Galadorn
asked on
Cisco VPN site-to-site and DDNS
Hi Experts,
I've often read that Cisco IOS can't initiate a VPN site-to-site connection between two dynamic IPs.
Is it true? And if it is, how is it possible? With two simple Linksys RV042 and two DDNS addresses it works perfectly...
Thanks for your answers.
ASKER
Argh !
I tried this ten times and only now I see you can add "dynamic" behind...
set peer <my DDNS name here> dynamic
and it works...
Glad to hear it's working...
That's what I mentioned in my earlier post: Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map. On the remote router, configure the dynamic crypto map without the use of the peer statement.
Regards
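The two-sided layout described in the post above, as an added example that is not part of the original thread or of either poster's configuration. The names CryptoTest and VPN (transform set and ACL) are reused from the asker's posts and assumed to be defined already; DynTest, the name-server address and the interface are placeholders.

```cisco
! Added example. Side 1: static crypto map, peer named by DDNS hostname.
! "dynamic" makes IOS resolve the name when the tunnel is set up,
! instead of storing the IP it resolved when the line was entered.
! The router needs a working resolver for this (placeholder address).
ip name-server <DNS server IP>
crypto isakmp key 6 <password> address 0.0.0.0 0.0.0.0
crypto map CryptoTest 65000 ipsec-isakmp
 set peer <my DDNS name here> dynamic
 set transform-set VPN
 set pfs group2
 match address VPN
interface <WAN interface>
 crypto map CryptoTest
!
! Side 2 (remote router): dynamic crypto map, no "set peer" statement.
! It accepts the tunnel but cannot start it. DynTest is a placeholder name.
! If side 1 has a fixed address, narrow the key to it instead of 0.0.0.0:
!   crypto isakmp key 6 <KEY> address <IP>
crypto isakmp key 6 <password> address 0.0.0.0 0.0.0.0
crypto dynamic-map DynTest 10
 set transform-set VPN
 set pfs group2
 match address VPN
crypto map CryptoTest 65000 ipsec-isakmp dynamic DynTest
interface <WAN interface>
 crypto map CryptoTest
```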
ASKER
Absolutely, you wrote "set peer dynamic" and that's what gave me the hint :) I did not read carefully the first time.
And according to my tests: crypto isakmp key 6 <password> address 0.0.0.0 0.0.0.0
doesn't allow everybody to connect; remote host is limited by "set peer xxx dynamic"
And that's what I want of course. Am I right?
You are right. However, be careful in doing 0.0.0.0.
As you know, there are chances your VPN can be compromised... your preshared key should be long enough and complicated to protect the tunnel.
ASKER
For now, I use an 18-character-long password with numbers and special keys.
I tried to use crypto isakmp key 6 <password> hostname <MyHost> instead but it doesn't seem to work. On the remote router, is it the equivalent of the "Hostname <MyHost>" command?
crypto isakmp key 6 <KEY> address <IP>
Galadorn, is your issue fixed?
ASKER
Yep, I let it run Monday and Tuesday just to be sure everything works and I'll give feedback and points on Wednesday.
I'm not forgetting you :)
Thanks mate...just making sure you've got it fixed :)
ASKER
Everything works perfectly. Thanks for your help.
ASKER
Router A with fixed IP (IOS 12.4)
Router B with dynIP (IOS 15.1)
But I need Router A to initiate the VPN, not the other way around. For the moment, only Router B can initiate the VPN. When Router A needs to communicate, the VPN is down because of a timeout and Router A can't bring the VPN up.
So I only need to modify Router A's config, replacing the dynmap with a static map:
crypto map CryptoTest 65000 ipsec-isakmp
set peer <my DDNS name here>
set transform-set VPN
set pfs group2
match address VPN
But when I write "set peer <my DDNS name here>", my DDNS name is resolved and hardcoded as an IP. What will happen when my dynIP changes?