Cisco VPN site-to-site and DDNS

Hi Experts,

I've often read that Cisco IOS can't initiate a VPN site-to-site connection between two dynamic IPs.
Is it true? And if it is, how is it possible? With two simple Linksys RV042 and two DDNS addresses it works perfectly...

Thanks for your answers.
genie4all Commented:

Older Cisco PIX versions were not capable of establishing L2L tunnels with dynamic IPs. However, you can build an IPsec VPN tunnel between Cisco routers, both on dynamic IP addresses.

In order to configure a LAN-to-LAN Virtual Private Network (VPN) tunnel between two routers with dynamic IP addresses, complete these steps apart from the basic configuration:

Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map. On the remote router, configure the dynamic crypto map without the use of the peer statement.

With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.

1. Only a router with a static crypto map can initiate the tunnel, with dynamic DNS resolution of the peer statement.

2. This works on Cisco IOS router code 12.3 and above
Galadorn (Author) Commented:
Ok, now that I know it is possible, I'll explain my precise example.
Router A with fixed IP (IOS 12.4)
Router B with dynamic IP (IOS 15.1)
But I need Router A to initiate the VPN, not the other way around. For the moment, only Router B can initiate the VPN. When Router A needs to communicate, the VPN is down for timeout reasons and it can't bring the VPN up.

So I need to modify only Router A's config, replacing the dynamic map with a static map:
crypto map CryptoTest 65000 ipsec-isakmp
 set peer <my DDNS name here>
 set transform-set VPN
 set pfs group2
 match address VPN

But when I write "set peer <my DDNS name here>", my DDNS name is resolved and hardcoded as an IP. What will happen when my dynamic IP changes?
Galadorn (Author) Commented:
Argh!
I tried this ten times and only now I see you can add "dynamic" after it...
set peer <my DDNS name here> dynamic

and it works...
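Worked configuration for the layout this thread arrives at, written by the editor as an added example (it is not genie4all's or Galadorn's posted config): Router A has a fixed address and a static crypto map whose peer is a DDNS name resolved at tunnel setup with "set peer <name> dynamic", Router B has a dynamic address and pins its peer and pre-shared key to A's fixed address, so either side can initiate. The addresses (203.0.113.10, 203.0.113.53, 192.168.1.0/24, 192.168.2.0/24), the DDNS name routerb.dyndns.example, the interface names, the config-key and the pre-shared key are all assumed placeholders, and B's DDNS client is assumed to be in place already. The commented variant at the end is genie4all's both-ends-dynamic procedure from earlier in the thread, where B gets a dynamic crypto map with no peer statement.

```cisco
! Added example (editor's own, not from the thread). All addresses, names and
! keys below are assumed placeholders.

!----- Router A (fixed IP 203.0.113.10, initiates the tunnel by DNS name) -----
! "set peer <name> dynamic" resolves the name on the router, so DNS must work
ip domain lookup
ip name-server 203.0.113.53
!
! Store pre-shared keys as type 6 (AES) in the running config instead of clear
! text; this is what the "6" in "crypto isakmp key 6 ..." in the thread denotes
key config-key password-encrypt MyConfigKey
password encryption aes
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! B's address is not known in advance, so the key is bound to any address.
! Any host that knows this key can complete IKE phase 1 with A: make it long
! and random, as genie4all advises.
crypto isakmp key R4nd0m-L0ng-Pr3sh4r3d-K3y-Example address 0.0.0.0 0.0.0.0
! DPD tears down a dead SA when B's address changes, so the next interesting
! packet triggers a fresh DNS lookup and a new tunnel instead of a timeout
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Static crypto map; "dynamic" keeps the name in the config and resolves it
! each time a tunnel is built, instead of hardcoding the IP at config time
crypto map CryptoTest 65000 ipsec-isakmp
 set peer routerb.dyndns.example dynamic
 set transform-set VPN
 set pfs group2
 match address VPN
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 crypto map CryptoTest

!----- Router B (dynamic IP, DDNS name routerb.dyndns.example) -----
key config-key password-encrypt MyConfigKey
password encryption aes
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! A's address is fixed, so B pins the key to it: no other source can start IKE
crypto isakmp key R4nd0m-L0ng-Pr3sh4r3d-K3y-Example address 203.0.113.10
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! B knows A's fixed address, so a plain static map lets B initiate as well
crypto map CryptoTest 65000 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set VPN
 set pfs group2
 match address VPN
!
interface GigabitEthernet0/0
 ip address dhcp
 crypto map CryptoTest

! Variant from genie4all's procedure (both ends dynamic): replace B's key and
! static map with a wildcard key and a dynamic crypto map with no peer
! statement. Then only A, the static-map side with "set peer ... dynamic",
! can initiate; B can only answer.
! crypto isakmp key R4nd0m-L0ng-Pr3sh4r3d-K3y-Example address 0.0.0.0 0.0.0.0
! crypto dynamic-map DYNMAP 10
!  set transform-set VPN
!  set pfs group2
!  match address VPN
! crypto map CryptoTest 65000 ipsec-isakmp dynamic DYNMAP
```

Check it with "show crypto map" on A, which lists the peer as the name with "dynamic" and the address it currently resolves to, then "show crypto isakmp sa" and "show crypto ipsec sa" on both sides; "debug crypto isakmp" shows the DNS lookup and the phase 1 exchange if the tunnel does not come up. Two caveats a practitioner should keep in mind. First, "set peer ... dynamic" only constrains which address A negotiates the IPsec SA with; the wildcard "address 0.0.0.0 0.0.0.0" key on A lets any host that knows the key complete IKE phase 1, so the key strength is the real protection on that side, which is why the pre-shared key warning later in this thread matters. Second, with pre-shared keys in IKEv1 main mode the responder has to pick the key by the peer's IP address, because the peer's identity only arrives encrypted in the fifth message (RFC 2409 section 5.4); a key bound to a name with "crypto isakmp key ... hostname ..." therefore does not help a peer whose address changes in main mode, which is consistent with the address form being the one that works in this thread. The phase 1 settings (SHA-1, DH group 2) follow the page's own "set pfs group2"; on an IOS release that supports them, SHA-256 and DH group 14 are the better choice.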
Glad to hear it's working...

That's what I mentioned in my earlier post: Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map. On the remote router, configure the dynamic crypto map without the use of the peer statement.

Galadorn (Author) Commented:
Absolutely, you wrote "set peer dynamic" and that's what gave me the hint :) I didn't read carefully the first time.

And according to my tests: crypto isakmp key 6 <password> address
doesn't allow everybody to connect; the remote host is limited by "set peer xxx dynamic".
And that's what I want, of course. Am I right?
You are right. However, be careful in doing

As you know, there are chances your VPN can be compromised... your pre-shared key should be long enough and complicated to protect the tunnel.
Galadorn (Author) Commented:
For now, I use an 18-character password with numbers and special characters.
I tried to use crypto isakmp key 6 <password> hostname <MyHost> instead, but it doesn't seem to work. On the remote router, is the equivalent the "hostname <MyHost>" command?
crypto isakmp key 6 <KEY> address <IP>
Galadorn, Is your issue fixed?
Galadorn (Author) Commented:
Yep, I'll let it run Monday and Tuesday just to be sure everything works, and I'll give feedback and points on Wednesday.
I'm not forgetting you :)
Thanks mate... just making sure you've got it fixed :)
Galadorn (Author) Commented:
Everything works perfectly. Thanks for your help.
Question has a verified solution.