
| Subject: | Re: PIX 501 |
|---|---|
| Date: | Sat, 25 Jun 2005 16:40:53 -0500 |
Hi Dave,

you should not worry about this setup, I have seen it working in many networks without any problem. Things to keep in mind:

1. Only branch offices will be able to initiate the tunnel to the main office. Since the branch offices will have dynamic IP addresses, the main site won't know them, but the branch offices will know the static IP address of the main site, so that's why only those guys will be able to initiate the tunnel.
2. All dynamic tunnels will have the same password to connect to the main office.
3. If the tunnels go down for any reason (lifetimes, no traffic passing, etc.), then again, the branch offices will need to send traffic through to initiate the tunnel again. If there is always traffic being sent from the remote offices to the main site, then you should not worry about an interruption, the tunnel will come back up immediately.
4. To get more stable tunnels, it is also recommended to add keepalives to the configuration.
5. If you have Cisco VPN clients with extended authentication (X-AUTH) running on the main site, you will need to disable the X-AUTH to make the dynamic tunnels get a successful connection.

Further reference:

Configuring PIX to PIX Dynamic-to-Static IPSec with NAT and Cisco VPN Client
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

Hope this helps!

Aida Lumbreras

-----Original Message-----

Is anyone aware of any problems with setting up site-to-site VPNs with PIXes where the sites have dynamic IPs? The situation is that I have to link a bunch of branch offices to the main office, and all branch offices are on DSL or cable modems that have dynamic and do not have static IPs. Any problems or gotchas that anyone is aware of? One thing I am concerned about is, when the lease expires, will the VPN go down and come back up correctly? How is this handled?

Anyway, thanks in advance for any comments,

David Nardoni CISSP, EnCE
dnardoni@firstresponseconsulting.com
PGP Signature: 9CE4 C240 BBC7 2945 BDD6 C97A 0E3D 2547 DB0A 104C
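
The five points in the reply above, shown as a configuration sketch. This is an added example, not part of either message and not taken from the referenced Cisco document; it assumes PIX OS 6.x command syntax, and all names, subnets, the peer address 192.0.2.1 and the key placeholder are constructed for illustration.

```cisco
! ---- Main office PIX (static outside address, assumed 192.0.2.1) ----
! Constructed addressing: main LAN 10.1.0.0/24, branch LANs within 10.2.0.0/16
access-list NONAT permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
crypto ipsec transform-set BRANCH-TS esp-aes-256 esp-sha-hmac
! Point 1: a dynamic map has no "set peer", so the main site can only
! answer tunnels; it never initiates them.
crypto dynamic-map BRANCH-DYN 10 set transform-set BRANCH-TS
crypto map OUTSIDE-MAP 65000 ipsec-isakmp dynamic BRANCH-DYN
crypto map OUTSIDE-MAP interface outside
isakmp enable outside
isakmp identity address
! Point 2: wildcard peer, so every dynamic branch shares this one key.
! Point 5: no-xauth / no-config-mode exempt these peers from X-AUTH.
isakmp key <SHARED-KEY-PLACEHOLDER> address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
! Point 4: IKE keepalives (interval and retry, in seconds)
isakmp keepalive 10 3
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ---- Branch PIX 501 (dynamic outside address) ----
! Points 1 and 3: traffic matching TO-MAIN is what brings the tunnel up.
access-list TO-MAIN permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list TO-MAIN
sysopt connection permit-ipsec
crypto ipsec transform-set BRANCH-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address TO-MAIN
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
crypto map OUTSIDE-MAP 10 set transform-set BRANCH-TS
crypto map OUTSIDE-MAP interface outside
isakmp enable outside
isakmp identity address
isakmp key <SHARED-KEY-PLACEHOLDER> address 192.0.2.1 netmask 255.255.255.255
isakmp keepalive 10 3
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Because the wildcard key is shared by every branch, rotating it means updating the main site and all branch PIXes together.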