Setting up Site to Site VPN with Dynamic IP at 1 end...

 
 
Martin
 
      11-26-2006
Hi,

I've got a Cisco 837 and a Cisco 857 that I want to set up a site to site
VPN between - normally this wouldn't be too much trouble but the 857 end of the
tunnel only has a dynamic public IP address.

Here are the 2 lines that I use in the config on the 837 (the one that does
have a static)-
!
crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
!
crypto map cm-cryptomap 110 ipsec-isakmp
set peer 210.xxx.xxx.xxx

Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
that the 837 doesn't need to have an IP specified?

Any help or comments appreciated

cheers

martin


 
 
 
 
 
Lawrence D'Oliveiro
 
      11-26-2006
In message <ekblml$gsc$(E-Mail Removed)>, Martin wrote:

> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
> that the 837 doesn't need to have an IP specified?


What happens if you don't specify an IP address?
 
 
 
 
 
Bod43@hotmail.co.uk
 
      11-26-2006

Lawrence D'Oliveiro wrote:
> In message <ekblml$gsc$(E-Mail Removed)>, Martin wrote:
>
> > Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
> > that the 837 doesn't need to have an IP specified?

>
> What happens if you don't specify an IP address?


I believe that you can use DMVPN for this.
Dynamic Multipoint VPN.

I have no idea if the 837 can be used in the central site.
7200 can!! Also check that the 857 can be a DMVPN client.
857 can't use Advanced IP Services software.

There is I believe a security issue that you should bear in mind.

The router becomes the key to your network. Anyone
with the router can plug it in to the Internet and get the VPN up.
You should consider protecting the router config by disabling
password recovery. You can still recover the router but
only with a blank config.

You could obviously use ACLs on the central site to
restrict the range of source addresses and if it became known
that the router was missing you could I am sure disable it
on the central site.

There are config examples on www.cisco. The feature is designed
to have minimum configuration requirements on the remote routers.
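
The two protections described in the post above, written out as IOS configuration. This is an added example, not part of the original thread. The ACL name, the interface name `Dialer0`, the source range 198.51.100.0/24 (standing in for the ISP range the 857 gets its address from) and 203.0.113.1 (standing in for the 837's static public address) are all placeholders.

```cisco
! ---------- Remote router (857, dynamic IP) ----------
! Block ROMMON password recovery so the stored config, including the
! pre-shared key, cannot be read off a stolen router. The router can
! still be reset, but only to a blank config. Availability depends on
! the platform and ROMMON version.
no service password-recovery
!
! ---------- Central router (837, static IP) ----------
! Accept IKE and IPsec only from the address range the remote router
! is expected to connect from; log everything else that tries.
ip access-list extended OUTSIDE-IN
 remark IKE, NAT-T and ESP from the expected remote range only
 permit udp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq isakmp
 permit udp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq non500-isakmp
 permit esp 198.51.100.0 0.0.0.255 host 203.0.113.1
 remark VPN attempts from anywhere else are dropped and logged
 deny   udp any host 203.0.113.1 eq isakmp log
 deny   udp any host 203.0.113.1 eq non500-isakmp log
 deny   esp any host 203.0.113.1 log
 remark Add the rest of the inbound policy here; an ACL ends in an
 remark implicit deny, so anything not permitted above is dropped.
 remark Some older IOS releases also check decrypted tunnel traffic
 remark against this ACL; if so, permit the remote LAN subnet too.
!
interface Dialer0
 ip access-group OUTSIDE-IN in
```

The source-range filter narrows who can attempt IKE at all, but a stolen router plugged in behind the same ISP would still pass it, which is why the post pairs it with disabling password recovery and revoking the peer at the central site.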

 
 
Martin
 
      11-26-2006

"Lawrence D'Oliveiro" <(E-Mail Removed)_zealand> wrote in message
news:ekbrdq$qo2$(E-Mail Removed)...
> In message <ekblml$gsc$(E-Mail Removed)>, Martin wrote:
>
>> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
>> that the 837 doesn't need to have an IP specified?

>
> What happens if you don't specify an IP address?


It won't accept the command - I'm going to look into the post from Bod43
about Dynamic Multipoint VPN. cheers


 
 
Lawrence D'Oliveiro
 
      11-26-2006
In message <ekd5bi$6ha$(E-Mail Removed)>, Martin wrote:

> "Lawrence D'Oliveiro" <(E-Mail Removed)_zealand> wrote in message
> news:ekbrdq$qo2$(E-Mail Removed)...
>> In message <ekblml$gsc$(E-Mail Removed)>, Martin wrote:
>>
>>> Is there a way to make the 857 (dynamic ip) always initiate the tunnel
>>> so that the 837 doesn't need to have an IP specified?

>>
>> What happens if you don't specify an IP address?

>
> It won't accept the command - I'm going to look into the post from Bod43
> about Dynamic Multipoint VPN.


Another idea might be to forego the Cisco approach and try something more
flexible <http://openvpn.net/>.
 
 
Martin Turba
 
      11-27-2006
Hi,

Martin wrote:
> !
> crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
> !
> crypto map cm-cryptomap 110 ipsec-isakmp
> set peer 210.xxx.xxx.xxx


What version of IOS are you running? Maybe you can just specify a
dynamic DNS Name, e.g.:

crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
!
crypto map cm-cryptomap 110 ipsec-isakmp
set peer yourpeer.dyndns.org dynamic

> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
> that the 837 doesn't need to have an IP specified?


Would not be necessary in this scenario. Real-Time Resolution for IPSec
Tunnel Peer is available since 12.3(4)T.

See this Link for further information:

http://www.cisco.com/en/US/products/...html#wp1049712


Martin
 