RE: cry isa key ccie2k9 address (DomainName) is possible

From: Ryan West <rwest_at_zyedge.com>
Date: Fri, 1 May 2009 10:53:47 -0400

It's been mentioned before, but you can have an "any" peer with a pre-shared key and a static peer to your hub from the remote firewall's perspective. The remote end will need to bring the tunnel up, though; re-keying should not be an issue. I suspect even phase 1 keys would renew properly, assuming that interesting traffic is still flowing. If you wanted to keep the tunnel up between IP changes, a scheduled ping check would probably be the way to go.

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of CCIE-STORM
Sent: Friday, May 01, 2009 10:43 AM
To: Farrukh Haroon
Cc: Cisco certification; security_at_groupstudy.com
Subject: Re: cry isa key ccie2k9 address (DomainName) is possible

not working as the DSL (router/modem - SpeedTouch) has a dynamic IP which keeps
on changing from the ISP side, and this DSL doesn't have provision to configure
IPsec. I went through these docs a long time ago but they were not helpful.

On Sat, Apr 11, 2009 at 11:48 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:

> Yes, you could create a 'dynamic' crypto map on the PIX, and hardcode
> the DSL end. However the VPN tunnel connection can only be initiated
> from hosts behind the DSL modem and not the PIX. Once the SA is
> formed, both sides can communicate as normal.
>
> Some examples:
>
>
> http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
>
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008051a69a.shtml
>
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml
>
> Regards
>
> Farrukh
>
> On Sat, Apr 11, 2009 at 9:28 AM, CCIE-STORM <ccie2sale_at_gmail.com> wrote:
> > Yes, of course the PIX has a fixed IP, and the DSL a dynamic IP...
> >
> > Is there any way to terminate vpn in this case
> >
> > On Thu, Apr 9, 2009 at 1:19 PM, Farrukh Haroon <farrukhharoon_at_gmail.com>
> > wrote:
> >>
> >> You cannot have a L2L VPN when both sides have dynamic IPs AFAIK.
> >>
> >> One side has to be static.
> >>
> >> On Thu, Apr 9, 2009 at 12:42 PM, CCIE-STORM <ccie2sale_at_gmail.com>
> wrote:
> >> > Thanks Ryan
> >> >
> >> > but my case is a bit different
> >> >
> >> > I have a PIX on one side with 6.3 code and the other end has DSL with
> >> > a dynamic IP which keeps on changing now and then from the ISP
> >> >
> >> > since the IP keeps on changing I thought of having a site-to-site VPN
> >> > between the PIX and the DSL modem
> >> > but no fixed IP ................any better way ....please
> >> >
> >> >
> >> > Waiting
> >> >
> >> > On Sat, Apr 4, 2009 at 4:16 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >> >
> >> >> From the command line it seems possible, but in practice it does not
> >> >> work. It's not hard to hijack the DNS. You may be better off with an
> >> >> "Easy VPN" solution using dynamic peers.
> >> >>
> >> >> -----Original Message-----
> >> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >> >> CCIE-STORM
> >> >> Sent: Saturday, April 04, 2009 9:11 AM
> >> >> To: Cisco certification
> >> >> Subject: cry isa key ccie2k9 address (DomainName) is possible
> >> >>
> >> >> Hi Folks
> >> >> Nice Question #
> >> >> Is it possible to use a domain name instead of an IP address? If I type
> >> >> this command it's rejected on 6.3(4) as well as 7.2(2). Any suggestions?
> >> >>
> >> >> cry isa key ccie2k9 address 1.1.1.1 (instead of the IP address, I want to
> >> >> use abc.com)
> >> >>
> >> >> Please share your answers ...........
> >> >>
> >> >> Regards
> >> >>
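The hub-side configuration the thread is describing (a dynamic crypto map plus a pre-shared key bound to any peer address on the PIX 6.3 side), written out as an added example; it is not configuration from the list posts or from Cisco's documents linked above. All addresses, ACL and map names are constructed for illustration, "ccie2k9" is the key string from the thread, and the "!" lines are explanatory annotations rather than PIX commands.

```cisco
! --- Hub PIX 6.3 with a static outside address. The DSL end has a dynamic
! --- address, so the hub never learns a peer IP in advance and must accept
! --- the first IKE proposal that presents the right key.

! Phase 1. The 0.0.0.0/0.0.0.0 wildcard is what lets a peer at any address
! authenticate, and it also means anyone who knows the key string can complete
! phase 1. Use a long random string in production; "ccie2k9" is a lab value.
isakmp enable outside
isakmp key ccie2k9 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2. A dynamic map has no "set peer"; the peer address is taken from
! whoever initiates, which is why only the DSL side can bring the tunnel up.
! The "match address" ACL limits which networks the dynamic peer may claim,
! so a holder of the key cannot negotiate an SA for arbitrary subnets.
access-list VPN-TRAFFIC permit ip 10.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 match address VPN-TRAFFIC
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA

! Dynamic entries take the highest sequence number so any static L2L peers
! configured on the same map are matched first.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP interface outside

! Keep LAN-to-LAN traffic out of NAT and let decrypted traffic bypass the
! outside interface ACL.
access-list NONAT permit ip 10.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
```

The remote end, if it were a device that can run IPsec at all (the thread notes the SpeedTouch cannot), would carry an ordinary static crypto map pointing at the hub's fixed address, and it has to originate the interesting traffic; the scheduled ping Ryan suggests is what keeps the SAs alive across ISP address changes. After the remote side initiates, `show crypto isakmp sa` and `show crypto ipsec sa` on the hub show the currently learned peer address, which is also the place to look when an SA is unexpectedly formed from an address that is not the DSL line.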

Blogs and organic groups at http://www.ccie.net
Received on Fri May 01 2009 - 10:53:47 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:41 ART