«

Hi,

I've got a Cisco 837 and a Cisco 857 that I want to setup a site to site
vpn - normally this wouldn't be too much trouble but the 857 end of the
tunnel only has a dynamic public IP address.

Here are the 2 lines that I use in the config on the 837 (the one that does
have a static)-
!
crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
!
crypto map cm-cryptomap 110 ipsec-isakmp
set peer 210.xxx.xxx.xxx

Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
that the 837 doesn't need to have an IP specified?

Any help or comments appreciated

cheers

martin

In message <ekblml$gsc$>, Martin wrote:

> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
> that the 837 doesn't need to have an IP specified?

What happens if you don't specify an IP address?

Lawrence D'Oliveiro wrote:
> In message <ekblml$gsc$>, Martin wrote:
>
> > Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
> > that the 837 doesn't need to have an IP specified?
>
> What happens if you don't specify an IP address?

I believe that you can use DMVPN for this.
Dynamic Multipoint VPN.

I have no idea if the 837 can be used in the central site
7200 can!! Also check that the 857 can be a DMVPN client.
857 can't use Advanced IP Services software.

There is I believe a security issue that you should bear in mind.

The router becomes the key to your network. Anyone
with the router can plug it in to the Internet and get the VPN up.
You should consider protecting the router config by disabling
password recovery. You can still recover the router but
only with a blank config.

You could obviously use ACLs on the central site to
restrict the range of source addresses and if it became known
that the router was missing you could I am sure disable it
on the central site.

There are config examples on www.cisco. The feature is designed
to have mimumun configuration requirements on the remote routers.

"Lawrence D'Oliveiro" <_zealand> wrote in message
news:ekbrdq$qo2$...
> In message <ekblml$gsc$>, Martin wrote:
>
>> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
>> that the 837 doesn't need to have an IP specified?
>
> What happens if you don't specify an IP address?

It won't accept the command - I'm gong to look into the post from Bod43
about Dynamic Multipoint VPN. cheers

In message <ekd5bi$6ha$>, Martin wrote:

> "Lawrence D'Oliveiro" <_zealand> wrote in message
> news:ekbrdq$qo2$...
>> In message <ekblml$gsc$>, Martin wrote:
>>
>>> Is there a way to make the 857 (dynamic ip) always initiate the tunnel
>>> so that the 837 doesn't need to have an IP specified?
>>
>> What happens if you don't specify an IP address?
>
> It won't accept the command - I'm gong to look into the post from Bod43
> about Dynamic Multipoint VPN.

Another idea might be to forego the Cisco approach and try something more
flexible <http://openvpn.net/>.

Hi,

Martin wrote:
> !
> crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
> !
> crypto map cm-cryptomap 110 ipsec-isakmp
> set peer 210.xxx.xxx.xxx

What version of IOS are you running. Maybe you can just specify a
dynamic DNS Name, e.g.:

crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
!
crypto map cm-cryptomap 110 ipsec-isakmp
set peer yourpeer.dyndns.org dynamic

> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
> that the 837 doesn't need to have an IP specified?

Would not be neccessary in this scenario. Real-Time Resolution for IPSec
Tunnel Peer is available since 12.3(4)T.

See this Link for further information:

http://www.cisco.com/en/US/products/...html#wp1049712


Martin