Setting up Site-to-Site VPN with Dynamic IP at one end...

Hi,

I've got a Cisco 837 and a Cisco 857 between which I want to set up a site-to-site VPN. Normally this wouldn't be too much trouble, but the 857 end of the tunnel only has a dynamic public IP address.

Here are the two lines that I use in the config on the 837 (the one that does have a static):

!
crypto isakmp key address 210.xxx.xxx.xxx no-xauth
!
crypto map cm-cryptomap 110 ipsec-isakmp
 set peer 210.xxx.xxx.xxx

Is there a way to make the 857 (dynamic IP) always initiate the tunnel so that the 837 doesn't need to have an IP specified?

Any help or comments appreciated.

Cheers,

Martin

What happens if you don't specify an IP address?

-- Lawrence D'Oliveiro

I believe that you can use DMVPN (Dynamic Multipoint VPN) for this.

I have no idea if the 837 can be used at the central site.

A 7200 can! Also check that the 857 can be a DMVPN client; the 857 can't use the Advanced IP Services software.

There is, I believe, a security issue that you should bear in mind.

The router becomes the key to your network. Anyone with the router can plug it into the Internet and get the VPN up. You should consider protecting the router config by disabling password recovery. You can still recover the router, but only with a blank config.

You could obviously use ACLs on the central site to restrict the range of source addresses, and if it became known that the router was missing you could, I am sure, disable it on the central site.

There are config examples on www.cisco. The feature is designed to have minimum configuration requirements on the remote routers.

-- Bod43
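
For the DMVPN route suggested above, here is a minimal hub-and-spoke pair as an added example. It is not config from this thread and has not been verified against the 837/857 feature sets (which the post doubts); treat it as a generic IOS DMVPN skeleton. The public addresses (203.0.113.1 for the hub, 198.51.100.0/24 as the spoke's ISP range), the 10.255.0.0/24 tunnel subnet, the 192.168.x.0 LANs, the key strings, the Dialer0 WAN interface and the names DMVPN-TS, DMVPN-PROF and nhrpauth are all assumptions. It also carries the two security points from the post: the pre-shared key on the hub is limited to the spoke's ISP range instead of 0.0.0.0 0.0.0.0, and password recovery is disabled on the spoke.

```cisco
! ===== Hub: the router with the static public address (assumed 203.0.113.1) =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! The hub cannot know the spoke's address in advance, so the key is matched by
! network mask rather than a single peer. Narrowing it to the spoke's ISP range
! (assumed 198.51.100.0/24) is the "restrict the source addresses" step;
! "address 0.0.0.0 0.0.0.0" would accept any source that holds the key.
crypto isakmp key HubSpokeKey address 198.51.100.0 255.255.255.0 no-xauth
! Dead peer detection: a spoke whose public address changed is torn down and re-admitted quickly
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication nhrpauth
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Spoke LAN reached via the spoke's (fixed) tunnel address; a routing protocol over the tunnel is the usual DMVPN choice
ip route 192.168.20.0 255.255.255.0 10.255.0.2
!
! ===== Spoke: the router on the dynamic public address =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! The spoke does know the hub's address, so its key entry is for that one peer
crypto isakmp key HubSpokeKey address 203.0.113.1 no-xauth
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication nhrpauth
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 ! Let the hub overwrite the old NBMA (public) address when the spoke's dynamic IP changes
 ip nhrp registration no-unique
 tunnel source Dialer0
 tunnel destination 203.0.113.1
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
ip route 192.168.10.0 255.255.255.0 10.255.0.1
!
! Mitigation for a stolen spoke, as the post suggests: the ROMMON break-in procedure can no
! longer read the startup config (and with it the pre-shared key); the box can only be
! recovered by wiping it. Needs an IOS release that has the command.
no service password-recovery
```

Once the spoke has registered, `show ip nhrp` on the hub lists the spoke's current public address. If the spoke is reported missing, removing the `crypto isakmp key` entry on the hub (or replacing the key) stops it re-registering, which is the "disable it on the central site" step. A WAN-facing ACL on the hub can additionally limit UDP 500, ESP and GRE to the same ISP range, but it then also has to allow the hub's own return traffic, so it is left out of the skeleton above.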

It won't accept the command. I'm going to look into the post from Bod43 about Dynamic Multipoint VPN. Cheers

-- Martin

Another idea might be to forgo the Cisco approach and try something more flexible.

-- Lawrence D'Oliveiro

What version of IOS are you running? Maybe you can just specify a dynamic DNS name, e.g.:

crypto isakmp key address 210.xxx.xxx.xxx no-xauth
!
crypto map cm-cryptomap 110 ipsec-isakmp
 set peer yourpeer.dyndns.org dynamic

Would not be necessary in this scenario. Real-Time Resolution for IPSec Tunnel Peer is available since 12.3(4)T.

See this link for further information: (link not preserved in the archived post)

-- Martin Turba
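
The approach that answers the original question most directly, without DMVPN, is a dynamic crypto map on the static side: the 837 then has no `set peer` at all and simply answers whichever 857 presents the right key and proxy identities, while the 857 keeps an ordinary crypto map pointing at the 837 and is therefore always the initiator. The following is an added example, not config from this thread. The addresses (203.0.113.1 for the 837, 198.51.100.0/24 as the 857's ISP range, 192.168.10.0/24 and 192.168.20.0/24 as the LANs), the key string SiteKey, the names DYN, TS and VPN-TRAFFIC, and the Dialer0 interface are assumptions; `cm-cryptomap` and `no-xauth` are carried over from Martin's own config. The commented-out lines at the end show the DDNS variant from the post above in the same layout.

```cisco
! ===== 837: static public address (assumed 203.0.113.1), LAN 192.168.10.0/24 =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! The 857's address is unknown, so the key is matched against its ISP range
! (assumed 198.51.100.0/24) rather than a single address
crypto isakmp key SiteKey address 198.51.100.0 255.255.255.0 no-xauth
crypto isakmp keepalive 10 3
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Dynamic crypto map: no "set peer"; the peer address is learned from whoever initiates.
! "match address" still pins the proxy identities the 857 is allowed to propose.
crypto dynamic-map DYN 10
 set transform-set TS
 match address VPN-TRAFFIC
!
! Entries with fixed peers would take lower sequence numbers; the dynamic entry is tried last
crypto map cm-cryptomap 110 ipsec-isakmp dynamic DYN
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
interface Dialer0
 crypto map cm-cryptomap
!
! ===== 857: dynamic public address, LAN 192.168.20.0/24 =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key SiteKey address 203.0.113.1 no-xauth
crypto isakmp keepalive 10 3
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Ordinary static map: the 857 knows the 837's address and is the only side that can bring the tunnel up
crypto map cm-cryptomap 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
interface Dialer0
 crypto map cm-cryptomap
!
! ===== Variant on the 837 (the DDNS approach from the post above) =====
! Resolving the 857's DDNS name at negotiation time lets the 837 initiate as well, but only
! while the DDNS record is current and the ISAKMP key entry still matches the address the
! name resolves to. The hostname is an assumption.
! crypto map cm-cryptomap 110 ipsec-isakmp
!  set peer peer857.dyndns.org dynamic
!  set transform-set TS
!  match address VPN-TRAFFIC
```

With the dynamic map the 837 cannot start the tunnel: traffic from its LAN is dropped until the 857 has negotiated, so if the tunnel must be up before anyone behind the 857 talks, the 857 side needs to generate interesting traffic itself (a host ping, or an `ip sla` probe on IOS releases that have it). `show crypto isakmp sa` on the 837 shows the 857's current address once it has connected, and, as with the DMVPN case, removing the key entry on the 837 locks out a lost 857.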

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.