Henry -

Absolutely right, the "dynamic" keyword for crypto maps solves the 
problem, but our Cisco SE and quite a few others at work are quite sure 
that we can't run IPSec on a 2500. I thought the 2500s could be used 
just to provide cleartext encapsulation (to keep the VPN appliances 
happy) .... the link you ref. specifies the 2500 platform and the IOS 
feature navigator _does_ show IPSec support on a 2500 (with the right 
image, of course). Guess I'll have to call our SE ... thanks for the tip!

Hey, if this works we can toss the IPSec appliances!

Jason

Henry D. wrote:

> If I get this correctly you can use dynamic-map feature
> as seen in the example here:
> 
> http://www.cisco.com/warp/customer/707/ios_804.html
> 
> "the-other-jason" wrote in message
> news:[EMAIL PROTECTED]...
> 
>>Help, I can't think of a way to do this ..... :-(
>>
>>We have two IPSec "appliances" at work that require known, routable
>>addresses on their "non-secure" ethernet interfaces.
>>
>>We want to create a kit engineers can take home for remote IPSec access
>>into the network from personal cable/dsl connections. Our typical home
>>networks have a cheapo router running NAT. The router is getting a real
>>"outside" address from a service provider via DHCP (point "C" in the
>>drawing). On the inside, we use private addressing (point "B").
>>
>>The problem is to configure an IPSec appliance with a real address but
>>connect it via the private address LAN at home. The obvious way to do
>>this is with a tunnel, so we've managed to scavenge a couple of old
>>2500s for this purpose...
>>
>>
>>IPSec               cheapo                                  IPSec
>>appliance -->2500-->router-->ISP-->Internet-->3660-->2500-->appliance
>>          A         B       C                             D
>>
>>Ideally, we want a tunnel from the left side of the left 2500 to either
>>the 3660 or the right 2500 .... so that we can give the left IPSec
>>appliance some of our address space.  With GRE, however, you have to
>>specify the endpoint addresses in advance, and of course we don't know
>>what address the ISP will give one via DHCP ....
>>
>>After some reading, I _think_ PPPoE, L2F, PPTP, and L2TP won't help us
>>much
>>
>>Does anyone have any ideas?
>>
>>Jason




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=32066&t=32057
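
The dynamic crypto map arrangement discussed in this thread, sketched as an added example (not taken from the posts or from the linked Cisco document). All names, interface choices, subnets and the documentation-range addresses are assumptions, the key is a placeholder, and it is assumed that the home NAT router passes IKE and ESP for the remote 2500.

```cisco
! ----- Hub (the 3660); 203.0.113.1 is a constructed fixed outside address -----
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Wildcard peer: the key is accepted from any source address, so the key
! alone authenticates every remote kit. Placeholder value shown.
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set KIT-TS esp-3des esp-sha-hmac
!
! Dynamic entry: no "set peer" and no "match address". The peer address and
! the protected networks are learned from the remote side during negotiation.
crypto dynamic-map KIT-DYN 10
 set transform-set KIT-TS
!
! The "dynamic" keyword binds the dynamic map into an ordinary crypto map.
crypto map KIT-MAP 100 ipsec-isakmp dynamic KIT-DYN
!
interface FastEthernet0/0
 crypto map KIT-MAP
!
! ----- Remote kit (the home 2500); its own address comes from DHCP/NAT -----
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
crypto ipsec transform-set KIT-TS esp-3des esp-sha-hmac
!
! Constructed subnets: 198.51.100.0/24 behind the kit, 192.0.2.0/24 at work.
access-list 110 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
!
crypto map KIT-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set KIT-TS
 match address 110
!
interface Ethernet0
 crypto map KIT-MAP
```

Only the remote side can bring the tunnel up, because the hub has no peer address to initiate to. With a wildcard pre-shared key, anyone holding the key can negotiate from any address, so certificate-based IKE authentication is the tighter choice where the image supports it.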