Setting up Site to Site VPN with Dynamic IP at 1 end...

Discussion in 'Cisco' started by Martin, Nov 26, 2006.

  1. Martin

    Martin Guest

    Hi,

    I've got a Cisco 837 and a Cisco 857 that I want to setup a site to site
    vpn - normally this wouldn't be too much trouble but the 857 end of the
    tunnel only has a dynamic public IP address.

    Here are the 2 lines that I use in the config on the 837 (the one that does
    have a static)-
    !
    crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
    !
    crypto map cm-cryptomap 110 ipsec-isakmp
    set peer 210.xxx.xxx.xxx

    Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
    that the 837 doesn't need to have an IP specified?

    Any help or comments appreciated

    cheers

    martin
     
    Martin, Nov 26, 2006
    #1

  2. In message <ekblml$gsc$>, Martin wrote:

    > Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
    > that the 837 doesn't need to have an IP specified?


    What happens if you don't specify an IP address?
     
    Lawrence D'Oliveiro, Nov 26, 2006
    #2

  3. Martin

    Guest

    Lawrence D'Oliveiro wrote:
    > In message <ekblml$gsc$>, Martin wrote:
    >
    > > Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
    > > that the 837 doesn't need to have an IP specified?

    >
    > What happens if you don't specify an IP address?


    I believe that you can use DMVPN for this.
    Dynamic Multipoint VPN.

    I have no idea if the 837 can be used in the central site;
    the 7200 can!! Also check that the 857 can be a DMVPN client.
    The 857 can't use Advanced IP Services software.

    There is I believe a security issue that you should bear in mind.

    The router becomes the key to your network. Anyone
    with the router can plug it in to the Internet and get the VPN up.
    You should consider protecting the router config by disabling
    password recovery. You can still recover the router but
    only with a blank config.

    You could obviously use ACLs on the central site to
    restrict the range of source addresses, and if it became known
    that the router was missing you could, I am sure, disable it
    on the central site.

    There are config examples on www.cisco. The feature is designed
    to have minimum configuration requirements on the remote routers.
     
    , Nov 26, 2006
    #3
  4. Martin

    Martin Guest

    "Lawrence D'Oliveiro" <_zealand> wrote in message
    news:ekbrdq$qo2$...
    > In message <ekblml$gsc$>, Martin wrote:
    >
    >> Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
    >> that the 837 doesn't need to have an IP specified?

    >
    > What happens if you don't specify an IP address?


    It won't accept the command - I'm going to look into the post from Bod43
    about Dynamic Multipoint VPN. cheers
     
    Martin, Nov 26, 2006
    #4
  5. In message <ekd5bi$6ha$>, Martin wrote:

    > "Lawrence D'Oliveiro" <_zealand> wrote in message
    > news:ekbrdq$qo2$...
    >> In message <ekblml$gsc$>, Martin wrote:
    >>
    >>> Is there a way to make the 857 (dynamic ip) always initiate the tunnel
    >>> so that the 837 doesn't need to have an IP specified?

    >>
    >> What happens if you don't specify an IP address?

    >
    > It won't accept the command - I'm going to look into the post from Bod43
    > about Dynamic Multipoint VPN.


    Another idea might be to forego the Cisco approach and try something more
    flexible <http://openvpn.net/>.
     
    Lawrence D'Oliveiro, Nov 26, 2006
    #5
  6. Martin

    Martin Turba Guest

    Hi,

    Martin wrote:
    > !
    > crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
    > !
    > crypto map cm-cryptomap 110 ipsec-isakmp
    > set peer 210.xxx.xxx.xxx


    What version of IOS are you running? Maybe you can just specify a
    dynamic DNS name, e.g.:

    crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
    !
    crypto map cm-cryptomap 110 ipsec-isakmp
    set peer yourpeer.dyndns.org dynamic

    > Is there a way to make the 857 (dynamic ip) always initiate the tunnel so
    > that the 837 doesn't need to have an IP specified?


    Would not be necessary in this scenario. Real-Time Resolution for IPSec
    Tunnel Peer is available since 12.3(4)T.

    See this link for further information:

    http://www.cisco.com/en/US/products..._guide_chapter09186a0080455b05.html#wp1049712


    Martin
     
    Martin Turba, Nov 27, 2006
    #6
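An added example, not from any post in the thread, of the conventional IOS answer to Martin's original question (and the alternative to the `set peer ... dynamic` resolution above): a dynamic crypto map on the 837 so it needs no peer address at all, the 857 initiating with its ordinary static map, plus the source-range ACL Bod43 suggests. The 203.0.113.0/24 ISP range, the LAN prefixes, Dialer0 and the map/ACL names are assumed placeholders.

```cisco
! ---- 837 hub (static public IP): no "set peer" is needed ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Wildcard pre-shared key: any peer that knows <sharedkey> can complete
! IKE phase 1 from any address, so use a long random key and limit who
! can reach IKE with the interface ACL below (certificates avoid this).
crypto isakmp key <sharedkey> address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
! Dynamic map: the 857 must initiate; the hub learns the peer address
! from the incoming IKE exchange instead of from a "set peer" line.
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS-AES
!
crypto map cm-cryptomap 110 ipsec-isakmp dynamic DYN-SPOKES
!
! Only the 857's ISP range (203.0.113.0/24 is a placeholder) may send IKE
! (UDP 500), NAT-T (UDP 4500) or ESP to the hub; the implicit deny drops
! everything else, so pair this with ip inspect or further permits for
! return traffic of sessions the hub LAN opens itself.
ip access-list extended OUTSIDE-IN
 permit udp 203.0.113.0 0.0.0.255 any eq isakmp
 permit udp 203.0.113.0 0.0.0.255 any eq non500-isakmp
 permit esp 203.0.113.0 0.0.0.255 any
!
interface Dialer0
 ip access-group OUTSIDE-IN in
 crypto map cm-cryptomap
!
! ---- 857 spoke (dynamic IP): ordinary static map towards the hub ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <sharedkey> address 210.xxx.xxx.xxx no-xauth
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
! Interesting traffic (assumed LANs): 192.168.2.0/24 behind the 857,
! 192.168.1.0/24 behind the 837; a matching packet brings the tunnel up.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map cm-cryptomap 10 ipsec-isakmp
 set peer 210.xxx.xxx.xxx
 set transform-set TS-AES
 match address VPN-TRAFFIC
interface Dialer0
 crypto map cm-cryptomap
```

Because only the spoke can initiate, hub-side traffic for 192.168.2.0/24 will be dropped until the 857 has brought the tunnel up; `show crypto isakmp sa` on the 837 shows the address the spoke arrived from.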
