RE: Security queries !!!

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Wed, 7 Apr 2010 11:05:15 -0400

I have never seen an example of this on the internet so I am not sure if
there is an example out there.

 

You would need to do aggressive mode IPsec negotiation so you can support
using hostnames. Next you need to find a DDNS service.

This site claims to support dynamic DNS updates from IOS and gives you the
configuration.

http://www.no-ip.com/support/guides/routers/using_cisco_routers_with_no-ip.html

 

For the IPsec configuration (the configuration below would be repeated on
both sides, of course, mirroring the configuration on the opposite side). Not
sure what any of this would have to do with either CCIE exam though.

 

ip domain-name <your-dns-domain>
ip name-server <the dns server you will use>
!
crypto isakmp policy 10
 encryption aes
 hash sha
 group 5
!
crypto isakmp identity hostname
crypto isakmp key <password> hostname <remote-dns-name>
!
crypto isakmp peer hostname <remote-dns-name>
 set aggressive client-endpoint fqdn <local-dns-name>
 set aggressive password <password>
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto map SITE-2-SITE 10 ipsec-isakmp
 set peer <remote-dns-name>
 set transform-set AES-SHA
 match address <VPN_PROTECTED_NETWORKS>
!
ip access-list extended <VPN_PROTECTED_NETWORKS>
 permit ip <local-network-1> <mask> <remote-network-1> <mask>
 permit ip <local-network-2> <mask> <remote-network-2> <mask>
 permit ip <local-network-3> <mask> <remote-network-3> <mask>
 etc...

 

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
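The template above has to be produced twice, once per router, with every hostname, key and ACL entry swapped around; getting one side wrong is the usual reason a hostname-keyed aggressive-mode tunnel never comes up. The script below is an added example (not from the thread or from IPexpert): it renders both routers' configuration from the template, then parses the two outputs back and checks that they actually mirror each other. Site names, prefixes and the ACL naming scheme are constructed for the example, and the pre-shared key is generated with `secrets` because the key is the only thing authenticating the peers in a PSK aggressive-mode exchange, so it should be long and random rather than a word.

```python
"""Render the thread's two-sided IOS site-to-site template and verify
that the two generated configurations are mirror images of each other.

Added example; site data and the ACL naming convention are constructed.
"""
from dataclasses import dataclass
import ipaddress
import secrets


@dataclass
class Site:
    fqdn: str            # name this router keeps registered via DDNS
    networks: list       # local prefixes in CIDR form, e.g. "10.1.0.0/24"
    dns_domain: str = "example.net"   # constructed value
    name_server: str = "192.0.2.53"   # constructed value (TEST-NET-1)


def generate_psk(nbytes: int = 16) -> str:
    """Random pre-shared key; hex keeps it free of IOS-hostile characters."""
    return secrets.token_hex(nbytes)


def wildcard(prefix: str) -> tuple:
    """IOS ACLs take network + wildcard mask, not a prefix length."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.network_address), str(net.hostmask)


def acl_name(local: Site, remote: Site) -> str:
    # Constructed naming scheme: VPN-<local>-TO-<remote>
    return f"VPN-{local.fqdn.split('.')[0]}-TO-{remote.fqdn.split('.')[0]}".upper()


def render_site(local: Site, remote: Site, psk: str) -> str:
    """One router's configuration, following the template from the thread."""
    acl = acl_name(local, remote)
    lines = [
        f"ip domain-name {local.dns_domain}",
        f"ip name-server {local.name_server}",
        "!",
        "crypto isakmp policy 10",
        " encryption aes",
        " hash sha",
        " group 5",
        "!",
        "crypto isakmp identity hostname",
        f"crypto isakmp key {psk} hostname {remote.fqdn}",
        "!",
        f"crypto isakmp peer hostname {remote.fqdn}",
        f" set aggressive client-endpoint fqdn {local.fqdn}",
        f" set aggressive password {psk}",
        "!",
        "crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac",
        "!",
        "crypto map SITE-2-SITE 10 ipsec-isakmp",
        f" set peer {remote.fqdn}",
        " set transform-set AES-SHA",
        f" match address {acl}",
        "!",
        f"ip access-list extended {acl}",
    ]
    # One permit per local/remote prefix pair; the other side gets the reverse.
    for lp in local.networks:
        for rp in remote.networks:
            ln, lw = wildcard(lp)
            rn, rw = wildcard(rp)
            lines.append(f" permit ip {ln} {lw} {rn} {rw}")
    return "\n".join(lines) + "\n"


def parse_config(text: str) -> dict:
    """Pull back the fields that must agree between the two routers."""
    info = {"peer": None, "local": None, "psk": None, "permits": []}
    for raw in text.splitlines():
        t = raw.split()
        if t[:3] == ["crypto", "isakmp", "key"]:
            info["psk"], info["peer"] = t[3], t[5]
        elif t[:4] == ["set", "aggressive", "client-endpoint", "fqdn"]:
            info["local"] = t[4]
        elif t[:2] == ["permit", "ip"]:
            info["permits"].append(tuple(t[2:6]))
    return info


def check_mirror(cfg_a: str, cfg_b: str) -> list:
    """Return a list of mismatches; an empty list means the sides agree."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    problems = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("peer hostnames do not cross-reference")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in a["permits"]}
    if mirrored != set(b["permits"]):
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    site_a = Site("branch-a.example.net", ["10.1.0.0/24", "10.1.1.0/24"])
    site_b = Site("branch-b.example.net", ["10.2.0.0/24"])
    key = generate_psk()
    cfg_a, cfg_b = render_site(site_a, site_b, key), render_site(site_b, site_a, key)
    print(cfg_a, cfg_b, sep="!\n")
    print("mismatches:", check_mirror(cfg_a, cfg_b) or "none")
```

Both routers still need their DDNS names to resolve before ISAKMP can start, so the DNS records are the first thing to confirm when a tunnel stays down; the mirror check only catches configuration mistakes, not a stale DDNS entry.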

 

From: jockey wearer [mailto:jockeywearer_at_gmail.com]
Sent: Wednesday, April 07, 2010 10:46 AM
To: Tyson Scott
Cc: Group study
Subject: Re: Security queries !!!

 

Hi Tyson ,

 

Can you explain the second point to me in detail?

 

2) Can we do site-to-site VPN if both sites have dynamic IPs (by using DDNS)?

 

I checked on the internet, but I only found examples with one site dynamic and
one site static.

 

Thanks

Prashant

On Tue, Apr 6, 2010 at 11:47 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:

It is called dynamic because of the ability on the Hub to dynamically learn
neighbors based on inbound connections from spokes.

Yes, you can do site-to-site with DDNS. You cannot do DMVPN with two dynamic
IPs without having to change the spokes to the new NBMA address of the Hub in the
event of a change.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Jockey
Sent: Monday, April 05, 2010 10:30 PM
To: Group study
Subject: Security queries !!!

Hi experts,

1) Why is DMVPN called dynamic?
2) Can we do site-to-site VPN if both sites have dynamic IPs (by using
DDNS)?

Thanks

Blogs and organic groups at http://www.ccie.net
Received on Wed Apr 07 2010 - 11:05:15 ART

This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:56 ART