
How do I set up a Pix to endpoint with changing IP address

Status
Not open for further replies.

cchipman

IS-IT--Management
Sep 16, 2002
125
US
I have a configuration issue I've not dealt with before. We are wanting to set up one of our new offices to use a tunnel to our Pix box at the main offices.

Her DSL account is one of those DHCP ones where the IP address will change every great once in a while. How do we set it up?

I've set up several tunnels between static end-points, but have no idea how to set one up for when an endpoint may change.

It would be ok to start the conversation from a Pix-to-Pix perspective, and I'll extract the principle from there.

I looked at the document "Cisco - Configuring a LAN-to-LAN IPSec Between a Router and a PIX Using Digital Certificates"

but I got a bit confused about the certificates. Do we have to pay the CA? or how does that work exactly?

I'm confused and could use some assistance.
 
There is an IPSec enhancement called Tunnel Endpoint Discovery (TED) which I've read about but not used.

According to the info I have (from Cisco secure VPN by Mason), the remote router initiates a connection, the central one identifies it and starts the IKE exchange.

The restrictions are:

IKE cannot start until the peer is identified,

It's only available on dynamic crypto maps.

Hope that points you in the right direction.
 
If you want to keep it simple you may want to use the link below as a guideline:


Regarding your CA question... you don't have to pay the CA, you could use the Windows CA server which is free. You have to set it up and administer it but it works fine. Certs can be quite cumbersome sometimes.
 
Cisco called me back after I called them, and said that if I set the target peer address to 0.0.0.0 it would work for any IP address that had the correct preshared key or certificate.
 
That's correct! And all the information on how to configure it is on the link provided earlier.
 
But then you can only have one such connection. If you need more than one of this type of connection, Easy VPN Server in network extension mode is your solution, preferably with NAT traversal enabled.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
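As an added example (not posted in this thread and not taken from Cisco's documentation), here is a minimal PIX 6.x configuration of the approach the last replies describe: a wildcard preshared key (peer address 0.0.0.0) bound to a dynamic crypto map, with NAT traversal enabled. The networks, the key, and the names NONAT, DYNMAP and OUTSIDE_MAP are constructed placeholders.

```cisco
! Phase 1: IKE policy and a wildcard preshared key (any peer address)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Placeholder key: any peer that knows it can bring the tunnel up,
! so it must be long and random, and rotated if a site is lost
isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 0.0.0.0 netmask 0.0.0.0
! Lets the remote end negotiate from behind its DSL NAT (PIX 6.3+)
isakmp nat-traversal 20

! Phase 2: dynamic crypto map, since the remote peer address is unknown
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set STRONG
! The dynamic entry takes the highest sequence number so static
! peer entries (added with lower numbers) are matched first
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
! Allow decrypted tunnel traffic through without a separate ACL
sysopt connection permit-ipsec

! Keep site-to-site traffic out of NAT (constructed 10.1.1.0 = HQ, 10.2.2.0 = branch)
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Because the remote side must initiate (the central PIX has no address to dial), verify with `show crypto isakmp sa` and `show crypto ipsec sa` after the branch sends traffic, and note that the wildcard key covers every peer in one entry, which is why a lost branch key means re-keying the lot.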
 