Cisco VPN site-to-site and DDNS

Hi Experts,

I've often read that Cisco IOS can't initiate a site-to-site VPN connection between two dynamic IPs.
Is it true? And if it is, how is that possible? With two simple Linksys RV042s and two DDNS addresses it works perfectly...

Thanks for your answers.
Galadorn asked:
genie4all commented:
Hi,

Older Cisco PIX versions were not capable of establishing L2L tunnels with dynamic IPs. However, you can build an IPsec VPN tunnel between Cisco routers that are both on dynamic IP addresses.

In order to configure a LAN-to-LAN Virtual Private Network (VPN) tunnel between two routers with dynamic IP addresses, complete these steps in addition to the basic configuration:

Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map. On the remote router, configure the dynamic crypto map without the use of the peer statement.

With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.

Note:

1. Only a router with a static crypto map can initiate the tunnel with the dynamic DNS resolution of the peer statement.

2. This works on Cisco IOS router code 12.3 and above
0
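To make the two steps above concrete, here is an added example of the pair of router configurations they describe. It is editor-supplied example configuration, not text from genie4all's post or from Cisco documentation. Assumed values: Router A has the fixed WAN address 203.0.113.10 and LAN 10.1.0.0/16; Router B gets its WAN address by DHCP, registers it under the DDNS name routerb.dyndns.example and has LAN 10.2.0.0/16; 192.0.2.53 is a reachable DNS resolver; the pre-shared key is a placeholder to be replaced. The AES-256 / SHA-256 / DH group 14 proposal assumes both IOS images support it; an older 12.4 image may only offer a weaker proposal (the thread's own config uses group2), in which case both sides must be set to whatever they share.

```cisco
! ===== Router A: fixed public IP, static crypto map, can INITIATE =====
! Assumed values (example only): WAN 203.0.113.10, LAN 10.1.0.0/16,
! peer DDNS name routerb.dyndns.example, resolver 192.0.2.53.
hostname RouterA
ip domain lookup
ip name-server 192.0.2.53
!
! IKE phase 1 proposal: must match Router B exactly.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Router B's address is not known in advance, so the PSK is bound to the
! 0.0.0.0 wildcard: use a long random secret, because anyone holding it can
! complete IKE phase 1 against this router from any address.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 0.0.0.0 0.0.0.0
! Dead peer detection tears down the stale SA when Router B's address moves.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Static map. The 'dynamic' keyword makes IOS resolve the name by DNS each
! time it sets up the tunnel instead of freezing the address at config time.
crypto map CryptoTest 65000 ipsec-isakmp
 set peer routerb.dyndns.example dynamic
 set transform-set VPN
 set pfs group14
 match address VPN
!
interface GigabitEthernet0/0
 description WAN (static IP)
 ip address 203.0.113.10 255.255.255.248
 crypto map CryptoTest
!
! ===== Router B: dynamic public IP, dynamic crypto map, RESPONDS only =====
hostname RouterB
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Router A's address is fixed, so the PSK is bound to it, not to a wildcard.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.10
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! Dynamic map with no 'set peer': accepts Router A's initiation but, as the
! note above says, cannot initiate the tunnel itself.
crypto dynamic-map DYNMAP 10
 set transform-set VPN
 set pfs group14
 match address VPN
!
crypto map CryptoTest 65000 ipsec-isakmp dynamic DYNMAP
!
interface GigabitEthernet0/0
 description WAN (DHCP-assigned, registered in DDNS)
 ip address dhcp
 crypto map CryptoTest
```

Check the result with `show crypto isakmp sa` and `show crypto ipsec sa` on either router, and with `debug crypto isakmp` on Router A while it brings the tunnel up. Two practical points: after Router B's address changes, Router A can only re-establish the tunnel once the DDNS record has been updated and the old answer has expired from its DNS cache, so a short TTL on the DDNS record shortens the outage; and because Router A's address is fixed, Router B could instead keep a static crypto map with `set peer 203.0.113.10`, in which case either side can initiate, while the dynamic map shown here follows the procedure exactly as the post states it.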
 
Galadorn (author) commented:
OK, now that I know it is possible, I'll explain my precise example.
Router A with fixed IP (IOS 12.4)
Router B with dynIP (IOS 15.1)
But I need Router A to initiate the VPN, not the other way around. For the moment, only Router B can initiate the VPN. When Router A needs to communicate, the VPN is down for timeout reasons and it can't bring the VPN up.

So I only need to modify Router A's config, replacing the dynmap with a static map:
crypto map CryptoTest 65000 ipsec-isakmp
 set peer <my DDNS name here>
 set transform-set VPN
 set pfs group2
 match address VPN

But when I write "set peer <my DDNS name here>", my DDNS name is resolved and hardcoded as an IP. What will happen when my dynamic IP changes?
0
 
Galadorn (author) commented:
Argh!
I tried this ten times and only now do I see that you can add "dynamic" after it...
set peer <my DDNS name here> dynamic

and it works...
0
 
genie4all commented:
Glad to hear it's working...

That's what I mentioned in my earlier post: Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map. On the remote router, configure the dynamic crypto map without the use of the peer statement.

Regards
0
 
Galadorn (author) commented:
Absolutely, you wrote "set peer dynamic" and that's what gave me the hint :) I didn't read carefully the first time.

And according to my tests:
crypto isakmp key 6 <password> address 0.0.0.0 0.0.0.0
doesn't allow everybody to connect; the remote host is limited by "set peer xxx dynamic".
And that's what I want, of course. Am I right?
0
 
genie4all commented:
You are right. However, be careful with 0.0.0.0.

As you know, there is a chance your VPN can be compromised... your pre-shared key should be long and complex enough to protect the tunnel.
0
 
Galadorn (author) commented:
For now, I use an 18-character password with numbers and special characters.
I tried to use crypto isakmp key 6 <password> hostname <MyHost> instead, but it doesn't seem to work. On the remote router, is it the equivalent of the "hostname <MyHost>" command?
0
 
genie4all commented:
crypto isakmp key 6 <KEY> address <IP>
0
 
genie4all commented:
Galadorn, is your issue fixed?
0
 
Galadorn (author) commented:
Yep, I'll let it run Monday and Tuesday just to be sure everything works, and I'll give feedback and points on Wednesday.
I'm not forgetting you :)
0
 
genie4all commented:
Thanks mate... just making sure you've got it fixed :)
0
 
Galadorn (author) commented:
Everything works perfectly. Thanks for your help.
0