Question, Dynamic VPN

Hey all,

This has always bugged the crap out of me and I can't find an answer anywhere.

On a static-to-dynamic VPN, PIX, router, whatever platform, it doesn't matter, how the heck does the static end know what traffic to put in the tunnel? On the static side you give it the nonat for the dynamic side, you give it a 0.0.0.0 as the peer, but you don't specify the "match address" in the map..... On the dynamic side you give it everything: peer IP, nonat and the appropriate "match address" in the map.

How the heck does it know what traffic to put in to that tunnel?

-Brian

Brian V

Answering with respect to PIX 5/6:

On a PIX with static IP address that is to receive connections from a dynamic device, you configure a crypto dynamic-map with at least a transform set, and you "inject" that dynamic-map into the regular crypto map with a special keyword. You do *not* specify a peer at all (not even as 0.0.0.0).

Optionally, you may put in a match address clause, which may go either in the dynamic-map entry or the main crypto-map entry that refers to the dynamic map.

If you do specify a match address clause and there is a destination of 'any' in it, then when the PIX negotiates the connection, it will automatically narrow the 'any' down to just the address assigned to the dynamic peer (via 'ip pool' or 'vpngroup address-pool').

If you do not specify a match address clause, then the PIX automatically creates a temporary ACL with a source of 'any' and a destination of the address assigned to the dynamic peer, and the PIX then attaches that temporary ACL with a temporary match address clause, and then proceeds as if the match address had originally been there.

Walter Roberson
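The static-side configuration Walter describes, written out as an added PIX 6.x example (not from the original post; all names, addresses and the `!` annotation lines are my own placeholders). Note that the crypto map entry carrying the dynamic map has no `set peer`, and that the only place 0.0.0.0 appears is the wildcard pre-shared key:

```text
! Pool handed to the dynamic peer; Walter's "ip pool" / "vpngroup address-pool"
ip local pool VPNPOOL 192.168.100.1-192.168.100.50

! Keep traffic to the pool out of NAT (the "nonat" the question mentions)
access-list NONAT permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 1: the peer address is unknown, so the key is bound to 0.0.0.0/0.0.0.0
isakmp enable outside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2: the dynamic-map needs at least a transform set ...
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA

! ... and is injected into the regular crypto map with the "dynamic" keyword.
! No "set peer" and no "match address": the PIX builds the temporary ACL
! (source any, destination = the address assigned from VPNPOOL) itself.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP client configuration address respond
crypto map OUTSIDE-MAP interface outside

! Let the decrypted traffic bypass the interface ACLs
sysopt connection permit-ipsec
```

Because the dynamic entry uses the highest sequence number, any static peers added later with a lower sequence number are matched first, and the dynamic entry only catches peers nothing else matched.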

Heya Walter, thanks for the reply. Would it be safe to assume (damn, I hate that word) that it uses a dynamic ACL for the dynamic site? You say it does a temp permit all, then it must tighten that down.... I can't seem to find anything on CCO regarding this and how it works. About not specifying the 0.0.0.0 peer... I could see that being used for cert-based VPN, but you would have to specify a 0.0.0.0 when using preshared keys. Out of the hundreds of tunnels I've knocked up, all of them have been preshared. Am I wrong here? I can't see how to do preshared with specifying the 0.0.0.0.
Thanks,

-Brian

Brian V