We're looking at running a VPN from our main site (leased line and
static IP) to a remote site.
We have a couple of options for the remote site:
VPN over ADSL (dynamic or static IP)
VPN over cable modem (dynamic IP)
Reading the manuals, I can see what to do in the case of a static IP
address. Am I just being dumb or is it not possible to use a dynamic
IP address with a VPN?
We're looking to use a 3600 router at the main site and would like to
use an 800 at the remote site. Later on we would hope to have multiple
remote sites.
Advice and pointers gratefully received.
TIA,
Guy
-- --------------------------------------------------------------------
Guy Dawson I.T. Manager Crossflight Ltd
g...@crossflight.co.uk 07973 797819 01753 776104
Of course this is possible. This example may not fit 100%, but generally
speaking...
http://www.cisco.com/warp/customer/707/ios_804.html
Config-example for IP Sec (including dyn. Crypto Maps):
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdipsec.htm#xtocid1190728
Christian
--
_____________________________________________________________
Newsgroups: search, read, write with http://netnews.web.de
Dave Phelps
Phone Masters Ltd.
tippe...@nospam.com
nospam=bigfoot
Dave Phelps wrote:
>
> You only need a static at the host site. The remotes can be dynamic.
As far as I can see the dynamic address is allocated as part of the
dial in process. This I can understand.
What I still don't grok is how to configure a router for a dynamically
allocated address on the ethernet port when there is no dial in.
The cable modem has a single ethernet port to which the router will
be connected. The cable modem serves up the IP address to the router
using DHCP.
>
>
>Dave Phelps wrote:
>>
>> You only need a static at the host site. The remotes can be dynamic.
>
>As far as I can see the dynamic address is allocated as part of the
>dial in process. This I can understand.
>
>What I still don't grok is how to configure a router for a dynamically
>allocated address on the ethernet port when there is no dial in.
>
>The cable modem has a single ethernet port to which the router will
>be connected. The cable modem serves up the IP address to the router
>using DHCP.
router(config-if)#ip address dhcp
Is this your host site? Even if your router is config'd for DHCP, the DHCP server can always give
you the same IP if that is what you are trying to get from your ISP.
Dave Phelps wrote:
> router(config-if)#ip address dhcp
Doh! I feel like a total <insert non-PC term for person with learning
difficulties> here. Many thanks.
> Is this your host site?
No, the main site has a leased line and fixed IP.
> Even if your router is config'd for DHCP, the DHCP server can always
> give you the same IP if that is what you are trying to get from your ISP.
In the case of a cable modem, the CM gets an IP address from the cable
company by some means and, acting as a DHCP server, passes it on to
whatever is on the ethernet port. This would normally be a PC but I
want to put a VPN box on.
Regards,
[snip]
>> Even if your router is config'd for DHCP, the DHCP server can always
>> give you the same IP if that is what you are trying to get from your ISP.
>
>In the case of a cable modem, the CM gets an IP address from the cable
>company by some means and, acting as a DHCP server, passes it on to
>whatever is on the ethernet port. This would normally be a PC but I
>want to put a VPN box on.
That should work just fine. I don't think you are right about the cable modem's involvement in the IP
acquisition and DHCP server though. My understanding is that it is just a bridge from one network
medium (cable? whatever the data-link layer is called) to another (ethernet).
But if this thread's title is any clue, you can do vpn sessions with end
users who receive dynamic IP addresses.
According to the "Enhanced IP Services for Cisco Networks" book (great
book, BTW) here's an example:
crypto dynamic-map DYN-MAP-DHCP 20
 match address 101
 set transform-set TRANS-ESP TRANS-AH-ESP
!
crypto map MYMAP 500 ipsec-isakmp dynamic DYN-MAP-DHCP
!
int serial 1
 ip address 192.168.1.1 255.255.255.0
 crypto map MYMAP
Access-list 101 would specify the traffic that requires IPsec
protection. This method, according to the book, requires IKE. IKE
establishes dynamic IPsec SAs and validates the remote peer.
And according to the book, you may want to read up on "Tunnel Endpoint
Discovery" at CCO.
Not really sure if it helps or not, but there it is.....
--
"Somehow I imagined this experience would be more rewarding" Calvin
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
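To put the two pieces of this thread together (the dynamic crypto map on the static-IP hub, and `ip address dhcp` on the cable-modem side), here is a paired hub/spoke IOS configuration. It is an added example, not from the book or from anyone in the thread; the 10.1/10.2 LANs, the Ethernet0 interface name on the spoke, the `<PSK-PLACEHOLDER>` key and the 3DES/SHA transform are assumptions.

```cisco
! ---- HUB (main site, static IP 192.168.1.1 on Serial1, as in the book example) ----
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
! The spoke's address is unknown in advance, so the pre-shared key is bound to
! a wildcard peer. Every dynamic spoke therefore shares this one key; per-spoke
! keys need a different identity type (e.g. hostname-based), not address-based.
crypto isakmp key <PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TRANS-ESP esp-3des esp-sha-hmac
!
! Dynamic map: no "set peer" because the peer address is learned when IKE
! completes. Only the spoke can initiate; the hub has nobody to dial.
crypto dynamic-map DYN-MAP-DHCP 20
 match address 101
 set transform-set TRANS-ESP
!
! Dynamic entry gets the highest sequence number so static entries win first.
crypto map MYMAP 500 ipsec-isakmp dynamic DYN-MAP-DHCP
!
interface Serial1
 ip address 192.168.1.1 255.255.255.0
 crypto map MYMAP
!
! Hub LAN 10.1.0.0/16 to spoke LAN 10.2.0.0/16 (constructed addresses)
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

! ---- SPOKE (remote site behind the cable modem, dynamic IP) ----
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
! The hub's address IS known, so the key is bound to it, not to a wildcard.
crypto isakmp key <PSK-PLACEHOLDER> address 192.168.1.1
!
crypto ipsec transform-set TRANS-ESP esp-3des esp-sha-hmac
!
crypto map TO-HUB 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TRANS-ESP
 match address 101
!
interface Ethernet0
 ip address dhcp
 crypto map TO-HUB
!
! Mirror image of the hub's ACL: spoke LAN to hub LAN
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
```

Because the hub's dynamic map has no `set peer`, a tunnel only comes up when the spoke sends traffic matching its ACL; verify with `show crypto isakmp sa` and `show crypto ipsec sa` on the hub after the spoke's DHCP lease is up.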
Hansang Bae wrote:
> According to the "Enhanced IP Services for Cisco Networks" book (great
> book, BTW) here's an example:
Thanks for the recommendation. I've just ordered a copy...