GRE over IPSEC with one side having a dynamic IP address

Hi,

What I can advice you is to check attached TCG and try to combine GRE and IPsec P2MP setup.

I hadn't this case, but you can try. Probably, you will have to migrate to pure IPsec to achieve dyamic WAN IP address alocation. Also you didn't mention which platform you have (Comware 5 or 7)?

Two attached files are:

HP MSR Router GRE over IPSec TCG v1.3_Jan2014.pdf

IPsec P2MP setup with zero touch in hub.pdf

ZIP file: 1,6M

Br,

Michal

Hi Michal,

Thank you for your answer. The routers are brand new MSR routers (MSR3024 and MSR2003) with the latest software releases.

I saw the documents you sent but in the configurations they use the ip addresses of the public interfaces as endpoints but the problem is that one side will have a dynamic IP address so I can't use that information in the configuration.

Regards.

The P2MP doc  include IPsec solution dynamic IP without GRE, but I think there is only one part in your configuration to change:

Hub:

Create a keychain named key 1 and specify the pre-shared key. In this scenario, we create an open keychain with 1 password to any address. There could be more than 1 keychain with multiple passwords defined to address spaces.

ike keychain key1
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple password

At Spoke side,  of course you need to provide static public IP for the HUB to setup the tunnel. I assume, on the Spoke/Remote site you have public IP but dynamically assigned by ISP (PPPoE).

Br,

Mike