Dynamic to Dynamic IPsec Tunnel Configuration Example

Nichel Jhon 2021-06-20


This document describes how to build a LAN-to-LAN IPsec tunnel between Cisco routers when both ends have dynamic IP addresses but the Dynamic Domain Name System (DDNS) is configured.



Cisco recommends that you have knowledge of these topics:

Tip: Refer to the Configuring VPN section of the Cisco 3900 Series, 2900 Series, and 1900 Series Software Configuration Guide and the Configuring a Virtual Tunnel Interface with IP Security article for more information.

Components Used

The information in this document is based on a Cisco 2911 Integrated Services Router that runs Version 15.2(4)M6a.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

When a LAN-to-LAN tunnel needs to be established, the IP address of both IPSec peers must be known. If one of the IP addresses is not known because it is dynamic, such as one obtained via DHCP, then an alternative is to use a dynamic crypto map. This works, but the tunnel can only be brought up by the peer that has the dynamic IP address since the other peer does not know where to find its peer.

For more information about dynamic to static, refer to Configuring Router-to-Router Dynamic-to-Static IPSec with NAT.


Real-Time Resolution for IPsec Tunnel Peer

Cisco IOS® introduced a new feature in Version 12.3(4)T that allows the Fully Qualified Domain Name (FQDN) of the IPSec peer to be specified. When there is traffic that matches a crypto access list, Cicso IOS then resolves the FQDN and obtains the IP address of the peer. It then tries to bring up the tunnel.

Note: There is a limitation on this feature: DNS names resolution for remote IPsec peers will work only if they are used as an initiator. The first packet that is to be encrypted will trigger a DNS lookup; after the DNS lookup is complete, subsequent packets will trigger Internet Key Exchange (IKE). Real-time resolution will not work on the responder.

In order to address the limitation and be able to initiate the tunnel from each site, you will have a dynamic crypto map entry on both routers so you can map incoming IKE connections to the dynamic crypto. This is necessary since the static entry with the Real-time resolution feature does not work when it acts as a responder. 

all articles in this link: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/118048-technote-ipsec-00.html

Popular Tags: 200-301

Related Post