Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Cisco (http://www.velocityreviews.com/forums/f27-cisco.html)
-   -   Setting up Site to Site VPN with Dynamic IP at 1 end... (http://www.velocityreviews.com/forums/t379825-setting-up-site-to-site-vpn-with-dynamic-ip-at-1-end.html)

Martin 11-26-2006 09:11 AM

Setting up Site to Site VPN with Dynamic IP at 1 end...
 
Hi,

I've got a Cisco 837 and a Cisco 857 that I want to set up a site to site
VPN between - normally this wouldn't be too much trouble but the 857 end of the
tunnel only has a dynamic public IP address.

Here are the 2 lines that I use in the config on the 837 (the one that does
have a static)-
!
crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
!
crypto map cm-cryptomap 110 ipsec-isakmp
set peer 210.xxx.xxx.xxx

Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
that the 837 doesn't need to have an IP specified?

Any help or comments appreciated

cheers

martin



Lawrence D'Oliveiro 11-26-2006 10:49 AM

Re: Setting up Site to Site VPN with Dynamic IP at 1 end...
 
In message <ekblml$gsc$1@lust.ihug.co.nz>, Martin wrote:

> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
> that the 837 doesn't need to have an IP specified?


What happens if you don't specify an IP address?

Bod43@hotmail.co.uk 11-26-2006 04:20 PM

Re: Setting up Site to Site VPN with Dynamic IP at 1 end...
 

Lawrence D'Oliveiro wrote:
> In message <ekblml$gsc$1@lust.ihug.co.nz>, Martin wrote:
>
> > Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
> > that the 837 doesn't need to have an IP specified?

>
> What happens if you don't specify an IP address?


I believe that you can use DMVPN for this.
Dynamic Multipoint VPN.

I have no idea if the 837 can be used in the central site;
a 7200 can!! Also check that the 857 can be a DMVPN client.
857 can't use Advanced IP Services software.

There is I believe a security issue that you should bear in mind.

The router becomes the key to your network. Anyone
with the router can plug it in to the Internet and get the VPN up.
You should consider protecting the router config by disabling
password recovery. You can still recover the router but
only with a blank config.

You could obviously use ACLs on the central site to
restrict the range of source addresses and if it became known
that the router was missing you could I am sure disable it
on the central site.

There are config examples on www.cisco. The feature is designed
to have minimum configuration requirements on the remote routers.
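
A concrete shape for the DMVPN suggestion and the two hardening points in the reply above (disable password recovery, restrict the source ranges the hub will talk to), as an added example that is not from the post and not a Cisco documentation example. The addresses are assumed: hub public IP 203.0.113.1, spoke ISP range 198.51.100.0/24, hub LAN 192.168.1.0/24, spoke LAN 192.168.2.0/24, tunnel network 10.255.0.0/24; <sharedkey> and <nhrpkey> are placeholders. Whether a particular 837 or 857 image supports the hub or spoke role is the question the reply leaves open, so check the feature set before pasting.

```cisco
! ==== HUB: static public IP on Dialer0 (203.0.113.1, assumed) ====
! Possession of the router is possession of the VPN, so make a stolen box
! useless: with password recovery disabled the only way back in is a wiped config.
no service password-recovery
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Wildcard pre-shared key: the hub cannot know the spoke's address ahead of
! time. Any host holding <sharedkey> can now start IKE, which is why the WAN
! ACL below narrows the sources that are even allowed to try.
crypto isakmp key <sharedkey> address 0.0.0.0 0.0.0.0 no-xauth
! Dead peer detection, so an SA to a spoke that changed address is torn down.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp authentication <nhrpkey>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
! The spoke LAN is routed to its tunnel address; NHRP registration tells the
! hub which public IP 10.255.0.2 is currently sitting behind.
ip route 192.168.2.0 255.255.255.0 10.255.0.2
!
! Only the spoke's ISP range may start IKE or send ESP. If the 857 goes
! missing, remove its range (or the whole permit) and clear the SA.
ip access-list extended WAN-IN
 permit udp 198.51.100.0 0.0.0.255 any eq isakmp
 permit udp 198.51.100.0 0.0.0.255 any eq non500-isakmp
 permit esp 198.51.100.0 0.0.0.255 any
 deny   udp any any eq isakmp log
 deny   udp any any eq non500-isakmp log
 deny   esp any any log
 permit ip any any
interface Dialer0
 ip access-group WAN-IN in
!
! ==== SPOKE: 857, dynamic public IP on Dialer0 ====
no service password-recovery
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! The spoke knows the hub's fixed address, so its key can stay address-bound.
crypto isakmp key <sharedkey> address 203.0.113.1 no-xauth
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set TS
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 ip nhrp authentication <nhrpkey>
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
ip route 192.168.1.0 255.255.255.0 10.255.0.1
```

The spoke always initiates (it registers with the hub as soon as Tunnel0 comes up), which is exactly the behaviour the question asks for; `show ip nhrp` on the hub shows the public address the spoke registered from, and `show crypto isakmp sa` confirms the IKE SA behind it. The wildcard key on the hub is the price of not knowing the spoke's address: treat <sharedkey> as a credential that any device in that ISP range could present, and prefer certificates if the platform can do them.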


Martin 11-26-2006 10:44 PM

Re: Setting up Site to Site VPN with Dynamic IP at 1 end...
 

"Lawrence D'Oliveiro" <ldo@geek-central.gen.new_zealand> wrote in message
news:ekbrdq$qo2$2@lust.ihug.co.nz...
> In message <ekblml$gsc$1@lust.ihug.co.nz>, Martin wrote:
>
>> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
>> that the 837 doesn't need to have an IP specified?

>
> What happens if you don't specify an IP address?


It won't accept the command - I'm going to look into the post from Bod43
about Dynamic Multipoint VPN. cheers



Lawrence D'Oliveiro 11-26-2006 11:24 PM

Re: Setting up Site to Site VPN with Dynamic IP at 1 end...
 
In message <ekd5bi$6ha$1@lust.ihug.co.nz>, Martin wrote:

> "Lawrence D'Oliveiro" <ldo@geek-central.gen.new_zealand> wrote in message
> news:ekbrdq$qo2$2@lust.ihug.co.nz...
>> In message <ekblml$gsc$1@lust.ihug.co.nz>, Martin wrote:
>>
>>> Is there a way to make the 857 (dynamic ip) always initiate the tunnel
>>> so that the 837 doesn't need to have an IP specified?

>>
>> What happens if you don't specify an IP address?

>
> It won't accept the command - I'm going to look into the post from Bod43
> about Dynamic Multipoint VPN.


Another idea might be to forego the Cisco approach and try something more
flexible <http://openvpn.net/>.

Martin Turba 11-27-2006 03:26 PM

Re: Setting up Site to Site VPN with Dynamic IP at 1 end...
 
Hi,

Martin wrote:
> !
> crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
> !
> crypto map cm-cryptomap 110 ipsec-isakmp
> set peer 210.xxx.xxx.xxx


What version of IOS are you running? Maybe you can just specify a
dynamic DNS Name, e.g.:

crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
!
crypto map cm-cryptomap 110 ipsec-isakmp
set peer yourpeer.dyndns.org dynamic

> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
> that the 837 doesn't need to have an IP specified?


Would not be necessary in this scenario. Real-Time Resolution for IPSec
Tunnel Peer is available since 12.3(4)T.

See this Link for further information:

http://www.cisco.com/en/US/products/...html#wp1049712


Martin
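
The two lines from the question, filled out into a complete crypto map on both routers using the dynamic-hostname resolution this reply points at, as an added example (not the reply author's configuration and not Cisco's documentation example). Everything beyond the original two lines is assumed: the transform set, the crypto ACL, the LAN ranges (192.168.1.0/24 behind the 837, 192.168.2.0/24 behind the 857), the 837's address 203.0.113.1, the resolver 192.0.2.53 and the yourpeer.dyndns.org name.

```cisco
! ==== 837 (static public IP, assumed 203.0.113.1) ====
! Real-time peer resolution needs a working resolver on the router itself.
ip domain lookup
ip name-server 192.0.2.53
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! The 857's address changes, so the key cannot be bound to one address: a
! wildcard entry matches any peer. Any host with <sharedkey> can then start
! IKE, so keep the key strong and restrict ISAKMP/ESP sources on Dialer0.
crypto isakmp key <sharedkey> address 0.0.0.0 0.0.0.0 no-xauth
! DPD: tear down an SA to a peer that has gone away, so the next initiation
! resolves the name again instead of reusing a stale SA.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Interesting traffic: 837 LAN <-> 857 LAN
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map cm-cryptomap 110 ipsec-isakmp
 ! "dynamic": resolve the name each time the tunnel is brought up rather than
 ! once when the command is entered. Without it the first lookup is frozen in.
 set peer yourpeer.dyndns.org dynamic
 set transform-set TS
 match address 110
!
interface Dialer0
 crypto map cm-cryptomap
!
! ==== 857 (dynamic public IP) ====
! Its peer is fixed, so the plain address form from the question is fine here.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <sharedkey> address 203.0.113.1 no-xauth
crypto isakmp keepalive 10 3
crypto ipsec transform-set TS esp-aes esp-sha-hmac
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map cm-cryptomap 110 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 110
interface Dialer0
 crypto map cm-cryptomap
```

Two practical caveats: the 857 must keep its DynDNS record current, because between an address change and the record update the 837's own initiations go to the old address and only traffic started from the 857 side will bring the tunnel up; and the 837 will trust whatever that DNS name resolves to, so a poisoned or hijacked record makes it negotiate with the wrong host (the pre-shared key still has to match, which is why the key must not be guessable). `show crypto isakmp sa` and `show crypto map` on the 837 show the address the name resolved to and whether the SA came up.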

