limited by "set peer xxx dynamic".
And that's what I want, of course. Am I right?
You are right. However, be careful with 0.0.0.0
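Worked example, added here and not taken from the thread or from Cisco: the complete static-map side of Router A as the thread ends up with it, with the ISAKMP policy, transform set, DNS resolver and DPD keepalive filled in. The DDNS name, LAN prefixes, name-server address and interface name are assumed placeholders.

```cisco
! Router A (fixed IP) -- added example, not the thread's own config.
! Assumed: DDNS name routerb.dyn.example.net for Router B, LAN 10.1.0.0/16
! behind A, LAN 10.2.0.0/16 behind B, WAN interface GigabitEthernet0/0.
!
! The "dynamic" peer is only useful if the router can resolve the name.
! DNS answers are unauthenticated, so the PSK is what really authenticates B.
ip domain lookup
ip name-server 192.0.2.53
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! Wildcard key: any source address may attempt IKE with this PSK, so the
! key carries the whole authentication burden; keep it long and random.
crypto isakmp key 6 <PSK> address 0.0.0.0 0.0.0.0
! Dead Peer Detection: a stale SA is torn down and renegotiated instead of
! leaving the tunnel "down for timeout reasons" until B initiates again.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended VPN
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Static map: "dynamic" makes IOS look up the DDNS name right before it
! builds the tunnel instead of freezing the address at configuration time,
! and (as observed in the thread) limits which peer this map accepts.
crypto map CryptoTest 65000 ipsec-isakmp
 set peer routerb.dyn.example.net dynamic
 set transform-set VPN
 set pfs group2
 match address VPN
!
interface GigabitEthernet0/0
 crypto map CryptoTest
```

Router B keeps its existing configuration that points at Router A's fixed address; only Router A needs the change shown above.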

As you know there are chances your VPN can be compromised... your pre-shared key should be long enough and complicated to protect the tunnel.
For now, I use an 18-character-long password with numbers and special characters.
I tried to use crypto isakmp key 6 <password> hostname <MyHost> instead but it doesn't seem to work. On the remote router, is it the equivalent of the "Hostname <MyHost>" command?
crypto isakmp key 6 <KEY> address <IP>
Galadorn, Is your issue fixed?
Yep, I let it run Monday and Tuesday just to be sure everything works, and I'll give feedback and points on Wednesday.
I'm not forgetting you :)
Thanks mate... just making sure you've got it fixed :)
Everything works perfectly. Thanks for your help.