VPN between peers with dynamic IP address and dynamic DNS

Discussion in 'Cisco' started by Diego Balgera, Feb 4, 2008.

  1. Hi,

    I have 2 Cisco 8xx routers, both with an ethernet (internal) and ADSL
    (external) interfaces. The IP address given to the ADSL interface is
    dynamic, negotiated via PPP to a dialer interface, a configuration from a
    typical ISP.
    Both external dynamic IP addresses are known with a fully qualified domain
    name via dynamic DNS that I set up already.

    Now I would like to set up a VPN between these 2 routers to connect the 2
    internal networks together: I set up the VPN using their IP addresses
    (crypto policy, crypto transform-set, crypto map) and it works like a charm
    until I reboot the router and the IP address changes. I need to solve
    this using the dynamic DNS names instead, but all my attempts to set up the
    configuration using the dynamic DNS names failed so far ... :-(

    Can you please suggest a configuration sample or a document showing how to
    configure the VPN using the dynamic DNS names as VPN peers?

    Thank you in advance!
    Best regards.
    Diego.
     
    Diego Balgera, Feb 4, 2008
    #1

  2. Diego Balgera

    Merv Guest


    I would be very surprised if that capability exists

    Suggest you open a case with the Cisco TAC
     
    Merv, Feb 4, 2008
    #2

  3. Hi Diego,

    Well, that's about the same challenge I face. If you have found a solution or
    even if TAC tells you that it won't work I would really appreciate it to
    read about your experiences.

    Thanks...Andy
     
    Andreas Heinzelmann, Feb 5, 2008
    #3
  4. Diego Balgera

    Merv Guest

    this manufacturer claims to be able to support dynamic-to-dynamic DNS
    IPSEC tunnels


    http://www.multitech.com/DOCUMENTS/Collateral/data_sheets/498.asp


    Fully Qualified Domain Name (FQDN) Feature The SOHO RouteFinder's FQDN
    feature allows you to utilize a static name in the IPSec VPN setup,
    like "branchoffice.dyndns.org", instead of a dynamic IP address, to
    create static-to-dynamic or dynamic-to-dynamic VPN IPSec tunnels.
     
    Merv, Feb 5, 2008
    #4
  5. You'd need to work some magic using kron/EEM/Tcl or similar.

    For example, have a kron job fire every n minutes. Check to see if
    the DNS name of interest matches the peer's actual address. If not,
    reconfigure things.

    Aaron

    ----

    ~ >> Can you please suggest a configuration sample or a document showing how
    ~ >> to configure the VPN using the dynamic DNS names as VPN peers?
    ~ Hi Diego,
    ~
    ~ Well, that's about the same challenge I face. If you have found a solution or
    ~ even if TAC tells you that it won't work I would really appreciate it to
    ~ read about your experiences.
    ~
    ~ Thanks...Andy
    ~
     
    Aaron Leonard, Feb 5, 2008
    #5
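
    The check-and-reconfigure loop suggested in post #5, as an added example that is not part of the original thread. It is an off-box Python sketch rather than on-router kron/EEM/Tcl. It assumes a static crypto map with one `set peer` line and an unencrypted `crypto isakmp key ... address` line; the map name, key, addresses and function names are constructed placeholders.

```python
import ipaddress
import re
import socket

# Constructed running-config excerpt (names, key and addresses are placeholders).
SAMPLE_CONFIG = """\
crypto isakmp key EXAMPLE-PSK address 198.51.100.10
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TSET
 match address 110
"""
# Ranges a DDNS answer for an Internet-facing peer should never fall in.
REJECT = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def resolve_peer(fqdn, resolver=socket.gethostbyname):
    """Resolve the peer's DDNS name; refuse answers that cannot be a public IPv4 peer."""
    addr = ipaddress.ip_address(resolver(fqdn))
    if addr.version != 4 or any(addr in net for net in REJECT):
        raise ValueError(f"{fqdn} resolved to unusable address {addr}")
    return str(addr)

def current_peer(config, map_name, seq):
    """Return the address on the 'set peer' line of one crypto map entry, or None."""
    header, in_entry = f"crypto map {map_name} {seq} ipsec-isakmp", False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_entry = line.strip() == header
        elif in_entry and (m := re.fullmatch(r"\s+set peer (\S+)", line)):
            return m.group(1)
    return None

def update_commands(config, map_name, seq, new_ip):
    """Config-mode lines that repoint the tunnel at new_ip; [] when nothing changed."""
    old_ip = current_peer(config, map_name, seq)
    if old_ip == new_ip:
        return []
    cmds = []
    if old_ip:
        # Move the pre-shared key, which is bound to the peer address as well.
        key = re.search(rf"^crypto isakmp key (\S+) address {re.escape(old_ip)}$", config, re.M)
        if key:
            cmds += [f"no crypto isakmp key {key.group(1)} address {old_ip}",
                     f"crypto isakmp key {key.group(1)} address {new_ip}"]
    cmds.append(f"crypto map {map_name} {seq} ipsec-isakmp")
    if old_ip:
        cmds.append(f" no set peer {old_ip}")
    return cmds + [f" set peer {new_ip}"]
```

    Run on a schedule, `update_commands(config, "VPNMAP", 10, resolve_peer(fqdn))` returns an empty list while the DNS name still matches the configured peer, so the router is only touched when the address has actually changed.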
  6. Diego Balgera

    Johann Lo Guest

    Sorry this is not a direct answer, but you do know that there is an outage
    window associated with DDNS when your IP refreshes (because the DDNS
    service has to reregister the new IP, then this info has to propagate
    perhaps)

    hence if you need VPN it's worth the extra few bucks for static IP

    sorry can't help directly, I've never seen a VPN config using FQDNs instead
    of IPs
     
    Johann Lo, Feb 8, 2008
    #6