Solved

Cisco VPN site-to-site and DDNS

Posted on 2011-09-09
Last Modified: 2012-05-12
Hi Experts,

I've often read that Cisco IOS can't initiate a VPN site-to-site connection between two dynamic IPs.
Is it true? And if it is, how is it possible? With two simple Linksys RV042 and two DDNS addresses it works perfectly...

Thanks for your answers.
Question by:Galadorn
12 Comments
 

Accepted Solution

by:
genie4all earned 500 total points
ID: 36509184
Hi,

Cisco PIX older versions were not capable of establishing L2L tunnels with dynamic IPs. However, you can build an IPsec VPN tunnel between Cisco routers, both on dynamic IP addresses.

In order to configure a LAN-to-LAN Virtual Private Network (VPN) tunnel between two routers with dynamic IP addresses, complete these steps apart from the basic configuration:

Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map. On the remote router, configure the dynamic crypto map without the use of the peer statement.

With the use of the set peer dynamic command, the host name of the IP Security (IPsec) peer is resolved through a domain name server (DNS) lookup before the router establishes the IPsec tunnel.

Note:

1. Only a router with a static crypto map can initiate the tunnel with the dynamic DNS resolution of the peer statement.

2. This works on Cisco IOS router code 12.3 and above.

Author Comment

by:Galadorn
ID: 36509339
Ok, now that I know it is possible, I'll explain my precise example.
Router A with fixed IP (IOS 12.4)
Router B with dynamic IP (IOS 15.1)
But I need Router A to initiate the VPN, not the other way. For the moment, only Router B can initiate the VPN. When Router A needs to communicate, the VPN is down for timeout reasons and it can't bring the VPN up.

So I need to only modify Router A's config, replacing the dynmap by a static map:
crypto map CryptoTest 65000 ipsec-isakmp
 set peer <my DDNS name here>
 set transform-set VPN
 set pfs group2
 match address VPN

But when I write "set peer <my DDNS name here>", my DDNS name is resolved and hardcoded with an IP. What will happen when my dynamic IP changes?

Author Comment

by:Galadorn
ID: 36509488
Argh !
I tried this ten times and only now I see you can add "dynamic" behind it...
set peer <my DDNS name here> dynamic

and it works...

Expert Comment

by:genie4all
ID: 36509579
Glad to hear it's working...

That's what I mentioned in my earlier post: Configure the set peer dynamic command on one side of the tunnel with the use of the static crypto map. On the remote router, configure the dynamic crypto map without the use of the peer statement.

Regards

Author Comment

by:Galadorn
ID: 36509656
Absolutely, you wrote "set peer dynamic" and that's what gave me the hint :) I didn't read carefully the first time.

And according to my tests: crypto isakmp key 6 <password> address 0.0.0.0 0.0.0.0
doesn't allow everybody to connect; the remote host is limited by "set peer xxx dynamic".
And that's what I want, of course. Am I right?

Expert Comment

by:genie4all
ID: 36509705
You are right. However, be careful in doing 0.0.0.0.

As you know there are chances your VPN can be compromised... your pre-shared key should be long enough and complicated to protect the tunnel.
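A worked two-sided configuration for the situation discussed in this thread (Router A on a static IP initiating to Router B on a dynamic IP), including the pre-shared key binding debated just above. This is an added example, not configuration posted by anyone in the thread; the addresses, the hostname routerb.ddns.example, the DNS server, interface names and subnets are constructed placeholders, and <LONG-RANDOM-PSK> stands for a key you generate.

```cisco
! Router A: static public IP 203.0.113.10 (constructed address)
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
! A does not know B's current address, so the key is bound to the wildcard;
! "set peer ... dynamic" below still limits which hostname may use this map.
crypto isakmp key 0 <LONG-RANDOM-PSK> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
! DNS must work on A: the DDNS name is resolved on every tunnel setup.
ip domain lookup
ip name-server 192.0.2.53
! Static crypto map; "dynamic" stores the hostname instead of the IP it
! resolved to when the line was typed.
crypto map CryptoTest 65000 ipsec-isakmp
 set peer routerb.ddns.example dynamic
 set transform-set VPN
 set pfs group2
 match address VPN
ip access-list extended VPN
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 crypto map CryptoTest
!
! Router B: dynamic public IP registered as routerb.ddns.example
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
! B knows A's static address, so its key is bound to that address only.
crypto isakmp key 0 <LONG-RANDOM-PSK> address 203.0.113.10
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
! B keeps a static map pointing at A's fixed IP, so either side can
! initiate. If A were dynamic too (the accepted answer's case), B would
! use "crypto dynamic-map" with no "set peer" and could only respond.
crypto map CryptoTest 65000 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set VPN
 set pfs group2
 match address VPN
ip access-list extended VPN
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
interface GigabitEthernet0/0
 ip address dhcp
 crypto map CryptoTest
```

Once "password encryption aes" and a config key are enabled, the running configuration shows the key lines as "crypto isakmp key 6 ..." as in the thread; the wildcard binding on A is what makes the length and randomness of the key matter most.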

Author Comment

by:Galadorn
ID: 36509745
For now, I use an 18-character-long password with numbers and special characters.
I tried to use crypto isakmp key 6 <password> hostname <MyHost> instead but it doesn't seem to work. On the remote router, is it the equivalent of the "hostname <MyHost>" command?

Expert Comment

by:genie4all
ID: 36509870
crypto isakmp key 6 <KEY> address <IP>

Expert Comment

by:genie4all
ID: 36523390
Galadorn, Is your issue fixed?

Author Comment

by:Galadorn
ID: 36523756
Yep, I'll let it run Monday and Tuesday just to be sure everything works, and I'll give feedback and points on Wednesday.
I'm not forgetting you :)

Expert Comment

by:genie4all
ID: 36524231
Thanks mate...just making sure you've got it fixed :)

Author Comment

by:Galadorn
ID: 36534434
Everything works perfectly. Thanks for your help.