Using the Internet egress line to build a VPN tunnel between headquarters and branch offices is currently a popular solution for many companies. In the past, establishing such a VPN required at least one end to have a static IP address. Today many companies access the Internet over ADSL, and asking China Telecom for a static address raises the fee considerably (for example, the monthly rent of an ADSL line of kb with a fixed IP address in Shenzhen is RMB 5000). Cisco IOS 12.3(4)T now adds a command for defining a VPN peer by its DNS name. Combined with a dynamic DNS service such as xiwang (3322.org) or 88ip, dynamic-address ADSL lines can be used at both ends of the VPN, saving a lot of money.
Key command:
set peer {host-name [dynamic] | ip-address}
Note:
host-name specifies the DNS host name of the IPSec peer, for example myhost.example.com.
dynamic (optional) means the peer host name is resolved to an IP address through the DNS server only when an IPSec tunnel needs to be established.
ip-address gives the IP address of the IPSec peer directly (the traditional configuration method).
In a real deployment, a dynamic DNS client program runs on a machine in the LAN and registers the host name nbo.3322.org with the service; the registered address is the router's Internet-facing interface address.
version 12.3
!
hostname vpn-2
!
username mize password 0 http://mize.netbuddy.org
no aaa new-model
ip subnet-zero
!
vpdn enable
vpdn-group pppoe
request-dialin
protocol pppoe
!
ip cef
ip name-server 202.96.134.20
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco hostname nbo.3322.org
!
crypto ipsec transform-set s2s esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer nbo.3322.org dynamic
set transform-set s2s
match address 110
!
interface FastEthernet0/0
no ip address
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
mtu 1492
encapsulation ppp
ip nat outside
dialer pool 1
ppp authentication pap callin
ppp pap sent-username xxx password xxx
crypto map mymap
!
interface FastEthernet0/1
ip address 172.30.1.1 255.255.255.0
ip nat inside
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 110 permit ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 deny ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 172.30.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 120
!
end
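The crypto ACL (110) and the NAT-exemption ACL (120) in this configuration have to agree: every flow the crypto map protects must hit a deny entry in the route-map ACL before any permit, otherwise it is translated before encryption and never matches the tunnel. The Python script below is an added example, not code from the original article: it parses the extended `ip` access-list entries shown above (assumed to be the only form present) and reports any VPN flow the NAT rule would still translate.

```python
import ipaddress

# Constructed sample: ACL 110 (crypto) and ACL 120 (NAT exemption) from the page.
SAMPLE_CONFIG = """
access-list 110 permit ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 deny ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 172.30.1.0 0.0.0.255 any
"""

# Constructed failure case: the deny is placed after the permit, so the
# first-match ACL translates VPN traffic before the crypto map sees it.
BROKEN_CONFIG = """
access-list 110 permit ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 172.30.1.0 0.0.0.255 any
access-list 120 deny ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
"""


def parse_endpoint(tokens):
    """Consume one ACL endpoint (any | host A | A wildcard) and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "255.255.255.255":  # full wildcard is 'any' spelled out
        return ipaddress.ip_network("0.0.0.0/0")
    # ipaddress accepts a Cisco wildcard (host mask) after the slash.
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[3] != "ip":
            continue  # only extended 'ip' entries are handled here
        number, action, rest = tokens[1], tokens[2], tokens[4:]
        acls.setdefault(number, []).append((action, parse_endpoint(rest), parse_endpoint(rest)))
    return acls


def first_match(acl, src, dst):
    """Cisco ACLs are first-match; a flow covered by no entry hits the implicit deny.
    Only whole-flow containment is checked; partial overlaps count as no match."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def nat_leaks(config, crypto_acl, nat_acl):
    """List crypto-interesting flows that the NAT route-map would still translate."""
    acls = parse_acls(config)
    return [f"{src} -> {dst}" for action, src, dst in acls.get(crypto_acl, [])
            if action == "permit" and first_match(acls.get(nat_acl, []), src, dst) == "permit"]
```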