[vpn] Rebuilding Tunnels with Dynamic Clients

Pete Davis pete at ether.net
Sat Dec 22 06:51:36 EST 2001

Having static IP addresses always provides you with a higher level of security
since it gives you both an IP address and a pre-shared secret to use to create
your Security Association.  In the cases where you're not able to obtain a
static IP address, the device without a static address must always
initiate the connection to a static peer destination.

In your example, this may require you to route traffic back through your
515 at the main site to reach offices that have Dynamic Peer addresses since
the dynamic IP Address sites must initiate the session.

Best Regards,


On Fri, Dec 21, 2001 at 11:45:04AM -0500, Mark Riehl wrote:
> All - We're deploying a VPN using a Cisco 515 Pix at the main site and a
> Cisco 806 at approximately 15 remote sites.  A few of the remote sites use
> DSL and their IP addresses can be dynamically assigned.  The Pix has a
> static IP.
> If one of our 806 boxes changes IP, the 806 will reestablish VPN tunnels to
> all of the remote sites w/o any intervention.  What if two remote sites
> change IP address at the same time?  Each of the newly changed sites will be
> able to rebuild tunnels to all remote sites except each other (since they
> don't know the new IPs).

> What's the best way to handle this?  One of our requirements is to have a
> hands-off policy for the VPN equipment at the remote sites.  I know that our
> admin can change the config files in each affected 806, but we'd like to
> automate this.  Is there a way to do this, or, should we just push for
> static IPs at each of the remote sites?

> Mark Riehl
> Agile Communications, Inc.
> Email: mark.riehl at agilecommunications.com 

     Pete Davis - Product Manager <psd at cisco.com>  (508) 541-7300 x6154
         Cisco Systems, Inc.  - 38 Forge Park   Franklin, MA 02038
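As an added illustration of the point made in this thread (not code from either poster), here is a small Python model of which tunnels come back when two dynamically addressed spokes re-address at the same moment, with and without routing spoke-to-spoke traffic back through the static hub. Site names and addresses are constructed, and the model assumes a site can only initiate toward a peer whose current address it has configured while any site accepts an initiator.

```python
"""Model of IKE tunnel rebuild when dynamically addressed peers change IP.

Added example, not from the original thread.  Model assumption: a site can
initiate a negotiation only toward a peer whose *current* address is in its
configuration, while any site accepts a negotiation initiated toward it.
Addresses are constructed documentation-range values.
"""
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    address: str                                # current public address
    peers: dict = field(default_factory=dict)   # peer name -> address as configured

def configure_mesh(sites):
    """Every site gets a peer entry for every other site (full mesh, as deployed)."""
    for s in sites.values():
        s.peers = {p.name: p.address for p in sites.values() if p is not s}

def readdress(site, new_address):
    """Simulate a DSL re-lease: the site moves; nobody else's config is touched."""
    site.address = new_address

def can_build_sa(a, b):
    """An SA comes up if either side holds the other's current address and initiates."""
    return a.peers.get(b.name) == b.address or b.peers.get(a.name) == a.address

def reachable(sites, a, b, hub=None):
    """Direct SA, or two SAs routed back through the static hub when that is allowed."""
    if can_build_sa(sites[a], sites[b]):
        return True
    if hub and hub not in (a, b):
        return can_build_sa(sites[a], sites[hub]) and can_build_sa(sites[hub], sites[b])
    return False

def simulate(route_via_hub):
    """Two dynamic spokes (r1, r2) re-address at the same moment; pix and r3 are static."""
    sites = {s.name: s for s in (Site("pix", "198.51.100.1"), Site("r1", "203.0.113.10"),
                                  Site("r2", "203.0.113.20"), Site("r3", "192.0.2.30"))}
    configure_mesh(sites)
    readdress(sites["r1"], "203.0.113.11")   # both dynamic sites change at once
    readdress(sites["r2"], "203.0.113.21")
    hub = "pix" if route_via_hub else None
    return {pair: reachable(sites, *pair, hub=hub)
            for pair in (("r1", "pix"), ("r1", "r3"), ("r1", "r2"))}
```

Without hub routing, r1 rebuilds tunnels to every static peer but never to r2, since each holds the other's stale address; allowing traffic back through the PIX restores the r1-r2 path because both spokes can initiate to the static hub.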